Finding Security Vulnerabilities


Security vulnerabilities are any kind of software or hardware defect. After gaining knowledge of a vulnerability, malicious users attempt to exploit it. An exploit is the term used to describe a program written to take advantage of a known vulnerability. The act of using an exploit against a vulnerability is referred to as an attack. The goal of the attack is to gain access to a system, the data it hosts, or a specific resource.
Software vulnerabilities
Software vulnerabilities are usually introduced by errors in the operating system or application code. Despite all the effort companies put into finding and patching software vulnerabilities, it is common for new vulnerabilities to surface. Microsoft, Apple, and other operating system producers release patches and updates almost every day. Application updates are also common. Applications such as web browsers, mobile apps, and web servers are often updated by the companies or organizations responsible for them.
In 2015, a major vulnerability, called SYNful Knock, was discovered in Cisco IOS. This vulnerability allowed attackers to gain control of enterprise-grade routers, such as the legacy Cisco 1841, 2811, and 3825 routers. The attackers could then monitor all network communication and had the ability to infect other network devices. This vulnerability was introduced into the system when an altered IOS version was installed on the routers. To avoid this, always verify the integrity of the downloaded IOS image and limit physical access to the equipment to authorized personnel only.
The goal of software updates is to stay current and avoid exploitation of vulnerabilities. While some companies have penetration testing teams dedicated to searching for, finding, and patching software vulnerabilities before they can be exploited, third-party security researchers also specialize in finding vulnerabilities in software.
Google's Project Zero is a great example of such a practice. After discovering a number of vulnerabilities in various software used by end users, Google formed a permanent team dedicated to finding software vulnerabilities. Google Security Research can be found here.
Hardware vulnerabilities
Hardware vulnerabilities are often introduced by hardware design flaws. RAM, for example, is essentially capacitors installed very close to one another. It was discovered that, due to this proximity, constant changes applied to one of these capacitors could influence neighboring capacitors. Based on that design flaw, an exploit called Rowhammer was created. By repeatedly rewriting memory at the same addresses, the Rowhammer exploit allows data to be retrieved from nearby memory cells, even if those cells are protected.
Hardware vulnerabilities are specific to device models and are not generally exploited through random compromise attempts. While hardware exploits are more common in highly targeted attacks, traditional malware protection and physical security are sufficient protection for the everyday user.

Most software security vulnerabilities fall into one of the following categories:
Buffer overflow – This vulnerability occurs when data is
written beyond the limits of a buffer. Buffers are memory
areas allocated to an application. By changing data
beyond the boundaries of a buffer, the application
accesses memory allocated to other processes. This can
lead to a system crash, data compromise, or provide
escalation of privileges.
Non-validated input – Programs often work with data
input. This data coming into the program could have
malicious content, designed to force the program to
behave in an unintended way. Consider a program that
receives an image for processing. A malicious user could
craft an image file with invalid image dimensions. The
maliciously crafted dimensions could force the program to
allocate buffers of incorrect and unexpected sizes.
Race conditions – This vulnerability is when the output of
an event depends on ordered or timed outputs. A race
condition becomes a source of vulnerability when the
required ordered or timed events do not occur in the
correct order or proper timing.
Weaknesses in security practices – Systems and sensitive data can be protected through techniques such as authentication, authorization, and encryption. Developers should not attempt to create their own security algorithms, because doing so will likely introduce vulnerabilities. It is strongly advised that developers use security libraries that have already been created, tested, and verified.
Access-control problems – Access control is the
process of controlling who does what and ranges from
managing physical access to equipment to dictating who
has access to a resource, such as a file, and what they
can do with it, such as read or change the file. Many
security vulnerabilities are created by the improper use of
access controls.
Nearly all access controls and security practices can be
overcome if the attacker has physical access to target
equipment. For example, no matter what you set a file’s
permissions to, the operating system cannot prevent
someone from bypassing the operating system and
reading the data directly off the disk. To protect the
machine and the data it contains, physical access must be
restricted and encryption techniques must be used to
protect data from being stolen or corrupted.
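As an added example (not from the course text), here is the non-validated-input case described above, the crafted image dimensions, shown in C beside a validated version: the vulnerable size calculation wraps around in 32-bit arithmetic and would allocate a buffer far smaller than the decoder later writes into, which is exactly the buffer overflow of the first category. The header layout, the 256 MiB cap, and the two sample headers are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u
/* Hypothetical policy for this example: never allocate a pixel buffer
 * larger than 256 MiB, whatever the file header claims. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Constructed header format: width then height, little-endian uint32 each. */
struct image_header {
    uint32_t width;
    uint32_t height;
};

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct image_header parse_header(const unsigned char buf[8])
{
    struct image_header h;
    h.width = read_le32(buf);
    h.height = read_le32(buf + 4);
    return h;
}

/* Vulnerable: the product is computed in 32 bits and silently wraps, so a
 * crafted header yields a tiny allocation while the decoder still writes
 * width * height * 4 bytes into it, overrunning the buffer. */
uint32_t naive_pixel_bytes(const struct image_header *h)
{
    return h->width * h->height * BYTES_PER_PIXEL;
}

/* Validated: rejects zero dimensions, multiplies in 64 bits so nothing can
 * wrap, and enforces the size cap. Returns 0 when the header is rejected. */
uint64_t checked_pixel_bytes(const struct image_header *h)
{
    if (h->width == 0 || h->height == 0)
        return 0;
    uint64_t n = (uint64_t)h->width * (uint64_t)h->height * BYTES_PER_PIXEL;
    return n > MAX_IMAGE_BYTES ? 0 : n;
}

/* Allocates a zeroed pixel buffer only for a header that passed validation
 * (caller frees it); returns NULL for rejected headers. */
unsigned char *alloc_pixels_checked(const struct image_header *h)
{
    uint64_t n = checked_pixel_bytes(h);
    return n ? calloc((size_t)n, 1) : NULL;
}

/* Constructed sample headers: a normal 1920x1080 image and a crafted
 * 65536x16385 one whose real pixel size is about 4 GiB. */
static const unsigned char NORMAL_HDR[8]  = {0x80, 0x07, 0, 0, 0x38, 0x04, 0, 0};
static const unsigned char CRAFTED_HDR[8] = {0x00, 0x00, 0x01, 0x00, 0x01, 0x40, 0, 0};

int main(void)
{
    struct image_header c = parse_header(CRAFTED_HDR);
    printf("crafted %ux%u: naive=%u bytes, checked=%llu (0 means rejected)\n",
           c.width, c.height, naive_pixel_bytes(&c),
           (unsigned long long)checked_pixel_bytes(&c));
    return 0;
}
```

For the crafted header the naive computation reports only 262144 bytes although the decoder would write about 4 GiB; the checked version refuses it outright.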
Chapter 3: Protecting Your Data and Privacy

Your computing devices store your data and are the portal to your online life. Below is a short list of steps you can take to protect your computing devices from intrusion:

• Keep the Firewall On – Whether it is a software firewall or a hardware firewall on a router, the firewall should be turned on and updated to prevent hackers from accessing your personal or company data. Click Windows 7 and 8.1 or Windows 10 to turn on the firewall in the respective version of Windows. Click here to turn on the firewall for Mac OS X devices.

• Use Antivirus and Antispyware – Malicious software, such as viruses, Trojan horses, worms, ransomware, and spyware, is installed on your computing devices without your permission in order to gain access to your computer and your data. Viruses can destroy your data, slow down your computer, or take over your computer. One way viruses can take over your computer is by allowing spammers to broadcast emails using your account. Spyware can monitor your online activities, collect your personal information, or produce unwanted pop-up ads on your web browser while you are online. A good rule is to only download software from trusted websites to avoid getting spyware in the first place. Antivirus software is designed to scan your computer and incoming email for viruses and delete them. Sometimes antivirus software also includes antispyware. Keep your software up to date to protect your computer from the newest malicious software.

• Manage Your Operating System and Browser – Hackers are always trying to take advantage of vulnerabilities in your operating systems and your web browsers. To protect your computer and your data, set the security settings on your computer and browser to medium or higher. Update your computer's operating system, including your web browsers, and regularly download and install the latest software patches and security updates from the vendors.

• Protect All Your Devices – Your computing devices, whether they are PCs, laptops, tablets, or smartphones, should be password protected to prevent unauthorized access. The stored information should be encrypted, especially sensitive or confidential data. For mobile devices, only store necessary information, in case these devices are stolen or lost when you are away from your home. If any one of your devices is compromised, the criminals may have access to all your data through your cloud-storage service provider, such as iCloud or Google Drive.
IoT devices pose an even greater risk than your other computing devices. While desktop, laptop, and mobile platforms receive frequent software updates, most IoT devices still have their original firmware. If vulnerabilities are found in the firmware, the IoT device is likely to stay vulnerable. To make the problem worse, IoT devices are often designed to call home and require Internet access. To reach the Internet, most IoT device manufacturers rely on the customer's local network. The result is that IoT devices are very likely to be compromised, and when they are, they allow access to the customer's local network and data. The best way to protect yourself from this scenario is to put IoT devices on an isolated network, sharing it only with other IoT devices.
Click here to visit Shodan, a web-based IoT device scanner.

Use Wireless Networks Safely


Wireless networks allow Wi-Fi enabled devices,
such as laptops and tablets, to connect to the
network by way of the network identifier, known as
the Service Set Identifier (SSID). To prevent
intruders from entering your home wireless network,
the pre-set SSID and default password for the
browser-based administrative interface should be
changed. Hackers will be aware of this kind of
default access information. Optionally, the wireless
router can also be configured to not broadcast the
SSID, which adds an additional barrier to
discovering the network. However, this should not
be considered adequate security for a wireless
network. Furthermore, you should encrypt wireless
communication by enabling wireless security and the
WPA2 encryption feature on the wireless router.
Even with WPA2 encryption enabled, the wireless
network can still be vulnerable.
In October 2017, a security flaw in the WPA2 protocol was discovered. This flaw allows an intruder to break the encryption between the wireless router and the wireless client, allowing the intruder to access and manipulate the network traffic. This vulnerability can be exploited using Key Reinstallation Attacks (KRACK). It affects all modern, protected Wi-Fi networks. To mitigate this, a user should update all affected products, wireless routers and any wireless-capable devices such as laptops and mobile devices, as soon as security updates become available. For laptops or other devices with a wired NIC, a wired connection could mitigate this vulnerability. Furthermore, you can also use a trusted VPN service to prevent unauthorized access to your data while you are using the wireless network.
Click here to learn more about KRACK.
When you are away from home, a public Wi-Fi hot
spot allows you to access your online information
and surf the Internet. However, it is best to not
access or send any sensitive personal information
over a public wireless network. Verify whether your
computer is configured with file and media sharing
and that it requires user authentication with
encryption. To prevent someone from intercepting
your information (known as “eavesdropping”) while
using a public wireless network, use encrypted VPN
tunnels and services. The VPN service provides you
secure access to the Internet, with an encrypted
connection between your computer and the VPN
service provider’s VPN server. With an encrypted
VPN tunnel, even if a data transmission is
intercepted, it is not decipherable.
Click here to learn more about protecting yourself
when using wireless networks.
Many mobile devices, such as smartphones and
tablets, come with the Bluetooth wireless protocol.
This capability allows Bluetooth-enabled devices to
connect to each other and share information.
Unfortunately, Bluetooth can be exploited by
hackers to eavesdrop on some devices, establish
remote access controls, distribute malware, and
drain batteries. To avoid these issues, keep
Bluetooth turned off when you are not using it.

Use Unique Passwords for Each Online Account

You probably have more than one online account, and each account should have a unique password. That is a lot of passwords to remember. However, not using strong and unique passwords leaves you and your data vulnerable to cyber criminals. Using the same password for all your online accounts is like using the same key for all your locked doors: if an attacker were to get your key, he would have the ability to access everything you own. If criminals get your password, through phishing for example, they will try to get into your other online accounts. If you only use one password for all accounts, they can get into all your accounts, steal or erase all your data, or decide to impersonate you.
We use so many online accounts that need passwords that it becomes too much to remember. One solution to avoid reusing passwords or using weak passwords is to use a password manager. A password manager stores and encrypts all of your different and complex passwords. The manager can then help you log into your online accounts automatically. You only need to remember your master password to access the password manager and manage all of your accounts and passwords.
Tips for choosing a good password:
• Do not use dictionary words or names in any language
• Do not use common misspellings of dictionary words
• Do not use computer names or account names
• If possible, use special characters, such as ! @ # $ % ^ & * ( )
• Use a password with ten or more characters
Use a Passphrase Rather Than a Password

To prevent unauthorized physical access to your computing devices, use passphrases rather than passwords. It is easier to create a long passphrase than a password, because it is generally in the form of a sentence rather than a word. The longer length makes passphrases less vulnerable to dictionary or brute-force attacks. Furthermore, a passphrase may be easier to remember, especially if you are required to change your password frequently.
Tips for choosing a good passphrase:
• Choose a statement that is meaningful to you
• Add special characters, such as ! @ # $ % ^ & * ( )
• The longer the better
• Avoid common or famous statements, for example, lyrics from a popular song
Recently, the United States National Institute of Standards and Technology (NIST) published improved password requirements. NIST standards are intended for government applications but can serve as a standard for others as well. The new guidelines aim to provide a better user experience and put the burden of user verification on the providers.
Summary of the new guidelines:
• 8 characters minimum in length, but no more than 64 characters
• No common, easily guessed passwords, such as password, abc123
• No composition rules, such as having to include lowercase and uppercase letters and numbers
• Improve typing accuracy by allowing the user to see the password while typing
• All printing characters and spaces are allowed
• No password hints
• No periodic or arbitrary password expiration
• No knowledge-based authentication, such as information from shared secret questions, marketing data, or transaction history
Click here to learn more about the improved NIST password requirements.
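As an added example (not part of the course text or of NIST's own material), here is a C check that applies the guideline summary above to a candidate password: a length window of 8 to 64 characters counted as Unicode characters rather than bytes, any printing character or space accepted, no composition rules, and a blocklist lookup. The four-entry blocklist is a constructed stand-in for the list of commonly used passwords a real verifier would load from a file.

```c
#include <ctype.h>
#include <stddef.h>

/* Constructed stand-in for the list of common or breached passwords a real
 * verifier would load from a file; the comparison is case-insensitive. */
static const char *const BLOCKLIST[] = { "password", "abc123", "123456", "qwerty" };

enum pw_verdict { PW_OK = 0, PW_TOO_SHORT, PW_TOO_LONG, PW_CONTROL_CHAR, PW_BLOCKLISTED };

/* Counts Unicode characters in a UTF-8 string: continuation bytes
 * (10xxxxxx) are skipped, so "pässwörd" counts as 8 characters, not 10. */
static size_t utf8_length(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)
            n++;
    return n;
}

static int in_blocklist(const char *pw)
{
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof BLOCKLIST[0]; i++) {
        const char *b = BLOCKLIST[i];
        size_t j = 0;
        while (pw[j] && b[j] &&
               tolower((unsigned char)pw[j]) == tolower((unsigned char)b[j]))
            j++;
        if (pw[j] == '\0' && b[j] == '\0')
            return 1;
    }
    return 0;
}

/* Applies the summarised guidelines: 8..64 characters, every printing
 * character and space allowed (only ASCII control characters are refused),
 * nothing from the blocklist, and deliberately no composition rules. */
enum pw_verdict check_password(const char *pw)
{
    size_t len = utf8_length(pw);
    if (len < 8)
        return PW_TOO_SHORT;
    if (len > 64)
        return PW_TOO_LONG;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++)
        if (*p < 0x20 || *p == 0x7F)
            return PW_CONTROL_CHAR;
    if (in_blocklist(pw))
        return PW_BLOCKLISTED;
    return PW_OK;
}
```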
Even with access to your computers and network devices
secured, it is also important to protect and preserve your
data


Legal Issues in Cybersecurity

Cybersecurity professionals must have the same skills as hackers, especially black hat hackers, in order to protect against attacks. One difference between a hacker and a cybersecurity professional is that the cybersecurity professional must work within legal boundaries.
Personal Legal Issues
You do not even have to be an employee to be subject to
cybersecurity laws. In your private life, you may have the
opportunity and skills to hack another person’s computer
or network. There is an old saying, “Just because you can
does not mean you should.” Keep this in mind. Most
hackers leave tracks, whether they know it or not, and
these tracks can be followed back to the hacker.
Cybersecurity professionals develop many skills which can
be used for good or evil. Those who use their skills within
the legal system, to protect infrastructure, networks, and
privacy are always in high demand.
Corporate Legal Issues
Most countries have some cybersecurity laws in place.
They may have to do with critical infrastructure, networks,
and corporate and individual privacy. Businesses are
required to abide by these laws.
In some cases, if you break cybersecurity laws while doing
your job, it is the company that may be punished and you
could lose your job. In other cases, you could be
prosecuted, fined, and possibly sentenced.
In general, if you are confused about whether an action or
behavior might be illegal, assume that it is illegal and do
not do it. Your company may have a legal department or
someone in the human resources department who can
answer your questions before you do something illegal.
International Law and Cybersecurity
The area of cybersecurity law is much newer than cybersecurity itself. As mentioned before, most countries have some laws in place, and there will be more laws to come.
Ethical Issues in Cybersecurity

In addition to working within the confines of the law, cybersecurity professionals must also demonstrate ethical behavior.
Personal Ethical Issues
A person may act unethically and not be subject to prosecution, fines or imprisonment. This is because the action may not have been technically illegal. But that does not mean that the behavior is acceptable. Ethical behavior is fairly easy to ascertain. It is impossible to list all of the various unethical behaviors that can be exhibited by someone with cybersecurity skills. Below are just two. Ask yourself:
• Would I want to discover that someone has hacked into my computer and altered images in my social network sites?
• Would I want to discover that an IT technician whom I trusted to fix my network told colleagues personal information about me that was gained while working on my network?
If your answer to any of these questions was 'no', then do not do such things to others.
Corporate Ethical Issues
Ethics are codes of behavior that are sometimes enforced by laws. There are many areas in cybersecurity that are not covered by laws. This means that doing something that is technically legal still may not be the ethical thing to do. Because so many areas of cybersecurity are not (or not yet) covered by laws, many IT professional organizations have created codes of ethics for persons in the industry. Below is a list of three organizations with Codes of Ethics:
• The CyberSecurity Institute (CSI) has published a code of ethics that you can read here.
• The Information Systems Security Association (ISSA) has a code of ethics found here.
• The Association of Information Technology Professionals (AITP) has both a code of ethics and a standard of conduct found here.
Cisco has a team devoted exclusively to ethical business
conduct. Go here to read more about it. This site contains
an eBook about Cisco’s Code of Business Conduct, and a
pdf file. In both files is an “Ethics Decision Tree”, as shown
in the figure. Even if you do not work for Cisco, the
questions and answers found in this decision tree can
easily be applied to your place of work. As with legal
questions, in general, if you are confused about whether
an action or behavior might be unethical, assume that it is
unethical and do not do it. There may be someone in your
company’s human resources or legal department who can
clarify your situation before you do something that would
be considered unethical.
Search online to find other IT-related organizations with codes of ethics. Try to find what they all have in common.

Cybersecurity Jobs

Many other businesses and industries are hiring cybersecurity professionals. There are several online search engines to help you find the right job in cybersecurity:
• ITJobMatch – The ITJobMatch search engine specializes in IT jobs of every kind, all over the globe.
• Monster – Monster is a search engine for all types of jobs. The link provided goes directly to cybersecurity jobs.
• CareerBuilder – CareerBuilder is also a search engine for all types of jobs. The link provided goes directly to cybersecurity jobs.
These are just three of many different online job search
sites. Even if you are just starting your education in IT and
cybersecurity, looking at job search engines is a good way
to see what kinds of jobs are available, all over the world.
Depending on your interest in cybersecurity, different
types of jobs can be available to you, and they can require
specialized skills certifications. For example, a penetration
tester, also known as an ethical hacker, searches and
exploits security vulnerabilities in applications, networks
and systems. To become a penetration tester, you will
need to gain experience in other IT jobs, such as security
administrator, network administrator, and system
administrator. Each one of these jobs requires its own set
of skills that will help you become a valuable asset to an
organization.
Our hope is that this course has piqued your interest in
pursuing an education in IT and cybersecurity and then
continuing on to an exciting career! The Cisco Networking
Academy provides many courses for you to continue your
education in Cybersecurity. We encourage you to enroll in
the next course, Cybersecurity Essentials, to continue to
build strong foundational knowledge in Cybersecurity.
Check out the Cisco Networking Academy and see a list
of courses that are available. Furthermore, you can also
access career resources available in Cisco Networking
Academy.
Just for fun, click here to read a graphic novel about a
cybersecurity superhero!
