Cybersecurity Essentials

CYBERSECURITY ESSENTIALS
1. Cybersecurity Threats, Vulnerabilities and Attacks
1.1 Common Threats
1.1.1 Threat Domains

With organizations facing an ever-growing number of cyber threats, it is critical
that they have robust security solutions in place. But in order to protect
themselves, organizations first need to know what vulnerabilities exist within
their threat domains. A ‘threat domain’ is considered to be an area of control,
authority or protection that attackers can exploit to gain access to a system.
There are many ways that attackers can uncover vulnerabilities and exploit systems
within a domain.
Select the image to reveal some examples.

(Attackers can exploit systems within a domain through:
Direct, physical access to systems and networks.
Wireless networking that extends beyond an organization’s boundaries.
Bluetooth or near-field communication (NFC) devices.
Malicious email attachments.
Less secure elements within an organization’s supply chain.
An organization’s social media accounts.
Removable media such as flash drives.
Cloud-based applications.)
Cybersecurity professionals can also use these domains to perform an analysis of an

organization’s current cybersecurity status. In this module, we will look at the
different types of domains that exist within an organization. It is important to
approach cybersecurity risks from a multi-scale, systems perspective, taking into
account the interaction of cyber, physical and human systems.
1.1.2 Types of Cyber Threats

Cyber threats can be classified into different categories. This allows
organizations to assess the likelihood of a threat occurring and understand the
monetary impact of a threat so that they can prioritize their security efforts.
Select the headings for examples of cyber threats in each of these categories.
(Software Attacks: A successful denial-of-service (DoS attack). A computer virus.
Software Errors: A software bug. An application going offline. A cross-site script
or illegal file server share.
Sabotage: A backdoor, or a worm that erases files. An authorized user successfully
penetrating and compromising an organization’s primary database. The defacement of
an organization’s website.
Human Error: nadvertent data entry errors. An employee dropping a laptop computer.
Theft: Laptops or equipment being stolen from an unlocked room.
Hardware Failures: Hard drive crashes. A firewall misconfiguration.
Utility Interruption: Electrical power outages. Water damage resulting from
sprinkler failure.
Natural Disasters: Severe storms such as hurricanes or tornados. Earthquakes.
Floods. Fires.)
1.1.3 Internal vs External Threats

Threats can originate from both within and outside of an organization, with
attackers seeking access to valuable sensitive information such as personnel
records, intellectual property and financial data. Internal threats are usually
carried out by current or former employees and other contract partners who
accidentally or intentionally mishandle confidential data or threaten the
operations of servers or network infrastructure devices by connecting infected
media or by accessing malicious emails or websites. The source of an external
threat typically stems from amateur or or skilled attackers who can exploit
vulnerabilities in networked devices or can use social engineering techniques, such
as trickery, to gain access to an organization’s internal resources.
(Image 1.1.3.a)
Did you know that internal threats have the potential to cause greater damage than
external threats? This is because employees or partners working within an
organization have direct access to its premises and infrastructure devices. They
will also have insider knowledge of the organization’s network, resources and
confidential data, as well as the security countermeasures in place.
1.1.4 Know the Difference
(activity in 6 steps 6/6)
Cyber threats can spread in various ways such as through users themselves, via
devices connected to the network or via services hosted on a public or private
cloud. And don’t forget the threat of a physical attack if the right security
measures are not in place. Let’s take a look at these in more detail.
1.1.5 User Threats and Vulnerabilities

A user domain includes anyone with access to an organization’s information system,
including employees, customers and contract partners. Users are often considered to
be the weakest link in information security systems, posing a significant threat to
the confidentiality, integrity and availability of an organization’s data.
Select the headings to reveal more information about the most common user threats
found in many organizations.
(No Awareness of Security: Users must be aware of and understand an organization’s
sensitive data, security policies and procedures, technologies and countermeasures
that are implemented in order to protect information and information systems.
Poorly Enforced Security Policies: All users must be aware of and understand an
organization’s security policies, as well as the consequences of non-compliance.
Data Theft: Data stolen by users can pose a significant financial threat to
organizations, both in terms of the resulting damage to their reputation and/or the
legal liability associated with the disclosure of sensitive information.
Unauthorized Downloads and Media: Many network and device infections and attacks
can be traced back to users who have downloaded unauthorized emails, photos, music,
games, apps and videos to their computers, networks or storage devices, or used
unauthorized media such as external hard disks and USB drives.
Unauthorized Virtual Private Networks VPNs: VPNs can hide the theft of unauthorized
information because the encryption normally used to protect confidentiality can
stop a network administrator from tracking data transmission (unless they have
permission to do so).
Unauthorized Websites: Accessing unauthorized websites can pose a risk to a user’s
data and devices, as well as the organization itself. Often, these websites prompt
users to download scripts or plugins that contain malicious code or adware. Some of
these sites can even take over user devices like cameras and applications.
Destruction of Systems, Applications and Data: The accidental or deliberate
destruction or sabotage of systems, applications and data poses a serious risk to
all organizations. Activists, disgruntled employees or industry competitors attempt
to delete data and destroy or misconfigure devices, to make organizational data and
information systems unavailable.)
Always keep in mind that there are no technical solutions, controls or
countermeasures that will make information systems any more secure than the
behaviors and processes of the people who use these systems.
1.1.6 Threats to Devices
* Any devices left powered on and unattended pose the risk of someone gaining
unauthorized access to network resources.
Downloading files, photos, music or videos from unreliable sources could lead to
the execution of malicious code on devices.
* Cybercriminals often exploit security vulnerabilities within software installed
on an organization’s devices to launch an attack.
* An organization’s information security teams must try to keep up to date with the
daily discovery of new viruses, worms and other malware that pose a threat to their
devices.
* Users who insert unauthorized USB drives, CDs or DVDs run the risk of introducing
malware, or compromising data stored on their device.
* Policies are in place to protect an organization’s IT infrastructure. A user can
face serious consequences for purposefully violating such policies.
* Using outdated hardware or software makes an organization’s systems and data more
vulnerable to attack.
1.1.7 Threats to the Local Area Network

This component is a flipcard comprised of flippable cards containing display image.
Select the front face image to flip to the back face of these card to display
associated text. The local area network (LAN) is a collection of devices, typically
in the same geographic area, connected by cables (wired) or airwaves (wireless).
Because users can access an organization’s systems, applications and data from the
LAN domain, it is critical that it has strong security and stringent access
controls.
Select the image to reveal some common threats posed to the LAN.
(Examples of threats to the LAN include:
Unauthorized access to wiring closets, data centers and computer rooms.
Unauthorized access to systems, applications and data.
Network operating system or software vulnerabilities and updates.
Rogue users gaining unauthorized access to wireless networks.
Exploits of data in transit.
Having LAN servers with different hardware or operating systems makes managing and
troubleshooting them more difficult.
Unauthorized network probing and port scanning.
Misconfigured firewalls.)
1.1.8 Threats to the Private Cloud

The private cloud domain includes any private servers, resources and IT
infrastructure available to members of a single organization via the Internet.
While many organizations feel that their data is safer in a private cloud, this
domain still poses significant security threats, including:
Unauthorized network probing and port scanning.
Unauthorized access to resources.
Router, firewall or network device operating system or software vulnerabilities.
Router, firewall or network device configuration errors.
Remote users accessing an organization’s infrastructure and downloading sensitive
data.
1.1.9 Threats to the Public Cloud

Slide show. Select the next button to progress.
Where a private cloud domain hosts computing resources for a single organization,
the public cloud domain is the entirety of computing services hosted by a cloud,
service or Internet provider that are available to the public and shared across
organizations. There are three models of public cloud services that organizations
may choose to use.
Select the arrows to find out more about these.
(Software as a Service (SaaS): This is a subscription-based model that provides
organizations with software that is centrally hosted and accessed by users via a
web browser, app or other software. In other words, this is software not stored
locally but in the cloud.
Platform as a Service (PaaS): This subscription-based model provides a platform
that allows an organization to develop, run and manage its applications on the
service’s hardware, using tools that the service provides. This platform is
accessed via the public cloud.
Infrastructure as a Service (IaaS): This subscription-based model provides virtual
computing resources such as hardware, software, servers, storage and other
infrastructure components over the Internet. An organization will buy access to
them and use them via the public cloud.)
While public cloud service providers do implement security controls to protect the
cloud environment, organizations are responsible for protecting their own resources
on the cloud. Therefore, some of the most common threats to the public cloud domain
include:
- Data breaches.
- Loss or theft of intellectual property.
- Compromised credentials or account hijacking.
- Social engineering attacks.
- Compliance violation.
1.1.10 What Do You Think?

Physical threats are often overlooked when considering cybersecurity, but physical
security is in fact critical when we want to prevent an organization from falling
victim to cybercrime. With this in mind, take a few moments to think about
potential physical threats to @Apollo’s offices. Write a few examples in the box
below, then select Submit. Then select Show answer to reveal some common examples
of threats to an organization's physical facilities domain and compare your
response.
(500 characters remaining - answer done).
1.1.11 Threats to Applications

The application domain includes all of the critical systems, applications and data
used by an organization to support operations. Increasingly, organizations are
moving applications such as email, security monitoring and database management to
the public cloud. Common threats to applications include:
* Someone gaining unauthorized access to data centers, computer rooms, wiring
closets or systems.
* Server downtime during maintenance periods.
* Network operating system software vulnerabilities.
* Data loss.
* Client-server or web application development vulnerabilities.
1.1.12 Domain Checker

All of this has you thinking… You know that attackers will seek to take advantage
of any vulnerabilities that exist in @Apollo’s domains, but first you need to
identify what those domains are. Can you complete the sentences below by selecting
the correct term from each of the dropdowns? When you have made all of your
choices, select Submit.
Employees (User domain) gain access to the @Apollo offices with an electronic staff
ID card (Physical facilities domain). They use a desktop, laptop, tablet or
smartphone (Device domain) to log into @Apollo’s network (LAN domain). @Apollo
offers customers access to a suite of centrally hosted eLearning modules for a
subscription fee. It is a (SaaS) provider, operating on a (Public) cloud domain.
That’s right! You have correctly identified the range of domains in play at
@Apollo.
@Apollo employees have access to the organization’s information system and form
part of the user domain.
They can enter any of the @Apollo offices using electronic staff ID cards. These
are used to safeguard the organization’s premises and therefore fall into the
physical facilities domain.
Any desktop computer, laptop, tablet or smartphone used to access @Apollo’s network
is part of the device domain.
@Apollo’s internal network, which is made up of a collection of these and other
devices, forms the LAN domain.
@Apollo happens to be a SaaS provider, offering customers access to a suite of
centrally hosted eLearning modules for a subscription fee.
So, @Apollo operates on the public cloud domain.
Otherwise: That’s not right. Let’s recap.

A user domain includes anyone with access to an organization’s information system —
all employees, customers and contract partners.
A device domain refers to any computers and other devices connected to a computer
network.
The physical facilities domain includes all the premises used by an organization,
as well as the physical security measures employed to safeguard an organization’s
premises.
A LAN domain is a collection of devices connected locally by cables or airwaves.
A private cloud domain includes any private servers, resources and IT
infrastructure available only to members of a single organization via the Internet,
whereas the public cloud domain includes all computing services hosted by a cloud,
service or Internet provider that are available to the public and shared across
organizations. There are three different cloud service models:
SaaS provides organizations with software that is centrally hosted and accessed by
users via the Internet.
PaaS provides a platform that allows an organization to develop, run and manage its
application on the service’s hardware, using tools that the service provides, all
accessible via the Internet.
IaaS provides virtual computing resources such as hardware, software, servers,
storage and other infrastructure components accessible over the Internet.
1.1.13 Threat Complexity

Software vulnerabilities occur as a result of programming mistakes, protocol
vulnerabilities or system misconfigurations. Cybercriminals seek to take advantage
of such vulnerabilities and are becoming increasingly sophisticated in their attack
methods.
An advanced persistent threat (APT) is a continuous attack that uses elaborate

espionage tactics involving multiple actors and/or sophisticated malware to gain
access to and analyze a target’s network.
Attackers operate under the radar and remain undetected for a long period of time,
with potentially devastating consequences. APTs typically target governments and
high-level organizations and are usually well-orchestrated and well-funded.
As the name suggests, algorithm attacks take advantage of algorithms in a piece of

legitimate software to generate unintended behaviors. For example, algorithms used
to track and report how much energy a computer consumes can be used to select
targets or trigger false alerts. They can also disable a computer by forcing it to
use up all its RAM or by overworking its central processing unit (CPU).
1.1.14 Backdoors and Rootkits

Cybercriminals also use many different types of malicious software (known as
malware) to carry out their attacks.
Select the images to find out more about some common types.
Backdoors: Backdoor programs, such as Netbus and Back Orifice, are used by
cybercriminals to gain unauthorized access to a system by bypassing the normal
authentication procedures. Cybercriminals typically have authorized users
unknowingly run a remote access Trojan horse program (RAT) on their machine to
install a backdoor that gives the criminal administrative control over a target
computer. Backdoors grant cybercriminals continued access to a system, even if the
organization has fixed the original vulnerability used to attack the system.
Rootkits: This malware is designed to modify the operating system to create a

backdoor, which attackers can then use to access the computer remotely. Most
rootkits take advantage of software vulnerabilities to gain access to resources
that normally shouldn’t be accessible (privilege escalation) and modify system
files. Rootkits can also modify system forensics and monitoring tools, making them
very hard to detect. In most cases, a computer infected by a rootkit has to be
wiped and any required software reinstalled.
Many organizations rely on threat intelligence data to help them understand their
overall risk, so that they can formulate and put in place effective preventative
and response measures. Some of this data is closed source and requires a paid
subscription for access. Other data is considered open source intelligence (OSINT)
and can be accessed from publicly available information sources. In fact, sharing
threat intelligence data is becoming more popular, with governments, universities,
healthcare sector organizations and private businesses working together to improve
everyone’s security.
1.1.15 Threat Intelligence and Research Sources

The United States Computer Emergency Readiness Team (US-CERT) and the U.S.
Department of Homeland Security sponsor a dictionary of common vulnerabilities and
exposures (CVE). Each CVE entry contains a standard identifier number, a brief
description of the security vulnerability and any important references to related
vulnerability reports. The CVE list is maintained by a not-for-profit, the MITRE
Corporation, on its public website.
Select the arrows to find out more about some other threat intelligence sources.
(The dark web: This refers to encrypted web content that is not indexed by
conventional search engines and requires specific software, authorization or
configurations to access. Expert researchers monitor the dark web for new threat
intelligence.
Indicator of compromise (IOC): IOCs such as malware signatures or domain names
provide evidence of security breaches and details about them.
Automated Indicator Sharing (AIS): Automated Indicator Sharing (AIS), a
Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the
real-time exchange of cybersecurity threat indicators using a standardized and
structured language called Structured Threat Information Expression (STIX) and
Trusted Automated Exchange of Intelligence Information (TAXII).)
1.1.16 Install a Virtual Machine on a Personal Computer

Cybersecurity analysts use many tools while threat hunting and conducting
cybersecurity research. The virtual machine used in this activity has been prebuilt
with some of these tools, so that you can easily get to work. In this Lab, you will
learn how to set up a virtual machine on a computer so that it is ready to use with
the other Lab activities in this course.
Press the play button to view this short demo video. (Video)
Now, get a real-world, hands-on experience by following the instructions and
practicing this activity on your own laptop or desktop computer. Download the CSE-
LABVM Virtual Machine OVA file and follow the 1.1.16 Lab - Install a Virtual
Machine on a Personal Computer - Answer Key.pdf to prepare your computer for the
upcoming Labs in this course.
1.1.17 Explore Social Engineering Techniques

In this Lab, you will: Explore social engineering techniques. Create a
cybersecurity awareness poster.
practicing this activity on your own laptop or desktop computer. Download the
1.1.17 Lab - Explore Social Engineering Techniques - Answer Key.pdf for
instructions.
Next Up... Once a cybercriminal understands the vulnerabilities of a device, system

or network, they will go to great lengths to deceive potential victims and gain
access to sensitive information.
1.2 Deception
1.2.1 Social Engineering

Social engineering is a non-technical strategy that attempts to manipulate
individuals into performing certain actions or divulging confidential information.
Rather than software or hardware vulnerabilities, social engineering exploits human
nature, taking advantage of people’s willingness to help or preying on their
weaknesses, such as greed or vanity.
Select the arrows to find out more about some common types of social engineering
attacks.
(Pretexting: This type of attack occurs when an individual lies to gain access to
privileged data. For example, an attacker pretends to need personal or financial
data in order to confirm a person’s identity.
Something for something (quid pro quo): Quid pro quo attacks involve a request for
personal information in exchange for something, like a gift. For example, a
malicious email could ask you to give your sensitive personal details in exchange
for a free vacation.
Identity fraud: This is the use of a person’s stolen identity to obtain goods or
services by deception. For example, someone has acquired your data and is
attempting to issue a credit card in your name.)
1.2.2 Social Engineering Tactics

Cybercriminals rely on several social engineering tactics to gain access to
sensitive information.
Select the headings to find out what these are.

(Authority: Attackers prey on the fact that people are more likely to comply when
instructed by someone they perceive as an authority figure. For example, an
executive opens what looks like an official subpoena attachment but is actually an
infected PDF.
Intimidation: Cybercriminals will often bully a victim into taking an action that
compromises security. For example, a secretary receives a call that their boss is
about to give an important presentation but the files are corrupt. The criminal on
the phone claims it’s the secretary’s fault and pressures the secretary to send
across the files immediately or risk dismissal.
Consensus: Often called ‘social proof,’ consensus attacks work because people tend
to act in the same way as other people around them, thinking that something must be
right if others are doing it. For example, cybercriminals may publish a social
media post about a ‘business opportunity’ and get dozens of legitimate or
illegitimate accounts to comment on its validity underneath, which encourages
unsuspecting victims to make a purchase.
Scarcity: A well known marketing tactic, scarcity attacks work because attackers
know that people tend to act when they think there is a limited quantity of
something available. For example, someone receives an email about a luxury item
being sold for very little money, but it states that there are only a handful
available at this price, in an effort to spur the unsuspecting victim into taking
action.
Urgency: Similarly, people also tend to act when they think there is a limited time
to do so. For example, cybercriminals promote a fake time-limited shipping offer to
try and prompt victims to take action quickly.
Familiarity: People are more likely to do what another person asks if they like
this person. Therefore, attackers will often try to build a rapport with their
victim in order to establish a relationship. In other cases, they may clone the
social media profile of a friend of yours, in order to get you to think you are
speaking to them.
Trust: Building trust in a relationship with a victim may require more time to
establish. For example, a cybercriminal disguised as a security expert calls the
unsuspecting victim to offer advice. When helping the victim, the ‘security expert’
discovers a ‘serious error’ that needs immediate attention. The solution provides
the cybercriminal with the opportunity to violate the victim’s security.)
Remember that cybercriminals’ repertory is vast and ever-evolving. Sometimes, they

might combine two or more of the above tactics to increase their chances. It is up
to cybersecurity professionals to raise awareness and educate other people in an
organization about these tactics, to prevent them from falling victim to such
attacks.
1.2.3 Watch Out!

You are investigating a suspicious email that has been sent to @Apollo’s remote
workers today. It looks like the email has been sent by Guru, asking employees to
click on a link to download a virtual private network that will secure their Wi-Fi
connection while working at home. Although the email looks legitimate, clicking on
the link installs malware on the employee’s device. What type of social engineering
attack is being used here?
Select the correct answer, then Submit.

(Pretexting: That’s right!
The attacker in this case has attempted to gain access to employee devices by
impersonating Guru — a trustworthy person known to @Apollo’s employees — and by
sending a legitimate-looking email with a believable pretext.
Otherwise: That’s not right. Let’s recap.

Pretexting occurs when an individual lies to gain access to privileged data.
Quid pro quo describes an attack that involves a request for information in
exchange for something, like a gift.
Identity fraud uses a person’s stolen identity to obtain data, goods or services by
deception.
Go back, reset and try again.)
Most cyber attacks involve some form of deception. Let’s take a look at some of
these.
1.2.4 Shoulder Surfing and Dumpster Diving

Shoulder surfing is a simple attack that involves observing or literally looking
over a target’s shoulder to gain valuable information such as PINs, access codes or
credit card details. Criminals do not always have to be near their victim to
shoulder surf — they can use binoculars or security cameras to obtain this
information. This is one reason why an ATM screen can only be viewed at certain
angles. These types of safeguards make shoulder surfing much more difficult.
You may have heard of the phrase, ‘one man's trash is another man's treasure.’
Nowhere is this more true than in the world of dumpster diving — the process of
going through a target's trash to see what information has been thrown out. This is
why documents containing sensitive information should be shredded or stored in burn
bags until they are destroyed by fire after a certain period of time.
1.2.5 Impersonation and Hoaxes

Cybercriminals have many other deception techniques to help them succeed.
Select the images to find out more.

(Impersonation: Impersonation is the act of tricking someone into doing something
they would not ordinarily do by pretending to be someone else. For example, a
cybercriminal posing as an IRS employee recently targeted taxpayers, telling the
victims that they owed money that had to be paid immediately via wire transfer — or
risk arrest. Criminals can also use impersonation to attack others. For example,
they can pose as their victim online and post on websites or social media pages to
undermine the victim’s credibility.
Hoaxes: A hoax is an act intended to deceive or trick someone, and can cause just
as much disruption as an actual security breach. For example, a message that warns
of a (non-existent) virus threat on a device and asks the recipient to share this
information with everyone they know. This hoax elicits a user reaction, creating
unnecessary fear and irrational behavior that is perpetuated through email and
social media.)
1.2.6 Piggybacking and Tailgating

Piggybacking or tailgating occurs when a criminal follows an authorized person to
gain physical entry into a secure location or a restricted area. Criminals can
achieve this by: Giving the appearance of being escorted into the facility by an
authorized person. Joining and pretending to be part of a large crowd that enters
the facility.Targeting an authorized person who is careless about the rules of the
facility. One way of preventing this is to use two sets of doors. This is sometimes
referred to as a mantrap and means individuals enter through an outer door, which
must close before they can gain access through an inner door.
1.2.7 Other Methods of Deception

Be aware that attackers have many more tricks up their sleeve to deceive their
victims.
Select the headings to find out more about some of these methods.
(Invoice Scam: Fake invoices are sent with the goal of receiving money from a
victim by prompting them to put their credentials into a fake login screen. The
fake invoice may also include urgent or threatening language.
Watering Hole Attack: A watering hole attack describes an exploit in which an
attacker observes or guesses what websites an organization uses most often, and
infects one or more of them with malware.
Typosquatting: This type of attack relies on common mistakes such as typos made by
individuals when inputting a website address into their browser. The incorrect URL
will bring the individuals to a legitimate-looking website owned by the attacker,
whose goal is to gather their personal or financial information.
Prepending: Attackers can remove the ‘external’ email tag used by organizations to
warn the recipient that an email has originated from an external source. This
tricks individuals into believing that a malicious email was sent from inside their
organization.
Influence Campaigns: Often used in cyberwarfare, influence campaigns are usually
very well coordinated and blend various methods such as fake news, disinformation
campaigns and social media posts.)
1.2.8 Spot the Attack

There have been a few unusual incidents at @Apollo recently that have sparked some
concerns that the organization is being targeted by cybercriminals. Can you
identify what type of attack these incidents may be describing?
Select an option from each of the dropdowns, then Submit.

(A friend sends you a text message to congratulate you on your new position at
@Apollo after they saw your status update on your social profile. You have not
updated this information. -Impersonation-
A colleague tells you that a man asked them to hold the front door on the way into
the office this morning, because he had forgotten his ID card. Your colleague had
never seen this man before. -Tailgating-
A customer has reported that malware infected her computer after she visited
@Apollo’s website. Further investigation revealed that the customer accidentally
mistyped the website address. -Typosquatting-
That’s right! Cybercriminals often impersonate other people and post on their
social media pages to gain access to the personal information of said people or
others, or undermine their credibility. Cybercriminals can tailgate into an
organization by targeting an authorized person who is careless about the rules of
entry. Cybercriminals can also target individuals who incorrectly enter a website
address into their browser. This typosquatting attack aims to make people think
they are visiting a legitimate website, though it is in fact malicious, tricking
them into giving away personal or financial information. It looks as if @Apollo
could be under cyber attack so stay alert!)
1.2.9 Defending Against Deception

Organizations need to promote awareness of social engineering tactics and properly
educate employees on prevention measures. Here are some top tips.
- Never disclose confidential information or credentials via email, chat, text
messages, in person or over the phone to unknown parties.
- Resist the urge to click on enticing emails and web links.
- Be wary of uninitiated or automatic downloads.
- Establish and educate employees on key security policies.
- Encourage employees to take ownership of security issues.
- Do not give in to pressure by unknown individuals.
1.2.10 Use a Port Scanner to Detect Open Ports

In this Lab, you will use Nmap, a port scanner and network mapping tool, to detect
open ports.
Press the play button to view this short demo video. (Video).
1.2.10 Lab - Use a Port Scanner to Detect Open Ports - Answer Key.pdf for
instructions.
1.3 Cyber Attacks
1.3.1 What's the Difference?

Cybercriminals use many different types of malicious software, or malware, to carry
out attacks. Malware is any code that can be used to steal data, bypass access
controls or cause harm to or compromise a system.
Select the pin icons to find out more about three of the most common types of
malware.
(Viruses: A virus is a type of computer program that, when executed, replicates and
attaches itself to other files, such as a legitimate program, by inserting its own
code into it. Some viruses are harmless yet others can be destructive, such as
those that modify or delete data. Most viruses require end-user interaction to
initiate activation, and can be written to act on a specific date or time. Viruses
can be spread through removable media such as USB flash drives, Internet downloads
and email attachments. The simple act of opening a file or executing a specific
program can trigger a virus. Once a virus is active, it will usually infect other
programs on the computer or other computers on the network. Viruses mutate to avoid
detection. For example, the Melissa virus was released in 1999 and spread via
email, affecting tens of thousands of users and causing an estimated $1.2 billion
in damage.
Worms: A worm is a malicious software program that replicates by independently

exploiting vulnerabilities in networks. Unlike a virus, which requires a host
program to run, worms can run by themselves. Other than the initial infection of
the host, they do not require user participation and can spread very quickly over
the network, usually slowing it down. Worms share similar patterns: they exploit
system vulnerabilities, they have a way to propagate themselves and they all
contain malicious code (payload) to cause damage to computer systems or networks.
Worms are responsible for some of the most devastating attacks on the Internet. In
2001, the Code Red worm had infected over 300,000 servers in just 19 hours.
Trojan horse: A Trojan horse is malware that carries out malicious operations by
masking its true intent. It might appear legitimate but is, in fact, very
dangerous. Trojans exploit the privileges of the user who runs them. Unlike
viruses, Trojans do not self-replicate but often bind themselves to non-executable
files, such as image, audio or video files, acting as a decoy to harm the systems
of unsuspecting users.)
1.3.2 Logic Bombs:

A logic bomb is a malicious program that waits for a trigger, such as a specified
date or database entry, to set off the malicious code. Until this trigger event
happens, the logic bomb will remain inactive. Once activated, a logic bomb
implements a malicious code that causes harm to a computer in various ways. It can
sabotage database records, erase files and attack operating systems or
applications. Cybersecurity specialists have recently discovered logic bombs that
attack and destroy the hardware components in a device or server, including the
cooling fans, central processing unit (CPU), memory, hard drives and power
supplies. The logic bomb overdrives these components until they overheat or fail.
1.3.3 Ransomware:
This malware is designed to hold a computer system or the data it contains captive
until a payment is made. Ransomware usually works by encrypting your data so that
you cannot access it. According to ransomware claims, once the ransom is paid via
an untraceable payment system, the cybercriminal will supply a program that
decrypts the files or send an unlock code — but in reality, many victims do not
gain access to their data even after they have paid. Some versions of ransomware
can take advantage of specific system vulnerabilities to lock it down. Ransomware
is often spread through phishing emails that encourage you to download a malicious
attachment, or through a software vulnerability.
1.3.4 Denial of Service Attacks:

associated text. Denial of service (DoS) attacks are a type of network attack that
is relatively simple to conduct, even for an unskilled attacker. They are a major
risk as they usually result in some sort of interruption to network services,
causing a significant loss of time and money. Even operational technologies,
hardware or software that controls physical devices or processes in buildings,
factories or utility providers, are vulnerable to DoS attacks, which can cause a
shutdown, in extreme circumstances. Select the images to find out more about the
two main types of DoS attacks. Overwhelming quantity of traffic: This is when a
network, host or application is sent an enormous amount of data at a rate which it
cannot handle. This causes a slowdown in transmission or response, or the device or
service to crash.
Maliciously formatted packets: A packet is a collection of data that flows between

a source and a receiver computer or application over a network, such as the
Internet. When a maliciously formatted packet is sent, the receiver will be unable
to handle it. For example, if an attacker forwards packets containing errors or
improperly formatted packets that cannot be identified by an application, this will
cause the receiving device to run very slowly or crash.
Distributed denial of service (DDoS) attacks are similar but originate from
multiple coordinated sources. Here is how this happens:
1) An attacker builds a network (botnet) of infected hosts called zombies, which
are controlled by handler systems.
2) The zombie computers constantly scan and infect more hosts, creating more and
more zombies.
3) When ready, the hacker will instruct the handler systems to make the botnet of
zombies carry out a DDoS attack.
1.3.5 Domain Name System:

There are many essential technical services needed for a network to operate — such
as routing, addressing and domain naming. These are prime targets for attack.
Select the headings to find out how cybercriminals can take advantage of
vulnerabilities in these services.
(Domain: The Domain Name System (DNS) is used by DNS servers to translate a domain
name, such as www.cisco.com, into a numerical IP address so that computers can
understand it. If a DNS server does not know an IP address, it will ask another DNS
server. An organization needs to monitor its domain reputation, including its IP
address, to help protect against malicious external domains.
DNS spoofing: DNS spoofing or DNS cache poisoning is an attack in which false data
is introduced into a DNS resolver cache — the temporary database on a computer’s
operating system that records recent visits to websites and other Internet domains.
These poison attacks exploit a weakness in the DNS software that causes the DNS
servers to redirect traffic for a specific domain to the attacker’s computer.
Domain hijacking: When an attacker wrongfully gains control of a target’s DNS

information, they can make unauthorized changes to it. This is known as domain
hijacking. The most common way of hijacking a domain name is to change the
administrator’s contact email address through social engineering or by hacking into
the administrator's email account. The administrator’s email address can be easily
found via the WHOIS record for the domain, which is of public record.
Uniform Source Location (URL): A uniform resource locator (URL) is a unique

identifier for finding a specific resource on the Internet. Redirecting a URL
commonly happens for legitimate purposes. For example, you have logged into an
eLearning portal to begin this Cybersecurity Essentials course. If you log out of
the portal and return to it another time, the portal will redirect you back to the
login page. It is this type of functionality that attackers can exploit. Instead of
taking you to the eLearning login page, they can redirect you to a malicious site.)
1.3.6 Build a Home Network:

In this Packet Tracer activity, you will learn how to:
Connect and configure devices. Use network services. Use packet tracing to
visualize network communication. Press the play button to view this short demo
video.
Now, get a real-world, hands on experience by downloading the Packet Tracer file on
your own laptop or desktop computer and following the instructions. Download the
1.3.6 Packet Tracer - Build a Home Network.pka file and the 1.3.6 Packet Tracer -
Build a Home Network - Answer Key.pdf for instructions. If you do not have Cisco
Packet Tracer installed on your computer, please click here to download and install
it. Please be aware, depending on your computer, for Packet Tracer it might take up
to a minute to load the topology from the PKA file.
1.3.7 Layer 2 Attacks:

Layer 2 refers to the data link layer in the Open Systems Interconnection (OSI)
data communication model. This layer is used to move data across a linked physical
network. IP addresses are mapped to each physical device address (also known as
media access control (MAC) address) on the network, using a procedure called
address resolution protocol (ARP). In its simplest terms, the MAC address
identifies the intended receiver of an IP address sent over the network, and ARP
resolves IP addresses to MAC addresses for transmitting data. Attackers often take
advantage of vulnerabilities in this layer 2 security. Scroll down to discover some
examples.
(Spoofing: Spoofing, or poisoning, is a type of impersonation attack that takes

advantage of a trusted relationship between two systems. MAC address spoofing
occurs when an attacker disguises their device as a valid one on the network and
can therefore bypass the authentication process. ARP spoofing sends spoofed ARP
messages across a LAN. This links an attacker’s MAC address to the IP address of an
authorized device on the network. IP spoofing sends IP packets from a spoofed
source address in order to disguise it.
MAC Flooding: Devices on a network are connected via a network switch by using
packet switching to receive and forward data to the destination device. MAC
flooding compromises the data transmitted to a device. An attacker floods the
network with fake MAC addresses, compromising the security of the network switch.)
1.3.8 Spot the Attack:

Multiple choice question
Several employees at @Apollo have reported performance issues on their computers,
with applications running slow and notable popup ads appearing. Guru has asked you
to investigate. You consult a network monitoring tool, which also reveals abnormal
traffic on the network. Based on your findings, what type of attack do you think
@Apollo might be involved with?

That’s right! It turns out that an attacker was in the process of creating a botnet
of zombies at @Apollo. A DDoS attack uses a botnet consisting of several ‘zombie’
agents to overwhelm a target. In this case, @Apollo’s workstations were being
turned into zombies to carry out such an attack. Signs that you have been infected
by a botnet include performance issues, programs and applications not working
properly and/or advertisements popping up on screen. It was only a matter of time
before the attacker would have instructed the handler systems to take part in a
DDoS attack. Good work!
1.3.9 Man-in-the-Middle and Man-in-the-Mobile Attacks:

Attackers can intercept or modify communications between two devices to steal
information from or to impersonate one of the devices.
Select the images to find out more about these types of attacks.
(Man-in-the-Middle (MitM): A MitM attack happens when a cybercriminal takes control
of a device without the user’s knowledge. With this level of access, an attacker
can intercept, manipulate and relay false information between the sender and the
intended destination.
Man-in-the-Mobile (MitMo): A variation of man-in-the-middle, MitMo is a type of

attack used to take control over a user’s mobile device. When infected, the mobile
device is instructed to exfiltrate user-sensitive information and send it to the
attackers. ZeuS is one example of a malware package with MitMo capabilities. It
allows attackers to quietly capture two-step verification SMS messages sent to
users.)
A replay attack occurs when an attacker captures communication between two hosts
and then retransmits the message to the recipient, to trick the recipient into
doing what the attacker wants, thus circumventing any authentication mechanisms.
1.3.10 Zero-Day Attacks:

A zero-day attack or zero-day threat exploits software vulnerabilities before they
become known or before they are disclosed by the software vendor. A network is
extremely vulnerable to attack between the time an exploit is discovered (zero
hour) and the time it takes for the software vendor to develop and release a patch
that fixes this exploit. Defending against such fast-moving attacks requires
network security professionals to adopt a more sophisticated and holistic view of
any network architecture.
1.3.11 Keyboard Logging:

As the name suggests, keyboard logging or keylogging refers to recording or logging
every key struck on a computer’s keyboard. Cybercriminals log keystrokes via
software installed on a computer system or through hardware devices that are
physically attached to a computer, and configure the keylogger software to send the
log file to the criminal. Because it has recorded all keystrokes, this log file can
reveal usernames, passwords, websites visited and other sensitive information. Many
anti-spyware suites can detect and remove unauthorized key loggers.
It is important to note that keylogging software can be legitimate. Many parents

use it to keep an eye on their children’s Internet behavior.
1.3.12 Confirm Your Details:

You have just received an email from @Apollo’s HR department asking you to add your
bank account details to your file by clicking on a link in the email. It stresses
that this must be completed by the end of the day for you to be included in this
month’s payroll. Although the email looks like it has been sent internally, closer
inspection reveals a slight variation in the email domain of the sender’s address.
You could be a victim of what type of attack?
Select the correct answer, then Submit. (Impersonation)

That’s right! It looks like you could be a victim of an impersonation attack. In
this case, the criminal has used a spoofed email to try and trick you into
disclosing your personal information. Spoofed emails might look like the real thing
but clicking on links could download viruses on your device or redirect you to
malicious websites that prompt you to enter your personal information. Always keep
an eye out for the signs to make sure that you don’t get spoofed, paying particular
attention to: The sender's email domain, the URL of the link, the language,
spelling and grammar, the graphics.
1.3.13 Defending Against Attacks:

Organizations can take several steps to defend against various attacks. These
include the following:
Configure firewalls to remove any packets from outside the network that have
addresses indicating that they originated from inside the network. Ensure patches
and upgrades are current. Distribute the workload across server systems. Network
devices use Internet Control Message Protocol (ICMP) packets to send error and
control messages, such as whether or not a device can communicate with another on
the network. To prevent DoS and DDoS attacks, organizations can block external ICMP
packets with their firewalls.
1.3.14 Investigate a Threat Landscape:

This is a media player component. Select the play / pause button to watch or
listen.
In this Packet Tracer activity, you will learn how to:
Investigate a network configuration vulnerability.
Investigate a phishing malware vulnerability.
Investigate a wireless network and DNS vulnerability.
Press the play button to view this short demo video.
Now, get a real-world, hands on experience by following the instructions and

1.3.14 Packet Tracer - Investigate a Threat Landscape.pka file and the 1.3.14
Packet Tracer - Investigate a Threat Landscape - Answer Key.pdf for instructions.
1.4 Wireless and Mobile Device Attacks
The widespread use of the Internet and mobile devices means that now, more than
ever before, we can communicate and work on the go, without the need for cables and
wires! But this also breeds more opportunity for cybercriminals to access the
sensitive information they are after. Scroll down to find out more about how they
do this.
1.4.1 Grayware and SMiShing:

Grayware is any unwanted application that behaves in an annoying or undesirable
manner. And while grayware may not carry any recognizable malware, it may still
pose a risk to the user by, for example, tracking your location or delivering
unwanted advertising. Authors of grayware typically maintain legitimacy by
including these ‘gray’ capabilities in the small print of the software license
agreement. This factor poses a growing threat to mobile security in particular, as
many smartphone users install mobile apps without really considering this small
print. Short message service phishing or SMiShing is another tactic used by
attackers to trick you. Fake text messages prompt you to visit a malicious website
or call a fraudulent phone number, which may result in malware being downloaded
onto your device or personal information being shared.
1.4.2 Rogue Access Points:

A rogue access point is a wireless access point installed on a secure network
without explicit authorization. Although it could potentially be set up by a well-
intentioned employee looking for a better wireless connection, it also presents an
opportunity for attackers looking to gain access to an organization’s network.
Select the arrows to find out how.

(An attacker will often use social engineering tactics to gain physical access to
an organization’s network infrastructure and install the rogue access point.
Also known as a criminal’s access point, the access point can be set up as a MitM
device to capture your login information. This works by disconnecting the rogue
access point, which triggers the network to send a deauthentication frame to
disassociate the access point. This process is then exploited by spoofing your MAC
address and sending a deauthentication data transmission to the wireless access
point.
An evil twin attack describes a situation where the attacker’s access point is set
up to look like a better connection option. Once you connect to the evil access
point, the attacker can analyze your network traffic and execute MitM attacks.)
1.4.3 Radio Frequency Jamming:

Wireless signals are susceptible to electromagnetic interference (EMI), radio
frequency interference (RFI) and even lightning strikes or noise from fluorescent
lights. Attackers can take advantage of this fact by deliberately jamming the
transmission of a radio or satellite station to prevent a wireless signal from
reaching the receiving station. In order to successfully jam the signal, the
frequency, modulation and power of the RF jammer needs to be equal to that of the
device that the attacker is seeking to disrupt.
You have probably heard of Bluetooth but do you know exactly what it is and how it
works? Bluetooth is a short-range, low-power protocol that transmits data in a
personal area network (PAN) and uses pairing to establish a relationship between
devices such as mobiles, laptops and printers. Cybercriminals have discovered ways
to exploit the vulnerabilities between these connections. Scroll down to find out
more.
1.4.4 Bluejacking and Bluesnarfing

Due to the limited range of Bluetooth, an attacker must be within range of their
target. Here are some ways that they can exploit a target’s device without their
knowledge.
Select the images to find out how.

(Bluejacking uses wireless Bluetooth technology to send unauthorized messages or
shocking images to another Bluetooth device.
Bluesnarfing occurs when an attacker copies information, such as emails and contact
lists, from a target’s device using a Bluetooth connection.)
1.4.5 Attacks Against Wi-Fi Protocols:

Wired equivalent privacy (WEP) and Wi-Fi protected access (WPA) are security
protocols that were designed to secure wireless networks that are vulnerable to
attacks. WEP was developed to provide data transmitted over a wireless local area
network (WLAN) with a level of protection comparable to what is usually expected of
a traditional wired network. It added security to wireless networks by encrypting
the data. WEP used a key for encryption. The problem, however, was that WEP had no
provision for key management and so the number of people sharing the same key
continually grew, giving criminals access to a large amount of traffic data.
Furthermore, WEP’s initialization vector (IV), one of the key components of its
encryption key, was too small, readable and static. To address this and replace
WEP, WPA and then WPA2 were developed as improved security protocols. Unlike with
WEP, an attacker cannot recover WPA2’s encryption key by observing network traffic.
However, they can still use a packet sniffer to analyze the packets going between
an access point and a legitimate user.
1.4.6 Risky Business:

You are enjoying a coffee in the local cafe and decide to catch up on your emails
while you wait for your friend to arrive. You try to log on to the café’s Wi-Fi but
the connection looks very weak. Fortunately, there is a second Wi-Fi with a similar
name, so you log on to that. However, unbeknownst to you, an attacker sits nearby,
having created a Wi-Fi hotspot on their mobile, which they have paired with their
laptop. They are monitoring the online activity of everyone who connects to this
Wi-Fi, including you — that wasn’t the café’s Wi-Fi after all!
What type of attack is this? Select the correct answer, then Submit. (Evil twin)
(That’s right! This is an example of an evil twin attack. The attacker has set up a
Wi-Fi hotspot to look like a better connection option for anyone looking to access
the cafe’s Wi-Fi. Once you are connected to the evil access point, the attacker can
analyze your network traffic and execute MitM attacks. Always use a virtual private
network (VPN) to stay secure on public networks, especially if you are accessing
personal data or confidential organizational information.)
1.4.7 Wi-Fi and Mobile Defense:
There are several steps that organizations and users need to take to defend against
wireless and mobile device attacks. These include the following:
* Take advantage of basic wireless security features such as authentication and
encryption by changing the default configuration settings.
* Restrict access point placement by placing these devices outside the firewall or
within a demilitarized zone — a perimeter network that protects an organization’s
LAN from untrusted devices.
* Use WLAN tools such as NetStumbler to detect rogue access points or unauthorized
workstations.
* Develop a policy for guest access to an organization’s Wi-Fi network.
* Employees in an organization should use a remote access VPN for WLAN access.
1.5 Other Attacks
Attacks carried out through web applications are becoming increasingly common.They
involve cybercriminals taking advantage of vulnerabilities in the coding of a web-
based application to gain access to a database or server. Let’s take a look at some
examples.
1.5.1 Cross-Site Scripting:

Cross-site scripting (XSS) is a common vulnerability found in many web
applications. This is how it works:
- Cybercriminals exploit the XSS vulnerability by injecting scripts containing
malicious code into a web page.
- The web page is accessed by the victim, and the malicious scripts unknowingly
pass to their browser.
- The malicious script can access any cookies, session tokens or other sensitive
information about the user, which is sent back to the cybercriminal.
- Armed with this information, the cybercriminal can impersonate the user.
1.5.2 Code Injection:

Most modern websites use a database, such as a Structured Query Language (SQL) or
an Extensible Markup Language (XML) database, to store and manage data. Injection
attacks seek to exploit weaknesses in these databases.
Select the headings to find out more about some common types of injection attacks.
(XML injection attack: An XML injection attack can corrupt the data on the XML
database and threaten the security of the website. It works by interfering with an
application’s processing of XML data or query entered by a user. A cybercriminal
can manipulate this query by programming it to suit their needs. This will grant
them access to all of the sensitive information stored on the database and allows
them to make any number of changes to the website.
SQL injection attack: Cybercriminals can carry out an SQL injection attack on
websites or any SQL database by inserting a malicious SQL statement in an entry
field. This attack takes advantage of a vulnerability in which the application does
not correctly filter the data entered by a user for characters in an SQL statement.
As a result, the cybercriminal can gain unauthorized access to information stored
on the database, from which they can spoof an identity, modify existing data,
destroy data or even become an administrator of the database server itself.
DLL injection attack: A dynamic link library (DLL) file is a library that contains
a set of code and data for carrying out a particular activity in Windows.
Applications use this type of file to add functionality that is not built-in, when
they need to carry out this activity. DLL injection allows a cybercriminal to trick
an application into calling a malicious DLL file, which executes as part of the
target process.
LDAP injection attack: The Lightweight Directory Access Protocol (LDAP) is an open
protocol for authenticating user access to directory services. An LDAP injection
attack exploits input validation vulnerabilities by injecting and executing queries
to LDAP servers, giving cybercriminals an opportunity to extract sensitive
information from an organization’s LDAP directory.)
1.5.3 Buffer Overflow:

Buffers are memory areas allocated to an application. A buffer overflow occurs when
data is written beyond the limits of a buffer. By changing data beyond the
boundaries of a buffer, the application can access memory allocated to other
processes. This can lead to a system crash or data compromise, or provide
escalation of privileges. These memory flaws can also give attackers complete
control over a target’s device. For example, an attacker can change the
instructions of a vulnerable application while the program is loading in memory
and, as a result, can install malware and access the internal network from the
infected device.
Did you know that research carried out by Carnegie Mellon University estimates that
nearly half of all exploits of computer programs stem from some form of buffer
overflow?
1.5.4 Remote Code Executions:

Remote code execution allows a cybercriminal to take advantage of application
vulnerabilities to execute any command with the privileges of the user running the
application on the target device. Privilege escalation exploits a bug, design flaw
or misconfiguration in an operating system or software application to gain access
to resources that are normally restricted.
Select the image to find out more about the Metasploit Project and this community’s
white hat cybersecurity tools.
(The Metasploit Project is a computer security project that provides information
about security vulnerabilities and aids in penetration testing. Among the tools
they have developed is the Metasploit Framework, which can be used for developing
and executing exploit code against a remote target. Meterpreter, in particular, is
a payload within Metasploit that allows users to take control of a target’s device
by writing their own extensions and uploading these files into a running process on
the device. These files are loaded and executed from memory, so they never involve
the hard drive. This means that such files fly under the radar of antivirus
detection. Meterpreter also has a module for controlling a remote system’s webcam.
Once Meterpreter is installed on a target device, the Metasploit user can view and
capture images from the target’s webcam.)
1.5.5 Other Application Attacks:

Every piece of information that an attacker receives about a targeted system or
application can be used as a valuable weapon for launching a dangerous attack.
Select the headings to find out more about some other types of application attacks.
(Cross-site request forgery (CSRF): CSRF describes the malicious exploit of a
website where unauthorized commands are submitted from a user’s browser to a
trusted web application. A malicious website can transmit such commands through
specially-crafted image tags, hidden forms or JavaScript requests — all of which
can work without the user’s knowledge.
Race condition attack: Also known as a time of check (TOC) or a time of use (TOU)
attack, a race condition attack happens when a computing system that is designed to
handle tasks in a specific sequence is forced to perform two or more operations
simultaneously. For example, operating systems are made up of threads — the
smallest sequence of program instructions required to carry out a process. When two
or more threads access shared data and try to change it at the exact same time, a
race condition attack occurs.
Improper input handling attack: Data inputted by a user that is not properly
validated can affect the data flow of a program and cause critical vulnerabilities
in systems and applications that result in buffer overflow or SQL injection
attacks.
Error handling attack: Attackers can use error messages to extract specific
information such as the hostnames of internal systems and directories or files that
exist on a given web server — as well as database, table and field names that can
be used to craft SQL injection attacks.
Application programming interface (API) attack: An API delivers a user response to
a system and sends the system’s response back to the user. An API attack occurs
when a cybercriminal abuses an API endpoint.
Replay attack: This describes a situation where a valid data transmission is
maliciously or fraudulently repeated or delayed by an attacker, who intercepts,
amends and resubmits the data to get the receiver to do whatever they want.
Directory traversal attack: Directory traversal occurs when an attacker is able to
read files on the webserver outside of the directory of the website. An attacker
can then use this information to download server configuration files containing
sensitive information, potentially expose more server vulnerabilities or even take
control of the server!
Resource exhaustion attacks: These attacks are computer security exploits that
crash, hang or otherwise interfere with a targeted program or system. Rather than
overwhelming network bandwidth like a DoS attack, resource exhaustion attacks
overwhelm the hardware resources available on the target’s server instead.)
1.5.6 What Do You Think?

Guru has asked for your opinion. It looks like an attacker has targeted a
vulnerability in @Apollo’s online messaging service, which is used to facilitate
communications between employees working across different sites. When an employee
makes a voice call, it floods the memory of the application, effectively giving the
attacker control over the employee’s device. What type of attack is this?
Select the correct answer, then Submit. (Buffer overflow)

That’s right, well done! You appear to have a good understanding of the different
attack types which cybercriminals have at their disposal. In this case, the
attacker has carried out a buffer overflow attack. By writing the limits of
@Apollo’s online messaging service beyond the buffer, they can effectively gain
access to employee devices every time a voice call is made using this application.
1.5.7 Defending Against Application Attacks:

There are several actions that you can take to defend against an application
attack. You will find some of them outlined here.
*The first line of defense against an application attack is to write solid code.
* Prude ntprogramming practice involves treating and validating all input from
outside of a function as if it is hostile.
*Keep all software, including operating systems and applications, up to date and do
not ignore update prompts. Remember that not all programs update automatically.
Email is used by billions of people worldwide and, as a result, has become a major
vulnerability to users and organizations. Scroll down to find out more about some
common email and browser attacks.
1.5.8 Spam:
Spam, also known as junk mail, is simply unsolicited email. In most cases, it is a
method of advertising. However, a lot of spam is sent in bulk by computers infected
by viruses or worms — and often contains malicious links, malware or deceptive
content that aims to trick recipients into disclosing sensitive information, such
as a social security number or bank account information. Almost all email providers
filter spam, but it still consumes bandwidth. And even if you have security
features implemented, some spam might still get through to you. Look out for the
following indicators of spam:
The email has no subject line.
The email asks you to update your account details.
The email text contains misspelled words or strange punctuation.
Links within the email are long and/or cryptic.
The email looks like correspondence from a legitimate business, but there are tiny
differences — or it contains information that does not seem relevant to you.
The email asks you to open an attachment, often urgently.
If you receive an email that contains one or more of these indicators, you should
not open the email or any attachments. Many organizations have an email policy that
requires employees to report receipt of this type of email to their cybersecurity
team for further investigation. If in doubt, always report.
1.5.9 Phishing:
Phishing is a form of fraudulent activity often used to steal personal information.
Select the images to find out more.

(Phishing: Phishing occurs when a user is contacted by email or instant message —
or in any other way — by someone masquerading as a legitimate person or
organization. The intent is to trick the recipient into installing malware on their
device or into sharing personal information, such as login credentials or financial
information. For example, you receive an email congratulating you for winning a
prize. It looks like it was sent from a well-known retail store and asks you to
click on a link to claim your prize. This link may in fact redirect you to a fake
site that asks you to enter your personal details, or it may even install a virus
on your device.
Spear phishing: A highly targeted attack, spear phishing sends customized emails to
a specific person based on information the attacker knows about them — which could
be their interests, preferences, activities and work projects. For example, a
cybercriminal discovers through their research that you are looking to buy a
specific model of car. The cybercriminal joins a car discussion forum you are a
member of, forges a car sale offering and sends you an email that contains a link
to see pictures of the car. When you click on the link, you unknowingly install
malware on your device.)
1.5.10 Vishing, Pharming and Whaling:

Criminals make use of a wide range of techniques to try to gain access to your
personal information.
Select the headings to find out more about some of their common scams.
(Vishing: Often referred to as voice phishing, this type of attack sees criminals
use voice communication technology to encourage users to divulge information, such
as their credit card details. Criminals can spoof phone calls using voice over
Internet protocol (VoIP), or leave recorded messages to give the impression that
they are legitimate callers.
Pharming: This type of attack deliberately misdirects users to a fake version of an
official website. Tricked into believing that they are connected to a legitimate
site, users enter their credentials into the fraudulent website.
Whaling: Whaling is a phishing attack that targets high profile individuals, such
as senior executives within an organization, politicians and celebrities.)
1.5.11 Gone Phishing...

@Apollo has a number of security policies that require employees to report any
suspicious activities to the cybersecurity team for further investigation. Guru has
asked you to review some recent activities to see if any indicate a security issue.
Can you identify what type of attack each scenario is describing?

An employee received an email that looked like it came from an @Apollo supplier
asking them to click a link to claim a discount. (Phishing)
An employee received an automated phone call from the bank advising that @Apollo’s
account had been compromised and that they must call a specific number to reset the
password. (Vishing)
An employee received a text message advising that one of @Apollo’s software
subscriptions is expiring and that they must update the details immediately.
(Smishing)
That’s right! Criminals have a range of methods that aim to trick users into
divulging their personal and financial information. You need to be aware of these
and know what signs to look out for so that you and your organization do not fall
victim to attack.
1.5.12 Defending Against Email and Browser Attacks:

There are many actions that you can take to defend against email and browser
attacks. Some of the most important ones are outlined here.
It is difficult to stop spam, but there are ways to reduce its effects:
- Most Internet service providers (ISPs) filter spam before it reaches the user’s
inbox.
- Many antivirus and email software programs automatically detect and remove
dangerous spam from an email inbox.
- Organizations should educate employees about the dangers of unsolicited emails
and make them aware of the dangers of opening attachments.
- Never assume that email attachments are safe, even when they come from a trusted
contact. Always scan attachments before opening them.
- Become a member of the Anti-Phishing Working Group (APWG). It is an international
association of companies focused on eliminating identity theft and fraud resulting
from phishing and email spoofing.
- All software should be kept up-to-date, with the latest security patches applied
to protect against any known security vulnerabilities.
Phew! That’s a lot to take in. Cybercriminals can employ a range of tactics to get
the information they want. And we’re not done yet! Scroll down and keep going...
1.5.13 There's More...

Select the headings to reveal more information about some other common attacks that
cybercriminals can launch.
(* Physical attacks: Physical attacks are intentional, offensive actions used to
destroy, expose, alter, disable, steal or gain unauthorized access to an
organization’s infrastructure or hardware. Examples of physical attacks include:
Loading malware onto a USB flash drive that infects a device when plugged in.
* Fitting cables and plugs such as generic USB cables, mobile device charging
cables and wall or power adapters with advanced technologies, such as a wireless
chip, to allow an attacker to control or provide instructions to a device.
* Copying or skimming data from a credit or debit card using a specialized terminal
to create a cloned card, which can be used to gain unauthorized access to the
victim’s accounts.
* Adversarial artificial intelligence attacks: Machine learning is a method of
automation that allows devices to carry out analysis and perform tasks without
specifically being programmed to do so. It powers many of the applications we use
today, such as web searching, photo tagging, spam detection, video surveillance,
fraud detection and security automation. Machine learning uses mathematical models
to predict outcomes. However, these models are dependent on the data that is
inputted. If the data is tainted, it can have a negative impact on the predicted
outcome. Attackers can take advantage of this to perpetrate attacks against machine
learning algorithms. For example, using tainted data to trick an autonomous vehicle
into misinterpreting street signs.
* Supply chain attacks: Many organizations interface with a third party for their
systems management or to purchase components and software. Organizations may even
rely on parts or components from a foreign source. Attackers often find ways to
intercept these supply chains. For example, software can be based on specific
support agreements and subject to an end-of-life (EOL) date. Changing this date
could mean that an organization is no longer eligible for service and maintenance
support.
* Cloud-based attacks: Rather than developing systems on their own premises, more
and more organizations are making the move toward cloud-based computing, as we
discussed earlier in this module. The advantage is that the cloud provider will
maintain the equipment but this also opens up an organization to a host of
potential threats. Attackers are constantly leveraging ways to exploit sensitive
data stored on the cloud, as well as applications, platforms and infrastructure
that is cloud-based, as we saw with SaaS, PaaS and IaaS.)
Summary
Cybercriminals are becoming increasingly sophisticated and, as you have seen, they
have many means at their disposal to exploit vulnerabilities in a system or network
and carry out attacks to gain access to sensitive and valuable information. As a
cybersecurity professional, you will need to know what their tactics are so that
you can spot, stop and defend against them. You have done great work so far at
@Apollo. Guru is excited to develop your talent further. It’s time to move on to
the next module where we will look at the three Ps of cybersecurity — principles,
practices and processes. These will help guide you as you build your career in
cybersecurity.
But before you move on, let’s check your knowledge with a short quiz.
1.6 Quiz (90%)
2. Cybersecurity P3 (Principles, Practices and Processes)
2.1. The Three Dimensions

Welcome back, my apprentice! After looking at the threats and threat domains they
can target, I’m looking forward to showing you everything I know about the
principles, practices and processes relating to cybersecurity. It’s great to see
your career in cybersecurity developing. Remember, at the end of this module you
could move on to the next level of training — so let’s make sure we stop these
cybercriminals in their tracks and help keep sensitive information, servers and
systems at @Apollo secure! Scroll down to get started.
2.1.1. The Cybersecurity Cube:

Have you heard of the cybersecurity cube? It is a way of thinking about protecting
data that provides us with a clear idea of what it entails, including the three
dimensions of information security.
Scroll down to explore each one.
1. Security Principles: (imagen 2.1.1.a)

The first dimension of the cybersecurity cube identifies the goals to protect
cyberspace. The foundational principles of confidentiality, integrity and
availability of data provide a focus which enables the cybersecurity expert to
prioritize actions when protecting any networked system.
- Data confidentiality prevents the disclosure of information to unauthorized
people, resources, or processes.
- Data integrity refers to the accuracy, consistency, and trustworthiness of data.
- Data availability ensures that information is accessible by authorized users when
needed.
You can use the acronym CIA to remember these three principles.
2. Data States: (imagen 2.1.1.b)

The cyberspace domain contains a considerable amount of critically important data.
But in what state? The second dimension of the cybersecurity cube represents the
three possible data states:
- Data in transit.
- Data at rest or in storage.
- Data in process.
Effective cybersecurity requires the safeguarding of data in all three states. We
can’t focus only on protecting data that is being processed, nor just on data in
storage.
3. Safeguards: (imagen 2.1.1.c)

The third dimension of the cybersecurity cube defines the pillars on which we need
to base our cybersecurity defenses in order to protect data and infrastructure in
the digital realm. These are technology, policy and practices, and improving
education, training and awareness in people. Cybersecurity professionals must use a
range of different skills and disciplines available to them when protecting data
and infrastructure in cyberspace.
2.1.2. CIA Triad – The Principle of Confidentiality:

To accomplish confidentiality without using encryption, tokenization is a
substitution technique that can isolate data elements from exposure to other data
systems. A random value with no mathematical relationship replaces original data.
Outside the system, a token has no value and is meaningless. Tokenization can
preserve the data format (its type and data length), which makes it useful for
databases and card payment processing. Rights management covers both digital rights
management (DRM) and information rights management (IRM). Both protect data from
unauthorized access by using encryption.
DRM protects copyrighted material like music albums, films or books. When any such
content appears in digital form — for instance on CD, mp3 or e-book — it is
encrypted, so the media cannot be copied without the decryption key, which is
available only to licensed parties.
IRM is used in email and other files relevant to the activities and communications
of an organization that need to be shared with others. With IRM, the document
owner, the organization or one of its members, controls and manages access to the
document.
2.1.3. Protecting Data Privacy:

Now you know the basics about protecting confidential data, but remember,
organizations collect a huge amount of data and while lots of it is publicly
available, some data is sensitive information that should be kept confidential. As
@Apollo grows bigger, there is more and more sensitive data, which must be
protected from unauthorized access to safeguard the organization, its employees,
clients and partners. Types of sensitive information fall into three categories:
personal information, business information and classified information. Can you
identify which category each of the below are examples of?

An @Apollo employee’s bank details. (Personal)
A brand new eLearning tool, which @Apollo is planning to launch into the market
next year. (Business)
Restricted access information from a government agency for a new training module
that @Apollo is creating, based around high security policies. (Classified)
That’s right, well done!
Personal information is anything that can be traced back to an individual, such as
medical records, credit card numbers or social security numbers.
Business information contains anything that poses a risk to an organization if
discovered by the public or by a competitor, such as acquisition plans, customer
information or trade secrets.
Classified information may belong to a government body or similar and is considered
secret, confidential or restricted access.
Some organizations deploy privacy enhancement technologies including anonymization,

data minimization and tokenization to help resolve data privacy concerns. Data
anonymization works by obscuring privately identifiable data stored in a clear
format, and turning that data into irreversible anonymous information. This might
be something that @Apollo might think about implementing as its business grows.
Let’s keep exploring the principles of data security. You’re doing great!
2.1.4. Data Integrity:

Integrity is the accuracy, consistency and trustworthiness of data across its
entire lifecycle. Data undergoes several operations such as capture, storage,
retrieval, update and transfer, and must remain unaltered by unauthorized entities
during all these operations. Methods used to ensure data integrity include hashing,
data validation checks, data consistency checks and access controls. Data integrity
systems can include one or more of these methods. Data integrity is a fundamental
component of information security, and protecting it is a constant challenge for
most organizations. Loss of data integrity can render entire data resources
unreliable or unusable. However, the need for and urgency of data integrity varies
based on how an organization uses its data. For example, a bank or financial
organization assigns a higher importance to data integrity than a social media
channel.
Select the images to find out more about the need for data integrity.
(* Critical level of need: In a healthcare organization, data integrity might be a
matter of life or death. Prescription information must be accurate. Therefore, all
data is continuously validated, tested and verified.
* High level of need: In an e-commerce or analytics-based organization,
transactions and customer accounts must be accurate. All data is validated and
verified at frequent intervals.
* Mid level of need: Online sales and search engines collect data that has been
publicly posted. Little verification is performed, and data is not completely
trustworthy.
* Low level of need: Blogs, forums and personal pages on social media are powered
by public opinion and open contribution. Data may not be verified at all, and there
is a low level of trust in the content.)
2.1.5 Availability:
Availability refers to the need to maintain availability of informaticon whenever
it is needed. Cyberattacks and system failures can prevent access to information,
systems and services. Common auses of system failures that can impact the
availability of data are: Equipment failure, Natural disaster, Denial of Service,
Malicious attacks, Equipment maintenance, System backup.
There are many reasons why cybercriminals want to interrupt the availability of a
service or system — or even files and data. Taking down a competitor’s website, for
example, may provide an advantage to its rival. Denial of service (DoS) attacks
threaten system availability and prevent legitimate users from accessing and using
information systems when needed. Methods used to ensure high availability include
system redundancy, system backups, increased system resiliency, equipment
maintenance, operating system and software updates and patches, and proactive plans
for swift recovery from unforeseen disasters.
2.1.6 Ensuring Availability:

There are many measures that organizations can implement to ensure the availability
of their services and systems. Let’s explore some examples. As you read them, think
about which ones might be suitable for @Apollo.
Select the headings to find out more.

(* Equipment maintenance: Regular equipment maintenance can dramatically improve
system uptime. Maintenance includes component replacement, cleaning and alignment.
* Operating systems and software updates and patches: Modern operating systems,
applications and software are continuously updated to correct errors and eliminate
vulnerabilities. In every organization, all systems, applications and software
should be updated to a regular schedule. Cybersecurity professionals can subscribe
to alerts that announce new update releases.
* Backup testing: Backup of organization data, configuration data and personal data
helps ensures availability. Backup systems and backed up data should also be tested
to ensure they work properly, and that data can be recovered in the event of data
loss.
* Disaster planning: Planning for disasters is a critical part of increasing system
availability. Employees and customers should know how to respond to a disaster. The
cybersecurity team should practice response protocols, test backup systems and be
familiar with procedures for restoring critical systems.
* New technology implementations: High availability requires continuous evaluation
and testing of new technologies to counter new threats and attacks. Cybercriminals
use the latest tools and tricks, so cyber professionals are also required to keep
up, using new technologies, products and devices.
* Activity monitoring: Continuous system monitoring increases system availability.
Monitoring event logs, system alerts and access logs provides the cybersecurity
professional with real-time system information. Such monitoring can identify
attacks within seconds and enable cybersecurity professionals to fend them off
quickly, when they occur.
* Availability testing: All systems should be tested to find vulnerabilities.
Testing can include port scans, vulnerability scans and penetration tests.)
2.1.7 The Cybersecurity Sorcery Cube Scatter Quizlet:

In this Lab you will identify the three dimensions of the Cybersecurity Sorcery
Cube and the elements of each dimension.
Press the play button to view this short demo video. (Video). Now, get a real-
world, hands-on experience by following the instructions and practicing this
activity on your own laptop or desktop computer. Download the 2.1.7 Lab - The
Cybersecurity Sorcery Cube Scatter Quizlet - Answer Key.pdf for instructions.
2.1.8 File and Data Integrity Checks:

In this Packet Tracer you will learn how to: Recover files after a cyber attack.
Use hashing to verify file integrity. Use HMAC to verify file integrity.
Press the play button to view this short demo video. (Video) Now, get a real-world,
hands-on experience by following the instructions and practicing this activity on
your own laptop or desktop computer. Download the 2.1.8 Packet Tracer - File and
Data Integrity Checks.pka file and the 2.1.8 Packet Tracer - File and Data
Integrity Checks - Answer Key.pdf for instructions.
2.1.9 Explore File and Data Encryption:

In this Packet Tracer you will learn how to: Discover encrypted account credentials
using the OpenSSL tool. Upload and download confidential data. Decrypt the contents
of a sensitive file.
Press the play button to view this short demo video. (Video) Now, get a real-world,
hands-on experience by following the instructions and practicing this activity on
your own laptop or desktop computer.Download the 2.1.9 Packet Tracer - Explore File
and Date Encryption.pka file and the 2.1.9 Packet Tracer - Explore File and Date
Encryption - Answer Key.pdf for instructions.
2.2 States of Data
As outlined by the cybersecurity cube, information security requires data to be

protected in all three states: at rest, in transit and in process. Organizations
like @Apollo handle plenty of data. Let’s start this topic by exploring the
different states this data can be in.
Scroll down to get started.
2.2.1 Data at Rest:

‘Data at rest’ refers to data that is in storage. Simply put, it is the state data
is in when no user or process is accessing, requesting or amending it. Data at rest
can be stored on local devices such as a hard disk in a user’s computer, or a
centralized network, such as an organization’s server. Any and all data that is not
in transit nor in process is considered data at rest. However, a number of options
exist for intentionally storing data that you may want to access later.

(-Direct-attached storage (DAS): This type of storage is connected to a computer. A
hard drive or USB flash drive is an example of direct-attached storage. By default,
systems are not set up to share direct-attached storage with other computers on
their network.
- Redundant array of independent disks (RAID): These professional storage solutions
use multiple hard drives in an array, which is a method of combining multiple disks
so that the operating system sees them as a single disk. RAID provides improved
performance and fault tolerance.
- Network attached storage (NAS) device: This is a storage device connected to a
network that allows storage and retrieval of data from a centralized location by
authorized network users. NAS devices are flexible and scalable, meaning
administrators can increase their capacity as needed.
- Storage area network (SAN): SAN architecture is a network-based storage system.
SAN systems connect to the network using high-speed interfaces, which allows for
improved performance and the ability to connect multiple servers to a centralized
disk storage repository.
- Cloud storage: This is a remote storage option that uses space on a data center
provider and is accessible from any computer with Internet access, usually upon
subscription. Google Drive, iCloud, and Dropbox are all examples of cloud storage
providers.)
2.2.2 Challenges of Protecting Stored Data:

To improve data storage protection, organizations can automate and centralize data
backups.
Select the arrows to find out more.

(Direct-attached storage can be one of the most difficult types of data storage to
manage and control. Direct-attached storage is vulnerable to malicious attacks on
the local host.
Data at rest also includes backup data (when it is not being written or in
transit). Backups can be manual or automatic. To boost security and decrease data
loss, organizations should limit the types of data stored on direct-attached
storage devices.
Network storage systems offer a more secure option. Network storage systems
including RAID, SAN and NAS provide greater performance and redundancy. However,
network storage systems are more complicated to configure and manage. They also
handle more data, posing a greater risk to the organization if the device fails.
The unique challenges of network storage systems include configuring, testing and
monitoring the system.)
@Apollo has decided not to store its data using direct-attached methods. Instead,
the organization opted for network storage systems. They employ an IT technician to
manage this, as many organizations find protecting their stored data a growing
challenge, with cybersecurity attacks becoming more sophisticated and frequent. You
and I have done a great job so far, and we have also made @Apollo aware of the
risks. They are certainly taking their data security seriously. There’s still
plenty for you to learn, though…
2.2.3 Methods of Transmitting Data:

Data in transit is the second state of data we are going to look at, referring
simply to data which is being transmitted — it is not at rest nor in use. Data
transmission involves sending information from one device to another, and
protecting data in transit poses challenges. There are numerous ways to transmit
information between devices.
Select the headings for details.

(- A sneaker net: A sneaker net uses removable media to physically move data from
one computer to another. Organizations will never be able to fully eliminate the
use of a sneaker net as a way to capture data.
- Wired networks: Wired networks use cables to transmit data. Wired networks
include copper-wired and fiber optic media and can serve a local area network (LAN)
or span great distances (wide area networks — WAN).
- Wireless networks: Wireless networks use radio waves to transmit data and are
replacing wired networks as they become faster and able to handle more bandwidth.
Wireless networks expand the number of guest users with mobile devices on small
office home office (SOHO) and enterprise networks.)
Both wired and wireless networks use packets or data units. The term packet refers
to a unit of data that travels between an origin and a destination on the network.
Standard protocols such as the Internet Protocol (IP) and Hypertext Transfer
Protocol (HTTP) define the structure and formation of data packets. These standards
are open source, fully available to the public. Protecting the confidentiality,
integrity and availability of transmitted data is one of the most important
responsibilities of a cybersecurity professional.
2.2.4 Challenges of Data in Transit

The protection of data in transit is one of the most challenging jobs of a
cybersecurity professional. With the growth in mobile and wireless devices, and the
increasing amounts of data collected and stored by organizations, cybersecurity
professionals are responsible for protecting massive amounts of data crossing their
network daily. We have several challenges to deal with if we want to protect this
data.

(- Protecting the confidentiality of data in transit: Cybercriminals can capture,
save and steal data in transit. Cybersecurity professionals must take steps to
counter these actions, such as implementing VPNs, using SSLs, IPsec and various
other methods of encryption.
- Protecting the integrity of data in transit: Cybercriminals can intercept and
alter data in transit. Cybersecurity professionals deploy data integrity systems
that test the integrity and authenticity of transmitted data to counter these
actions. These systems include, for example, hashing and data redundancy.
- Protecting the availability of data in transit: Cybercriminals can use rogue or
unauthorized devices to interrupt data availability, capturing it in transit. A
simple mobile device can pose as a local wireless access point and trick
unsuspecting users into associating with it. The cybercriminal can then hijack an
authorized connection to a protected service or device. As data is being
transmitted to and from the victim’s device, the cybercriminal can intercept and
even delete it, affecting its availability. Network security professionals can
implement mutual authentication systems to counter these actions. Mutual
authentication systems require the user to authenticate to the server and requests
the server to authenticate to the user. This way, a user’s device can tell when it
is being contacted or it is receiving data requests from unauthenticated, rogue
systems, such as the attacker’s in the example above.)
2.2.5 Data in Process:
Data in process refers to data during initial input, modification, computation or
output. It is the state that data is in when it is neither in transit nor at rest —
in simple terms, it is data that is being processed.
Select the arrows for further information.

(- Input: Protection of data integrity starts with the initial input of data.
Organizations use several methods to collect data, each posing a potential threat
to data integrity: data entry, scanning forms, file uploads and data collected from
sensors. Corruption during the input process may include mislabeling and incorrect
or mismatched data formats, data entry errors or disconnected and/or malfunctioning
or inoperable system sensors.
- Modification: Data modification is any change made to original data, such as
users manually modifying data, and programs processing and changing data. These
changes are intentional. Processes like encoding/decoding,
compression/decompression and encryption/decryption are all examples of data
modification too. But changes to data can be unintentional or malicious. When data
is modified in a way that stops it from being readable or usable, this is often
referred to as data corruption. For instance, equipment failing can result in data
corruption. Malicious code can also cause data corruption.
- Output: Data output refers to outputting data to output devices, such as
printers, electronic displays and speakers. The accuracy of output data is critical
because output provides information and influences decision-making. Examples of
output data corruption include the incorrect use of data delimiters, incorrect
communication configurations and improperly configured printers.)
2.2.6 Challenges of Protecting Data in Process:

Invalid data modification during processing can have an adverse impact, and
mitigating against such cases is important to organizations of all sizes. Software
errors are the reason for many such mishaps and disasters.
Select the images for two case studies.

(Just two weeks before Christmas, some of Amazon’s third-party retailers
experienced a change of the advertised price of dozens of their items from their
original price to just one cent each. It took one hour to revert the prices to
normal. The error resulted in thousands of shoppers getting the deal of a lifetime
and the third-party retailers losing a lot of revenue.
In 2016, a software glitch left users, literally, out in the cold. In January of
that year, many of Google’s Nest smart thermostats malfunctioned, leaving users
with no heat. What had happened was that a software update went wrong, forcing the
device’s batteries to drain and leaving it unable to control temperature. As a
result, customers were unable to heat their homes or get hot water on one of the
coldest weekends of the year.)
As you can see from these examples, protecting data in process requires well-
designed systems. Otherwise, the results for organizations can be severe and costly
to their finances or even their reputation. It is the role of cybersecurity
professionals to design comprehensive policies and procedures that use testing,
maintaining and updating systems to keep them operating with the least number of
errors.
2.2.7 Oh No! A Security Breach…

Just when we thought @Apollo had things covered… there has been a breach and some
of the customer information has been modified while in transit. Further
investigation suggests that this wasn’t due to manual error and no equipment
appears to have failed, but some accounting files containing details of bank
transactions have been corrupted. What could have been the cause?
Select the correct answer, then Submit. (Malicious code)

That’s right, well done. Both encoding/decoding and encryption/decryption are forms
of data modification, but if the files are corrupt then malicious code is the
likely cause.
Next Up... That covers the challenges that organizations face when protecting the
different stages of data. I’m sure you’ll agree that it’s not an easy task!
However, countermeasures are available so let’s move on to explore the third
dimension of the cybersecurity cube…
2.3 Cybersecurity Countermeasures
@Apollo may have some very unhappy clients when they hear about the safety breach.
Now is a great time to explore more countermeasures that can help prevent any more
malicious code from causing problems! Scroll down to get started.
2.3.1 Hardware-Based and Software-Based Technologies:

In the world of cybersecurity, both software and hardware is utilized to protect
the data and systems of organizations. Software safeguards include programs and
services that protect operating systems, databases and other services operating on
workstations, portable devices and servers.

Administrators can install the following software-based countermeasures or
safeguards on individual hosts or servers:
(* Software firewalls: These control remote access to a system. Operating systems
typically include a firewall, or a user can purchase or download software from a
third party.
* Network and port scanners: These discover and monitor open ports on a host or
server.
* Protocol analyzers: Otherwise known as signature analyzers, these are devices
that collect and examine network traffic. They identify performance problems,
detect misconfigurations, identify misbehaving applications, establish baseline and
normal traffic patterns and debug communication problems.
* Vulnerability scanners: These are programs designed to assess weaknesses on
computers or networks.
* Host-based intrusion detection systems (IDS): These examine activity on host
systems only. An IDS generates log files and alarm messages when it detects unusual
activity. A system storing sensitive data or providing critical services is a
candidate for host-based IDS.
There are several hardware-based technologies used to safeguard an organization’s

assets too. They include:
* Firewalls: These block unwanted traffic. Firewalls contain customizable rules
that define the traffic allowed into and out of a network.
* Proxy servers: Proxy servers use a network addressing scheme to present one
organization-wide IP address to the Internet. A proxy server thus functions on
behalf of the client when requesting service, potentially masking the true origin
of the request to the resource server.
* Hardware-based access control: This term refers to devices that utilize biometric
technology, such as fingerprint or iris scanners, to confirm the identity of anyone
trying to access servers, data and systems.
* Network switches: An integral part to networking, switches are commonly used as a
connection point, linking other devices together, for example in a local area
network. Their features enable them to add to the security efficiency of the
network.
2.3.2 Establishing a Culture of Cybersecurity Awareness:

associated text. Investing a lot of money in technology will not make a difference
if the people within the organization are not trained in cybersecurity. A security
awareness program and solid, comprehensive security policies are extremely
important for any organization. An employee might not be purposefully malicious but
just unaware of what the proper procedures are and still cause great harm. There
are several ways to implement training to prevent this and to ensure all employees
feel knowledgeable and confident to make cybersecurity best practices part of their
day-to-day activities.
Select the images for more information.

(- Education and training: Make security awareness training a part of an
organization’s onboarding process. Tie security awareness to job requirements or
performance evaluations. Conduct in-person training sessions using gamification and
activities (for example, capture the flag scenarios). Complete online modules and
courses — such as the eLearning @Apollo creates.
- Security awareness programs: An active security awareness program depends on: The
organization's environment and network. The level of threat. The nature and demands
of the data the organization holds. People are the first line of defense in
cybersecurity, and every organization is only as strong as its weakest link. Every
member of an organization must be aware of its security policies and implement them
in their day-to-day activities.)
It’s important to note that once is not enough: security awareness should be an
ongoing process, since new threats and techniques are always on the horizon.
Building an effective cybersecurity culture requires continued effort and
leadership from management, as well as the commitment of all team members.
2.3.3 Policies:
A security policy sets out the security objectives, rules of behavior and system
requirements to be adhered to.
A comprehensive security policy accomplishes several tasks:

* It demonstrates an organization’s commitment to security.
* It sets the rules for expected behavior.
* It ensures consistency in system operations, and software and hardware
acquisition use and maintenance.
* It defines the legal consequences of violations.
* It gives security staff the backing of management.
Security policies inform users, staff and managers of the organization’s
requirements, which protect technology and information assets. A security policy
also specifies the mechanisms needed to meet security requirements.
Select the image to find out what a security policy typically includes.
(- Identification and authentication policies: Specify authorized persons that can
have access to network resources and outlines verification procedures for said
users.
- Password policies: Ensure passwords meet minimum requirements and are changed
regularly.
- Acceptable use policies: Identify network resources and usage that are acceptable
to the organization. It may also identify ramifications for policy violations.
- Remote access policies: Identify how remote users can access a network and what
is remotely accessible.
- Network maintenance policies: Specify network device operating systems and end-
user application update procedures.
- Incident handling policies: Describe how security incidents are to be handled.)
One of the most common security policy components is an acceptable use policy
(AUP). This component defines what users can and cannot do on the various system
components. The AUP should be as explicit as possible, to avoid misunderstandings.
For example, an AUP lists specific websites, newsgroups or bandwidth-intensive
applications that users cannot access using the organization’s computers or while
on the organization’s network.
2.3.4 Standards:
Standards help IT staff maintain consistency in operating the network.

(* Standards documents provide the technologies that specific users or programs
need in addition to any program requirements or criteria that an organization must
follow. This helps IT staff improve efficiency and simplicity in design,
maintenance and troubleshooting.
* One of the most important security principles is consistency. For this reason, it
is necessary for organizations to establish standards. Each organization develops
standards that support its unique operating environment.
* An example of a standard would be an organization’s password policy. For
instance, the standard could stipulate that passwords require a minimum of eight
uppercase and lowercase alphanumeric characters, including at least one special
character. Or, that user must change their password every 30 days with password
history kept for the 12 most recent passwords, preventing anyone from reusing the
same within the same year.)
2.3.5 Apply Your Knowledge

@Apollo would like some ideas on how to better embed a cybersecurity culture within
its growing organization. Remember, the company now has multiple offices and
homeworkers. What would you recommend? Type your ideas in the box below, then
Submit. Select Show answer to check your response.
Changes saved. These ideas are a good start:

- Establishing policies and procedures, and having management circulate them to all
employees.
- Cybersecurity awareness days at all sites and online — attended by homeworkers as
well as office-based staff.
- Banners and signage to increase overall cybersecurity awareness. This could be a
combination of physical and digital promotion, such as posters or notifications on
@Apollo’s intranet.
- Frequent cybersecurity workshops and seminars help to increase awareness.
2.3.6 Guidelines:
Guidelines are a list of suggestions on how to do things more efficiently and
securely. They are similar to standards but are more flexible and are not usually
mandatory. Guidelines define how standards are developed and guarantee adherence to
general security policies. Some of the most helpful guidelines make up an
organization’s best practices. In addition to an organization’s defined best
practices, guidelines are also available from the following:
- National Institute of Standards and Technology (NIST) Computer Security Resource
Center.
- National Security Agency (NSA) Security Configuration Guides.
- The Common Criteria standard.
Using the password policy example, a guideline can be a suggestion that the user
takes a phrase that is memorable to them, like ‘I have a dream,’ and converts it to
a strong password by replacing letters with characters, e.g. Ihv@dr3@m. The user
can create other passwords from the same phrase by changing the number, moving the
symbol or changing the punctuation mark.
2.3.7 Procedures:
Procedure documents are longer and more detailed than standards and guidelines.
They include implementation details that usually contain step-by-step instructions
and graphics. Large organizations must use procedure documents to maintain the
consistency of deployment that is necessary for a secure environment. Following
@Apollo’s improved effort to embed a cybersecurity culture across the organization,
you need to set up some guidelines that employees can follow to change their
passwords.
Organize these stages into the correct order, then Submit.

+ Press Ctrl-Alt-Del to bring up the log-in dialog box
+ Click the ‘change password’ button
+ Enter your current password in the top box
+ Enter your new password where indicated
+ Re-enter your new password for verification
That’s right, well done! As @Apollo grows into a larger organization, procedure
documents should be provided for employees to maintain consistency and ensure best
practices are followed in processes such as this.
Next Up... You should now have a good understanding of countermeasures that
organizations can use to help tackle cybercrime. We can now move on to look at the
different types of access control, and how these can provide protection for
organizations looking to secure their data.
2.4 Access Controls
There are many different types of access controls. In this topic, we will explore
examples of physical, logical and administrative controls before taking a close
look at how access is controlled via ‘AAA’ – authorization, authentication and
accounting. You’ll need to have a good understanding of these areas to advise
@Apollo and other organizations on how to keep their data safe! Scroll down to get
started.
2.4.1 Physical Access Controls:

Physical access controls are actual barriers deployed to prevent direct physical
contact with systems. The goal is to prevent unauthorized users from gaining
physical access to facilities, equipment and other organizational assets. For
example, physical access control determines who can enter (or exit), where they can
enter (or exit) and when they can enter (or exit).
Here are some examples of physical access controls:

+ Guards to monitor the facility.
+ Fences to protect the perimeter.
+ Motion detectors to detect moving objects.
+ Laptop locks to safeguard portable equipment.
+ Locked doors to prevent unauthorized access.
+ Swipe cards to allow access to restricted areas.
+ Guard dogs to protect the facility.
+ Video cameras to monitor a facility by collecting and recording images.
+ Mantrap-style entry systems to stagger the flow of people into the secured area
and trap any unwanted visitors.
+ Alarms to detect intrusion.
2.4.2 Logical Access Controls

Logical access controls are the hardware and software solutions used to manage
access to resources and systems. These technology-based solutions include tools and
protocols that computer systems use for identification, authentication,
authorization and accountability.
Logical access control examples include:

+ Encryption is the process of taking plaintext and creating ciphertext.
+ Smart cards have an embedded microchip.
+ Passwords are protected strings of characters.
+ Biometrics are users’ physical characteristics.
+ Access control lists (ACLs) define the type of traffic allowed on a network.
+ Protocols are sets of rules that govern the exchange of data between devices.
+ Firewalls prevent unwanted network traffic.
+ Routers connect at least two networks.
+ Intrusion detection systems monitor a network for suspicious activities.
+ Clipping levels are certain allowed thresholds for errors before triggering a red
flag.
2.4.3 Administrative Access Controls

Administrative access controls are the policies and procedures defined by
organizations to implement and enforce all aspects of controlling unauthorized
access. Administrative controls focus on personnel and business practices.
Select the image for examples of administrative controls. (imagen 2.4.3.a)

(* Policies are statements of intent.
* Procedures are the detailed steps required to perform an activity.
* Hiring practices define the steps an organization takes to find qualified
employees.
* Background checks are a type of employee screening that includes information of
past employment verification, credit history and criminal history.
* Data classification categorizes data based on its sensitivity.
* Security training educates employees about the security policies at an
organization.
* Reviews evaluate an employee’s job performance.)
2.4.4 Administrative Access Controls in Detail:

Let’s look into administrative access controls, also called AAA, in more detail.
The concept of administrative access controls involves three security services:
authentication, authorization and accounting. These services provide the primary
framework to control access, preventing unauthorized access to a computer, network,
database or other data resource.

(* Authentication: The first A in AAA represents authentication. Authentication
verifies the identity of each user, to prevent unauthorized access. Users prove
their identity with a username or ID. In addition, users need to verify their
identity by providing one of the following:
- Something they know (such as a password).
- Something they have (such as a token or card).
- Something they are (such a fingerprint).
(Se explican en 2.4.7 - Authentication Methods)
In the case of two factor authentication, which is increasingly becoming the norm,
the system requires a combination of two of the above rather than just one to
verify someone’s identity.
* Authorization: Authorization services determine which resources users can access,
along with the operations that users can perform. Some systems accomplish this by
using an access control list, or an ACL. An ACL determines whether a user has
certain access privileges once the user authenticates. Just because you can log
onto the corporate network does not mean that you have permission to use the high-
speed color printer, for example. Authorization can also control when a user has
access to a specific resource. For example, employees may have access to a sales
database during work hours, but the system locks them out afterhours.
* Accounting: Not related to financial accounting, accounting in AAA keeps track of
what users do — including what they access, the amount of time they access
resources, and any changes they make. For example, a bank keeps track of each
customer account. An audit of that system can reveal the time and amount of all
transactions and the employee or system that executed the transactions.
Cybersecurity accounting services work the same way. The system tracks each data
transaction and provides auditing results. System administrators can set up
computer policies to enable system auditing. The concept of AAA is like using a
credit card. The credit card identifies who can use it, how much that user can
spend and accounts for items or services the user purchased. Cybersecurity
accounting tracks and monitors in real time.)
2.4.5 What Is Identification?

Identification enforces the rules established by the authorization policy. Every
time access to a resource is requested, the access controls determine whether to
grant or deny access. A unique identifier ensures the proper association between
allowed activities and subjects. A username is the most common method used to
identify a user. A username can be an alphanumeric combination, a personal
identification number (PIN), a smart card or biometric — such as a fingerprint,
retina scan or voice recognition. A unique identifier ensures that a system can
identify each user individually, therefore allowing an authorized user to perform
the appropriate actions on a particular resource.
Cybersecurity policies and the sensitivity of the information or systems determine

which identification controls should be used and how stringent they should be. As
@Apollo has experienced, increases in data breaches are forcing many organizations
to strengthen their identification controls.
2.4.6 Federated Identity Management:

Federated identity management refers to multiple enterprises that let their users
use the same identification credentials to gain access to the networks of all
enterprises in the group. Unfortunately, this broadens the scope and increases the
probability of a cascading effect should an attack occur. Generally speaking, a
federated identity links a subject’s electronic identity across separate identity
management systems, such as being able to access several websites using the same
social login credentials. The goal of federated identity management is to share
identity information automatically across castle boundaries. From the individual
user’s perspective, this means a single sign-on to the web. It is imperative that
organizations scrutinize the identifying information shared with partners, even
within the same corporate group, for example. The sharing of social security
numbers, names and addresses may allow identity thieves the opportunity to steal
this information from a partner to perpetrate fraud. The most common way to protect
federated identity is to tie login ability to an authorized device.
2.4.7 Authentication Methods:

As we mentioned earlier, users prove their identity with a username or ID. In
addition, users need to verify their identity by providing one of the following.
Select the headings for information about authentication methods.

(* What you know: Passwords, passphrases or PINs are all examples of something that
the user knows. Passwords are the most popular method used for authentication. The
terms passphrase, passcode, passkey and PIN are all generically referred to as
password. A password is a string of characters used to prove a user’s identity. If
this string of characters relates back to a user (for instance, if it is their
name, birthdate or address), it will be easier for cybercriminals to guess this
user’s password. Several publications recommend that a password be at least eight
characters. Users should not create a password that is so long that it is difficult
to memorize, or conversely, so short that it becomes vulnerable to password
cracking. Passwords should contain a combination of upper and lowercase letters,
numbers, and special characters. Users need to use different passwords for
different systems because if a criminal cracks the user’s password once, the
criminal will have access to all of the user’s accounts. A password manager can
help you create and use strong passwords — and means that you do not have to
remember each of these passwords, either.
* What you have: Smart cards and security key fobs are both examples of something
that users have in their possession that can be used for authentication purposes. A
smart card is a small plastic card, about the size of a credit card, with a small
chip embedded in it. The chip is an intelligent data carrier, capable of
processing, storing and safeguarding data. Smart cards contain private information,
such as bank account numbers, personal identification, medical records and digital
signatures, using encryption to keep data safe while providing a means to
authenticate. A security key fob is a device that is small enough to attach to a
keyring. In most cases, security key fobs are used for two factor authentication
(2FA), which is much more secure than a username and password combination. For
example, let’s say you want to access your e-banking, which uses two factor
authentication. First, you enter your username (identification). Then, the
password, which is your first authentication factor. Then, you need a second one,
because it's 2FA. You enter a PIN or card to your security fob, and it displays a
number. Proving that you have access to this device, which was issued to you, this
number is the second factor, which you then enter to log in to the e-banking
account, in this example.
* Who you are: Unique physical characteristics, such as a fingerprint, retina or
voice, which identify a specific person are called biometrics. Biometric security
compares physical characteristics against stored profiles to authenticate users. In
this case, a profile is a data file containing known characteristics of an
individual. The system grants the user access if their characteristics match saved
settings. A fingerprint reader is a common biometric device.
There are two types of biometric identifiers:
- Physiological characteristics — fingerprints, DNA, face, hands, the retina or ear
features.
- Behavioral characteristics — patterns of behavior such as gestures, voice, gait
or typing rhythm.
Biometrics is becoming increasingly popular in public security systems, consumer
electronics and point-of-sale applications. Implementing biometrics involves a
reader or scanning device, software that converts the scanned information into
digital form and a database that has biometric data stored for comparison.)
2.4.8 Multi-Factor Authentication:

As we’ve touched upon earlier, multi-factor authentication uses at least two
methods of verification — such as a password and something you have, for example, a
security key fob. This can be taken a step further by adding something you are,
such as a fingerprint scan. Multi-factor authentication can reduce the incidence of
online identity theft because it means knowing a password will not give
cybercriminals access to a user’s account. For example, an online banking website
might require a password and a one-off PIN that the user receives on his or her
smartphone. In this case, your first factor is your password, and your second
factor the temporary PIN, because it proves you have access to what is registered
as your phone. Withdrawing cash from an ATM is another, simple example of multi-
factor authentication as the user must have the bank card as well as know the PIN
before the ATM will dispense cash. Note that two factor authentication (2FA) is a
method of multi-factor authentication that entails two factors in particular, but
the two terms are often used interchangeably.
2.4.9 Knowledge Check:

Oh dear! There’s been another incident at @Apollo. A member of the accounting team
left their security key fob on the train on their way to work. The cybersecurity
team is keen to ensure this won’t lead to a security breach if it happened again.
Now is a great chance to put your knowledge into action.
Advise @Apollo by selecting the most suitable multi-factor authentication

combination to prevent such a security breach from the list below. (Fingerprint,
PIN and security fob)
That’s right, well done. This would be the most secure authentication combination
because each of the security requirements requires a different method of
authentication — something you know (PIN), something you have (security fob) and
who you are (fingerprint). Using this security approach would protect @Apollo
better, even in the case of a lost security key fob.
2.4.10 Authorization:
Authorization controls what a user can and cannot do on the network after
successful authentication. After a user proves their identity, the system checks to
see what network resources the user can access and what they can do with the
resources.
Select the pin icons for more information.

(+ When to implement authorization: Authorization uses a set of attributes that
describes the user’s access to the network, to answer the question, ‘What read,
copy, edit, create and delete privileges does this user have?’ The system compares
these attributes to the information contained within the authentication database,
determines a set of restrictions for that user, and delivers it to the local device
where the user is connected. Authorization is automatic and does not require users
to perform additional steps after authentication. System administrators have set
the network up to implement authorization immediately after the user authenticates.
+ Using authorization: Defining authorization rules is the first step in
controlling access. An authorization policy establishes these rules. A group
membership policy defines authorization based on users’ membership in a specific
group. All employees of an organization may have a swipe card, for example, which
provides access to the premises, but it might not allow access to a server room. It
may be that only senior-level employees and IT team members may access the server
room with their swipe cards. An authority-level policy defines access permissions
based on an employee’s position within the organization.)
2.4.11 Configure Access Control:

In this Packet Tracer, you will learn how to: Configure and use AAA authentication
credentials. Configure and use WiFi services. Configure and use email services.
Configure and use FTP services.
2.4.11 Packet Tracer - Configure Access Control.pka file and the 2.4.11 Packet
Tracer - Configure Access Control - Answer Key.pdf for instructions.
2.4.12 Implementing Accountability:

Select the arrows to find out about the third administrative access control, which
is accountability.
(* What is accountability? Accountability traces an action back to a person or

process making this change to a system. Accountability then collects this
information and reports the usage data. The organization can use this data for such
purposes as auditing or billing. The collected data might include the log-in time
for a user, whether the user login was a success or failure, or what network
resources the user accessed. This allows an organization to trace actions, errors
and mistakes during an audit or investigation.
* Implementing accountability: Implementing accountability consists of
technologies, policies, procedures and education. Log files provide detailed
information based on the parameters chosen. For example, an organization may look
at the log for login failures and successes. Login failures can indicate that a
criminal tried to hack an account, and login successes tell an organization which
users are using what resources and when. The organization’s policies and procedures
spell out what actions should be recorded and how the log files are generated,
reviewed and stored.
* Providing accountability: Data retention, media disposal and compliance
requirements all provide accountability. Many laws require the implementation of
measures to secure different data types. These laws guide an organization on the
right way to handle, store and dispose of data. The education and awareness of an
organization’s policies, procedures and related laws can also contribute to
accountability.)
2.4.13 Configure Authentication and Authorization in Linux:

In this Lab, you will learn how to: Add a new group for users. Add users to the new
group. Switch users and modify permissions. Modify permissions in absolute mode.
Now, get a real-world, hands-on experience by following the instructions in the
manual and practicing this activity on your own laptop or desktop computer.
Download the 2.4.13 Lab - Configure Authentication and Authorization in Linux -
Answer Key.pdf for instructions.
Next Up... That wraps up our fourth topic on access controls, the AAA concepts and
how to implement them effectively. Next, we’ll move on to look at cryptology, a way
to store and transmit data so that only the intended recipient can read or process
it. It’s important for any cybersecurity professional to know how to deal with a
cryptographic attack.
2.5 Cryptography
Cryptography is the science of making and breaking secret codes. By storing and
transmitting encrypted data, so only the intended recipient can read or process it,
protection is given to organizational data. For organizations such as @Apollo, this
means we can ensure unauthorized people cannot easily read our sensitive
information. But what happens if a cybercriminal tries to break an encryption
algorithm? How secure can this really be? Scroll down to find out.
2.5.1 What Is Cryptography?

Let’s get started with an overview of cryptography.
Select the headings for more information.

(* How it works: Modern cryptography uses secure algorithms to make sure that
cybercriminals and other bad actors cannot easily compromise protected information.
It results in data confidentiality to ensure privacy so that only the intended
receiver can read the message. Encryption is the process of scrambling data so that
unauthorized people cannot easily read it. When enabling encryption, readable data
is called plaintext, while the encrypted version is encrypted text or ciphertext.
Encryption converts the plaintext readable message to ciphertext, which is the
unreadable, disguised message. Decryption reverses the process. Encryption requires
a key, which plays a critical role in encrypting and decrypting a message. The
person possessing the key can decrypt the ciphertext to plaintext.
* Where it started: Various encryption algorithms and methods have been used
throughout human history. Julius Caesar is said to have secured messages by putting
two sets of the alphabet side by side, and then shifting one of them by a specific
number of places. In this case, the number of places in the shift serves as the
key. He converted plaintext into ciphertext using this key, and only his generals,
who also had the key, knew how to decipher the messages. This method is the Caesar
cipher. Over the centuries, various cipher methods, physical devices and aids have
encrypted and decrypted text. Examples include the scytale cipher, Vigenère Cipher,
and enigma machine.
* Cipher methods: Old encryption algorithms, such as the Caesar cipher or the
enigma machine, depended on keeping the algorithm secret to achieve confidentiality
and efficiency. With modern technology, where reverse engineering is often simple,
parties use public-domain algorithms. All cipher methods use a key to encrypt or
decrypt a message — and the security of encryption lies in the secrecy of the keys,
not the algorithm. An encryption algorithm is therefore only as good as the key
used. The more complexity involved, the more secure the algorithm. Key management
is an important piece in the process. Some modern encryption algorithms still use
transposition as part of the algorithm.)
2.5.2 Creating Ciphertext: (imagen 2.5.2.a.gif)

Key management is the most difficult part of designing a cryptographic system. Many
cryptosystems have failed because of mistakes in their key management, and all
modern cryptographic algorithms require key management procedures. In practice,
most attacks on cryptographic systems involve attacking the key management system,
rather than the cryptographic algorithm itself. Each encryption method uses a
specific algorithm called a cipher to encrypt and decrypt messages. A cipher is a
series of well-defined steps used to encrypt and decrypt messages. There are
several methods of creating ciphertext.
Start with the plaintext — the phrase you want to encrypt.

- Transposition — the letters are rearranged.
- Substitution — letters are replaced.
- One-time pad — plaintext combined with a secret key creates a new character,
which then combines with the plaintext to produce ciphertext.
2.5.3 Types of Cryptography:

Today, the most common types of cryptography use block ciphers and stream ciphers.
Each method differs in the way that it groups bits of data to encrypt it.
Select the arrows for more information.

(* Block ciphers (imagen 2.5.3.a) transform a fixed-length block of plaintext into
a common block of ciphertext of 64 or 128 bits. Block size is the amount of data
encrypted at any one time. To decrypt this ciphertext, we apply the reverse
transformation to the ciphertext block, using the same secret key. Block ciphers
usually result in output data that is larger than the input data, because the
ciphertext must be a multiple of the block size. For example, Data Encryption
Standard (DES) is a symmetric algorithm that encrypts blocks in 64-bit chunks using
a 56-bit key. To accomplish this, the block algorithm takes data one chunk at a
time — for example, 8 bytes per chunk — until the entire block is full. If there is
less input data than one full block, the algorithm adds artificial data, or blanks,
until it uses the full 64 bits.
* Stream ciphers (imagen 2.5.3.b) encrypt plaintext one byte or one bit at a time.
Think of stream ciphers as a block cipher with a block size of one bit. With a
stream cipher, the transformation of these smaller plaintext units varies,
depending on when they are encountered during the encryption process. Stream
ciphers can be much faster than block ciphers, and generally do not increase the
size of the message being encrypted, because they can encrypt an arbitrary number
of bits. For instance, A5 is a stream cipher that provides voice privacy and
encrypts cell phone communications. It is also possible to use DES in stream cipher
mode. Complex cryptographic systems can combine block and stream in the same
process.)
2.5.4 The Two Encryption Approaches:

There are two approaches to ensuring the security of data when using encryption.
The first is to protect the algorithm. If the security of an encryption system
depends on the secrecy of the algorithm itself, the most important protection is to
guard the algorithm at all costs. Every time someone found out the details of the
algorithm, every party involved would need to change the algorithm. That approach
does not sound very secure or manageable. The second approach is to protect the
keys. In modern cryptography, the algorithms are public. It is the cryptographic
keys that ensure the secrecy of the data. Cryptographic keys are passwords that are
input into an encryption algorithm, along with the plaintext data requiring
encryption.
There are two classes of encryption algorithms. Select each one to find out more.
(- Symmetric encryption: These algorithms use the same pre-shared key, sometimes
called a secret key pair, to encrypt and decrypt data. Both the sender and receiver
know the pre-shared key before any encrypted communication begins. Symmetric
algorithms use the same key to encrypt and decrypt the plaintext on both ends of
the process. Encryption algorithms that use a common key are simpler and need less
computational power.
- Asymmetric encryption: Asymmetric encryption algorithms use one key to encrypt
data and a different key to decrypt data. One key is public and the other is
private. In a public-key encryption system, any person can encrypt a message using
the public key of the receiver, and the receiver is the only one that can decrypt
it using their private key. Parties exchange secure messages without needing a pre-
shared key. Asymmetric algorithms are more complex, resource intensive and slower
to execute.)
It’s really important that you understand the two classes of encryption algorithms,
so let’s explore these in more depth.
2.5.5 The Symmetric Encryption Process:

Symmetric algorithms use the same pre-shared key to encrypt and decrypt data, a
method also known as private key encryption. For example, such an algorithm can be
used when an employee at @Apollo is working at home and wants to exchange a
confidential message with her HR Manager via postal mail. Private key encryption
uses a symmetric algorithm, as illustrated by the keys in the image below. (imagen
2.5.5.a)
Both the employee and the HR Manager have identical keys to a single padlock. This
key exchange happened prior to sending any secret messages. The employee writes a
secret message and puts it in a small box that she locks using the padlock. She
mails the box to the HR Manager. The message is safe inside the box as the box
makes its way through the post office system. When the HR Manager receives the box,
he uses his key to unlock the padlock and retrieve the message. The HR Manager can
use the same box and padlock to send a secret reply back to the employee, and so
on. If the HR Manager wanted to talk to a different colleague, they would need a
new pre-shared key for that communication, to keep it secret from everyone else,
including the employee who sent that first message. The more people the HR Manager
wants to communicate with securely, the more keys he will need to manage.
2.5.6 Symmetric Encryption Algorithms:

Numerous encryption systems use symmetric encryption. Below are some of the common
encryption standards that use symmetric encryption.

(* 3DES (triple DES): Digital Encryption Standard (DES) is a symmetric block cipher
with 64-bit block size that uses a 56-bit key. It takes a 64-bit block of plaintext
as input and outputs a 64-bit block of ciphertext. It always operates on blocks of
equal size and it uses both permutations and substitutions in the algorithm. A
permutation is a way of arranging all elements of a set. Triple DES encrypts data
three times and uses a different key for at least one of the three passes, giving
it a cumulative key size of 112 to 168 bits. 3DES is more resistant to attack, but
it is much slower than DES.
The 3DES encryption cycle is as follows:
1. Data encrypted by first DES.
2. Data decrypted by second DES.
3. Data re-encrypted by third DES.
The reverse process decrypts the ciphertext.
* IDEA: The International Data Encryption Algorithm (IDEA) uses 64-bit blocks and
128-bit keys. IDEA performs eight rounds of transformations on each of the 16
blocks that results from dividing each 64-bit block. IDEA was the replacement for
DES, and now PGP (Pretty Good Privacy) uses it. PGP is an encryption program that
provides privacy and authentication in data communication. GNU Privacy Guard
(GnuPG) is a licensed, free version of PGP.
* AES: The Advanced Encryption Standard (AES) has a fixed block size of 128 bits
with a key size of 128, 192, or 256 bits. The National Institute of Standards and
Technology (NIST) approved the AES algorithm in December 2001. The U.S. government
uses AES to protect classified information. AES is a strong algorithm that uses
longer key lengths. AES is faster than DES and 3DES, so it provides both a solution
for software applications as well as hardware use in firewalls and routers.
Other block ciphers include Skipjack (developed by the NSA), Blowfish and Twofish.)
2.5.7 Asymmetric Encryption Process:

Also called public key encryption, asymmetric encryption uses one key for
encryption that is different from the key used for decryption. A criminal cannot
calculate the decryption key based on knowledge of the encryption key, and vice
versa, in any reasonable amount of time.
Let’s consider the following scenario. Select the arrows.

(+ Two employees at @Apollo, Bob and Alice, exchange a confidential message using
public key encryption. They use an asymmetric algorithm. With this exchange, Bob
and Alice do not exchange keys prior to sending secret messages. Instead, they each
have a separate padlock with separate corresponding keys. For Alice to send a
secret message to Bob, she must first contact him and ask him to send his open
padlock to her. Bob sends the padlock but keeps his key. (imagen 2.5.7.a)
+ When Alice receives the padlock, she writes her secret message and puts it in a
small box. She also puts her open padlock in the box but keeps her key. She then
locks the box with Bob’s padlock. When Alice locks the box, she is no longer able
to get inside because she does not have a key to that padlock. (imagen 2.5.7.b)
+ Alice mails the box to Bob and, as the box travels through the mail system, no
one can open it. When Bob receives the box, he can use his key to unlock the box
and retrieve the message from Alice. To send a secure reply, Bob puts his secret
message in the box, along with his open padlock, and locks the box using Alice’s
padlock. Bob mails the secured box back to Alice. (imagen 2.5.7.c)
2.5.8 Asymmetric Encryption Algorithms:

Asymmetric algorithms use formulas that anyone can look up. The pair of unrelated
keys is what makes these algorithms secure.
Select the headings to find out about some asymmetric algorithms.

(- RSA (Rivest-Shamir-Adleman): Uses the product of two very large prime numbers
with an equal length of between 100 and 200 digits. Browsers use RSA to establish a
secure connection.
- Diffie-Hellman: Provides an electronic exchange method to share the secret key.
Secure protocols, such as Secure Sockets Layer (SSL), Transport Layer Security
(TLS), Secure Shell (SSH), and Internet Protocol Security (IPsec), use Diffie-
Hellman.
- ElGamal: ElGamal uses the U.S. government standard for digital signatures. This
algorithm is free for use because no one holds the patent.
- Elliptic curve cryptography (ECC): Uses elliptic curves as part of the algorithm.
In the U.S., the National Security Agency uses ECC for digital signature generation
and key exchange.)
2.5.9 Using Asymmetric Encryption:

OK, it’s now time to check your knowledge! Two more @Apollo employees, Jane and
Raj, need to send an encrypted message. They want to use asymmetric encryption but
have got stuck. Can you help?
Select the correct key to decrypt the message. (Raj's private key) (imagen 2.5.9.a)
(That’s right, well done. Jane uses Raj’s public key to encrypt the message, and
then once Raj received the encrypted message, he uses his private key to decrypt
the message.)
2.5.10 Key Management:

Key management includes the generation, exchange, storage, use and replacement of
keys used in an encryption algorithm. It is the most difficult part of designing a
cryptosystem. Many cryptosystems have failed because of mistakes in their key
management procedures. In practice, most attacks on cryptographic systems target
the key management level, rather than the cryptographic algorithm itself. There are
several essential characteristics of key management to consider.

(* Symmetric Encryption Algorithm:
- Best known as shared-secret key algorithms.
- The usual key length is 80 to 256 bits.
- A sender and a receiver must share a secret key.
- Algorithms are usually quite fast (wire speed) because they are based on simple
mathematical operations.
- Examples include DES, 3DES, AES, IDEA, RC2/4/5/6 and Blowfish.
* Asymmetric Encryption Algorithm:
- Best known as public key algorithms.
- The usual key length is 512 to 4096 bits.
- A sender and a receiver do not share a secret key.
- Algorithms are relatively slow because they are based on difficult computational
operations.
- Examples include RSA, EIGamal, elliptic curves and DH.)
Two terms used to describe keys are:

- Key length — Also called the key size, this is the length of the key in bits.
- Keyspace — This is the number of possibilities that a specific key length can
generate.
As key length increases, the keyspace increases exponentially. The keyspace of an
algorithm is the set of all possible key values. Longer keys are more secure;
however, they are also more resource intensive. Almost every algorithm has some
weak keys in its keyspace that can enable a criminal to break the encryption via a
shortcut.
2.5.11 Comparing Encryption Types

It is important to understand the differences between symmetric and asymmetric
encryption methods.
- Symmetric encryption systems are more efficient and can handle more data.
However, key management with symmetric encryption systems is more problematic and
harder to manage.
- Asymmetric cryptography is more efficient at protecting the confidentiality of
small amounts of data, and its size and speed make it more secure for tasks such as
electronic key exchange, which involves a small amount of data rather than
encrypting large blocks of data.
Maintaining confidentiality is important for both data at rest and data in motion.
In both cases, symmetric encryption is favored because of its speed and the
simplicity of the algorithm. Some asymmetric algorithms can significantly increase
the size of the object encrypted. Therefore, in the case of data in motion, public
key cryptography should be used to exchange the secret key, and then symmetric
cryptography to ensure the confidentiality of the data sent.
Let’s see if you can identify the encryption type from the descriptions. Select
symmetric or asymmetric from each of the dropdowns, then Submit.
There is a common key for encryption and decryption (Symmetric)
Faster and uses less processing resources (Symmetric)
Key management can be an issue as the number of users increases (Symmetric)
Uses Rivest-Shamir-Adleman (RSA) (Asymmetric)
Uses Digital Encryption Standard (DES) (Symmetric)
Used by applications like IKE, SSH, PGP and SSL (Asymmetric)
Typically requires a third party key management service (Asymmetric)
Use a public key to encrypt and private key to decrypt (Asymmetric)
Show feedback (That’s right, well done! Symmetric encryption systems are more
efficient and can handle more data. Asymmetric cryptography is more efficient at
protecting the confidentiality of small amounts of data.)
Next Up... You’ve now completed this section of your training on cryptography. You
should have a good understanding of the different types of encryption and how key
management is essential to protecting encrypted data. We’ll now move on to look at
a cryptographic hash function, also known as hashing.
2.6 Hashing
We know how important it is for data to remain unchanged while at rest or in

transit. Hashing is a tool that ensures data integrity by taking binary data — the
message — and producing a fixed-length representation called the hash value — or
message digest. Scroll down to find out more.
2.6.1 What Is Hashing?

Hash functions are one-way functions used to verify and ensure data integrity. A
hash tool can also verify authentication. It works by using a cryptographic hashing
function to replace clear text passwords or encryption keys. If a password is
hashed with a specific hashing algorithm, it will always result in the same hash
digest. It is considered one-way because with hash functions, it is computationally
infeasible for two different sets of data to come up with the same hash digest or
output. Every time the data changes, the hash value also changes. As a result,
cryptographic hash values are often called digital fingerprints. Hashing is very
efficient and guards against accidental or intentional changes to the data and
accidental data corruption.
2.6.2 Hashing Properties:

The one-way mathematical function of hashing is relatively easy to compute, but
significantly harder to reverse. Grinding coffee is a good analogy for one-way
functions: it is easy to grind coffee beans, but it is impossible to put all the
tiny pieces back together to rebuild the original beans. A cryptographic hash
function has the following properties:
- The input can be any length.
- The output has a fixed length.
- The hash function is one-way and is not reversible.
- Two different input values will almost never result in the same hash.
2.6.3 Hashing Algorithms:

Hash functions help to ensure that a user or communication error does not change
data accidentally. For instance, a sender may want to make sure that no one alters
a message on its way to the recipient. The sending device inputs the message into a
hashing algorithm and computes its fixed-length digest or fingerprint.

(* ASCII code – character to binary: (imagen 2.6.3.a) The 8-bit checksum is the
simplest form of a hash function. It calculates the hash by converting the message
into binary numbers.
* Simple hash algorithm: (imagen 2.6.3.b) The algorithm adds up the 8-bit values
and calculates the result using a process called 2’s complement. This process
transforms a binary to its opposite value — zero converts to one, and one converts
to zero. The final step of the process is to add 1 to produce an 8-bit checksum.)
2.6.4 Modern Hashing Algorithms:
There are many modern hashing algorithms widely used today. Two of the most popular
are MD5 and SHA.

(* Message digest 5 (MD5) algorithm: Ron Rivest developed the MD5 hashing algorithm
in 1992, and several Internet applications use it today. MD5 is a one-way function
that makes it easy to compute a hash from the given input data but makes it very
difficult to compute input data from a hash value. MD5 produces a 128-bit hash
value. However, the Flame malware compromised the security of MD5 in 2012. The
authors of the Flame malware used an MD5 collision to forge a Windows code-signing
certificate.
* Secure hash algorithm (SHA): The U.S. National Institute of Standards and
Technology (NIST) developed SHA, the algorithm specified in the Secure Hash
Standard (SHS). NIST published SHA-1 in 1994. SHA-2 replaced SHA-1 with four
additional hash functions to make up the SHA family: SHA-224 (224 bit). SHA-256
(256 bit).SHA-384 (384 bit). SHA-512 (512 bit). SHA-2 is a stronger algorithm, and
it is replacing MD5. SHA-256, SHA-384 and SHA-512 are the next-generation
algorithms.)
2.6.5 Hashing Files and Digital Media:

Integrity ensures that data and information is complete and unaltered at the time
of its acquisition. It is important for users to have confidence in this when
downloading a file from the Internet, or if a forensic examiner is looking for
evidence on digital media, and so on.

(+ To verify the integrity of all Cisco IOS images, Cisco provides MD5 and SHA
checksums at its Download Software portal. The user can make a comparison of this
MD5 digest against the MD5 digest of a Cisco IOS image installed on a device. The
user can now feel confident that no one has tampered with or modified the Cisco IOS
image file.
+ The field of digital forensics uses hashing to verify all digital media that
contains files. For example, the examiner creates a hash and a bit-for-bit copy of
the media containing the files to produce a digital clone. The examiner compares
the hash of the original media with the copy. If the two values match, the copies
are identical. The fact that one set of bits is identical to the original set of
bits establishes fixity. Fixity helps to answer several questions:
- Does the examiner have the files they expect?
- Is the data corrupted or changed?
- Can the examiner prove that the files are not corrupt?
- Now the forensics expert can examine the copy for any digital evidence while
leaving the original intact and untouched.)
2.6.6 @Apollo Needs Help!

John, an IT engineer at @Apollo, has sent an important data file to you. Malory was
able to capture the file before it reached you, and modified some records in the
file. However, John was clever enough to generate a cryptographic SHA-512 hash of
the original file before sending it. He shared the resulting hash value over a
secure trusted channel so that you can generate the SHA-512 hash value of the file
you received before using it. When you received the file, at first it looked fine
but then you compared the hashes and discovered that they do not match.
What does this indicate?

Select the correct answer, then Submit. (The data file has been tampered with and
should be dropped and not used)
Show feedback. (That’s right, well done. If the hashes do not match, it should be
assumed that the data file has been tampered with. So the file should not be used.
John decides to try sending you the file again, after hearing how the two hashes
did not match.)
2.6.7 Hashing Passwords: (imagen 2.6.7.a)

Hashing algorithms can turn any amount of data into a fixed-length fingerprint or
digital hash. Nobody can reverse a digital hash to discover the original input. If
the input changes at all, it results in a different hash. This works to protect
passwords. A system needs to store a password in a form that protects it and keeps
it away from prying eyes, while also being able to still verify that a user’s
password is correct. This diagram shows the workflow for user account registration
and authentication using a hash-based system. You can see that the system never
writes the user’s password to the hard drive, it only stores the digital hash. This
way, the password is truly only known to the user who set it.
2.6.8 Cracking Hashes:

associated text.
To crack a hash, an attacker must guess the password. The top two attacks used to
guess passwords are dictionary and brute-force attacks.
Select the images for more information.

(* A dictionary attack uses a file containing common words, phrases and passwords.
The file has the hashes of these common passwords calculated. A dictionary attack
compares the hashes in the file with the password hashes. If a hash matches, the
attacker will know a group of potentially good passwords used in this system.
* A brute-force attack attempts every possible combination of characters up to a
given length. A brute-force attack takes a lot of processor power and time. In
theory, it is just a matter of time before this method discovers the password.
Passwords need to be long enough to make the time it takes to execute a brute-force
attack too long to be worthwhile. Hashing passwords makes it more difficult for
criminals to retrieve these passwords using brute force.)
We’ve covered a lot of information in this topic, and you are doing a great job!
Let’s take another opportunity to check your understanding and keep you climbing
the ladder of success. Scroll down to get started.
2.6.9 Identifying Hashing Terminology:

Select the correct option from each of the dropdowns, then Submit.
The (input) for a hash can be any length.
The (output) of a hash has a fixed length.
The hash function is (one-way) and is not reversible.
The (MD5) algorithm produces a 128-bit hash value.
The (SHA) algorithm can produce hash values beyond 128 bits.
The fact that one set of bits is identical to the original set of bits establishes
(fixity)
A (dictionary) attack uses a file containing common words, phrases and passwords.
A (brute-force) attack attempts every possible combination of characters up to a
given length.
Show feedback. (That’s right! You have successfully matched each hashing term to
the explanations.)
2.6.10 Salting: (imagen 2.6.10.a)

Salting makes password hashing more secure. If two users have the same password,
they will also have the same password hashes. A salt, which is a random string of
characters, is an additional input added to the password before hashing. This
creates a different hash result even when the two passwords are identical, as shown
here. Then, the database stores both the hash and the salt. The same password
generates a different hash for different users, because the salt in each instance
is different. Meanwhile, the salt does not have to be secret since it is a random
number.
2.6.11 Implementing Salting:

associated text.
A cryptographically secure pseudo-random number generator (CSPRNG) is the best way
to generate salt. CSPRNGs generate a random number that has a high level of
randomness and is completely unpredictable, so it is cryptographically secure. The
following recommendations will help ensure successful implementation of salting:
- The salt needs to be unique for every user password.
- Never reuse a salt.
- The length of the salt should match the length of the hash function’s output.
- Always hash on the server, in a web application.
Using a technique called key stretching will also help to protect against attack.
Key stretching makes attempts to figure out passwords work very slowly. This makes
high-end attacker hardware that can attempt to crack billions of hashes per second
less effective.
Select the images to find out the steps a database application uses to store and
validate a salted password.
(* To store a password: Use CSPRNG to generate a long, random salt. Add the salt to
the beginning of the password. Hash it with SHA-256, a standard cryptographic hash
function. Save the salt and the hash in the user’s database record.
* To validate a password: Retrieve a user’s salt and hash from the database. Add
the salt to the password and hash it with the same hash function. Compare the hash
of the password just submitted by the user trying to log in to the one stored in
the database. If the hashes do not match, the password the user has just tried to
log in with is incorrect.)
2.6.12 Preventing Attacks:

Salting prevents an attacker from using a dictionary attack to try to guess
passwords. Salting also makes it impossible to use lookup tables and rainbow tables
to crack a hash.

(- Lookup tables: A lookup table stores the pre-computed hashes of passwords in a
password dictionary, along with the corresponding password. A lookup table is a
data structure that processes hundreds of hash lookups per second.
- Reverse lookup tables: This attack allows the cybercriminal to launch a
dictionary or brute-force attack on many hashes without the pre-computed lookup
table. The cybercriminal creates a lookup table that plots each password hash from
the breached account database to a list of users. The cybercriminal hashes each
password guess and uses the lookup table to get a list of users whose password
matched the cybercriminal’s guess. Since many users have the same password, the
attack works well.
- Rainbow tables: Rainbow tables sacrifice hash-cracking speed to make the lookup
tables smaller. A smaller table means that the table can store the solutions to
more hashes in the same amount of space.)
2.6.13 What Is an HMAC Operation?

The next step in preventing a cybercriminal from launching a dictionary or brute-
force attack on a hash is to add a secret key to the hash. Only the person who
knows the hash can validate a password. One way to do this is to include the secret
key in the hash using a hash algorithm called keyed-hash message authentication
code (HMAC or KHMAC).

(* HMAC Hashing Algorithm: (imagen 2.6.13.a) HMACs use an additional secret key as
input to the hash function. The use of HMAC goes a step further than just integrity
assurance, adding authentication. An HMAC uses a specific algorithm that combines a
cryptographic hash function with a secret key. Only the sender and the receiver
know the secret key, and the output of the hash function now depends on the input
data and the secret key. Only parties who have access to that secret key can
compute the digest of an HMAC function. This defeats man-in-the-middle attacks and
provides authentication of the data origin.
* Creating the HMAC value: (imagen 2.6.13.b) Consider an example where a sender
wants to ensure that a message remains unchanged in transit and wants to provide a
way for the receiver to authenticate the origin of the message. The sending device
inputs data and the secret key into the hashing algorithm and calculates the fixed-
length HMAC digest or fingerprint. The receiver gets the authenticated fingerprint
attached to the message.
* Verifying the HMAC value:(imagen 2.6.13.c) The receiving device removes the
fingerprint from the message and uses the plaintext message with its secret key as
input to the same hashing function. If the receiving device calculates a
fingerprint equal to the fingerprint sent, the message is still in its original
form. Additionally, the receiver knows the origin of the message because only the
sender possesses a copy of the shared secret key. The HMAC function has just proved
the authenticity of the message.
Next Up... We’ve reached the end of our topic on hashing. You should now have a
clear understanding of how organizations such as @Apollo can prevent attacks on
passwords using hashing algorithms. As a fully trained cybersecurity expert, you’ll
need to give advice to your clients and implement such methods yourself, so good
knowledge and understanding are key! We’ll now move on to the topic of obscuring
data.
2.7 Data Obscuring
Great work — you’ve reached the final section of this level of your training! Here,
we will explore the techniques of data masking and steganography, which are methods
used to obscure or conceal data. It’s important that you know about these so that
you can pass on your knowledge to @Apollo. Scroll down to get started.
2.7.1 Data Masking Techniques:

Data masking technology secures data by replacing sensitive information with non-
sensitive versions of it. The non-sensitive version looks and acts like the
original so that an organizational process can use non-sensitive data with no
change needed to the supporting applications or data storage facilities. Masking
most commonly limits the propagation of sensitive data within IT systems by
distributing surrogate data sets for testing and analysis. Information can be
dynamically masked on the spot if the system or application detects a risky user
request for sensitive information. Data masking can replace sensitive data in non-
production environments to protect the underlying information. Several data masking
techniques can be used. All of the below methods ensure that data remains
meaningful but changed enough to protect it.
- Substitution replaces data with authentic-looking values to apply anonymity to
the data records
- Shuffling derives a substitution set from the same column of data that a user
wants to mask. This technique works well for financial information in a test
database, for example.
- Nulling out applies a null value to a particular field, which completely prevents
visibility of the data.
2.7.2 Steganography:
Steganography conceals data — e.g. a message — in another file such as a graphic,
audio or video file. The advantage of steganography over cryptography is that the
secret message does not attract any special attention. No one would ever know that
a picture contained a secret message if they just viewed the file either
electronically or in hard copy form. There are several components involved in
hiding data. First, there is the embedded data, which is the secret message. The
cover-text (or cover-image or cover-audio) hides the embedded data producing the
stego text (or stego image or stego audio). A stego key controls the hiding
process.

(* Steganography techniques: The approach used to embed data in a cover-image is
using least significant bits (LSB). This method uses bits of each pixel in the
image. A pixel is the basic unit of programmable color in a computer image. The
specific color of each pixel is a blend of three colors; red, green and blue (RGB).
Three bytes of data specify a pixel’s color (one byte for each color). Eight bits
make up a byte so a 24-bit color system uses all three bytes. LSB uses a bit of
each of the red, green and blue color components. Each pixel can store three bits.
This image shows three pixels of a 24-bit color image. One of the letters in the
secret message is the letter T, and inserting the character T changes only two bits
of the color. The human eye cannot recognize the changes made to the least
significant bits, so the result is a hidden character. On average, no more than
half of the bits in an image will need to change to hide a secret message
effectively. (imagen 2.7.2.a)
* Social steganography: Social steganography hides information in plain sight by
creating output that can be read a certain way by some to get the secret message,
based on previously set rules and/or definitions. As a result, those who view it in
a normal way will not see the message. Teens on social media use this tactic to
communicate with their closest friends while keeping others, like their parents,
unaware of what the message means. For example, the phrase ‘going to the movies’
might mean 'going to the beach.’ Individuals in countries that censor media also
use social steganography to get their messages out by misspelling words on purpose
or making obscure references that mean something to those in the know. In effect,
they communicate to different audiences simultaneously, sending out two different
messages: the apparent message and the secret message.
* Detection: Steganalysis follows the discovery that hidden information exists. The
goal of steganalysis is to discover this hidden information. Patterns in the stego
image create suspicion. For example, a disk may have unused yet reserved areas,
which are reserved because they hide information. Disk analysis utilities can
report on hidden information in unused clusters of storage devices. Filters can
capture data packets that contain hidden information in packet headers. Both of
these methods use steganography signatures. By comparing an original image with the
stego image, an analyst may pick up repetitive patterns visually.)
2.7.3 Use Steganography to Hide Data:

In this Lab you will learn how to use steganography to hide a document within a
JPEG file.
practicing this activity on your own laptop or desktop computer.
Download the 2.7.3 Lab - Use Steganography to Hide Data - Answer Key.pdf for
instructions.
Summary
That completes the overview of data obscuring techniques and how they can be
beneficial. Phew, you’re almost at the end of this module. But before you go, let’s
check you are ready to move on to the next level of your training with a short
quiz.
2.8 Quiz (100).

3. System and Network Defense
3.1 Defending Systems and Devices:

What does an organization need to do to harden an operating system and keep it
secure?
Select the arrows to find out.
(- A good administrator: A good administrator will configure the operating system
to protect against outside threats. That means removing any unnecessary programs
and services, and making sure that security patches and updates are installed in a
timely manner to correct faults and mitigate risks.
- A systematic approach: It’s important to have a systematic approach in place for
addressing system updates. An organization should:
+ Establish procedures for monitoring security-related information.
+ Evaluate updates for applicability.
+ Plan the installation of application updates and patches.
+ Install updates using a documented plan.
- A baseline: Another critical way to secure an operating system is to identify
potential vulnerabilities. To do this, establish a baseline to compare how a system
is performing against baseline expectations.)
3.1.2 Do You Know Your Stuff?

Matching. Select from lists and then submit.
Malware includes viruses, worms, Trojan horses, keyloggers, spyware and adware.
They invade privacy, steal information, damage the system or delete and corrupt
data. It’s important to protect devices using reputable antimalware software.
You’ve been asked to identify the types of antimalware programs that @Apollo can
use to help secure its systems and devices. Can you identify what type of
protection is being described? Select an option from each of the dropdowns, then
Submit.
Looks for programs that display unwanted advertising in popup boxes (Adware
protection)
Warns the user about unsafe programs or websites (Trusted/untrusted sources
verification)
Blocks the IP addresses of known phishing websites and warns the user about
suspicious emails (Phishing protection)
Monitors for viruses. Warns the user when a virus is detected and quarantines or
deletes it (Antivirus protection)
Scans for keyloggers, a program that records keystrokes to steal passwords and
other confidential information, and other spyware (Spyware protection)
Show feedback
(That’s right.
- Antivirus protection monitors for viruses. When it detects a virus, the program
warns the user and quarantines or deletes the virus.
- Adware protection looks for programs that display unwanted advertising in popup
boxes and blocks suspicious adware.
- Phishing protection blocks the IP addresses of known phishing websites and warns
the user about suspicious sites.
- Spyware protection scans for keyloggers (a program that records keystrokes to
access passwords and other confidential information) and other spyware.
- Trusted/untrusted sources verification warns the user about unsafe programs or
websites.
You may need different programs and multiple scans to remove all malicious software
completely. But only one program should be run at a time.)
3.1.3 Points to Remember:

You’ve identified types of antimalware that @Apollo can use to protect devices but
there’s more to learn. Let’s go through some important points to remember about
antimalware.
Select each heading below for some advice.
(* Watch out for rogue antivirus products: Be cautious of malicious rogue antivirus
products that appear while browsing the Internet. Most of these display an ad or
popup that looks like an actual Windows warning. They warn that malware is
infecting the computer and prompt the user to clean it. But they do not come from
legitimate sources, and clicking anywhere inside the window may download and
install malware instead.
* Fileless attacks are difficult to detect and remove: Fileless malware uses
legitimate programs to infect a computer. Going straight into memory, this type of
malware doesn’t rely on files, so it leaves no footprint. A fileless attack ends
when the system is rebooted. Fileless viruses use scripting languages such as
Windows PowerShell and are hard to detect.
* Scripts can also be malware: Scripting languages such as Python, Bash (the
command-line language for Apple’s macOS and most Linux distributions) or Visual
Basic for Applications (or VBA, used in Microsoft macros) can be used to create
scripts that are malware.
* Always remove unapproved software: Unapproved or non-compliant software may be
unintentionally installed on a computer. Users may also intentionally install
unauthorized programs. Although unapproved software may not be malicious, it can
still violate the security policy and interfere with the organization’s software or
network services. Non-compliant software should be removed immediately.)
3.1.4 Patch Management:

Cybercriminals work relentlessly to exploit weakness in computer systems. To stay
one step ahead, keep systems secure and up to date by regularly installing patches.
Select the arrows to learn more about what patches are and how they work.
(* What are patches? Patches are code updates that prevent a new virus, worm or
other malware from making a successful attack. Patches and upgrades are often
combined into a service pack. Many malware attacks could have been avoided if users
had installed the latest service pack. Operating systems such as Windows routinely
check for updates that can protect a computer from the latest security threats.
These include security updates, critical updates and service packs. Windows can be
configured to automatically download and install any high-priority updates or to
notify the user as these become available.
* What do you need to do? As a cybersecurity professional, it’s good practice to
test a patch before deploying it throughout the organization. A patch management
tool can be used to manage patches locally instead of using the vendor’s online
update service. An automated patch service provides administrators with a more
controlled setting. Let’s look at the benefits:
- Administrators can approve or decline updates.
- Administrators can force the update of systems on a specific date.
- Administrators can obtain reports on the update(s) needed by each system.
- There is no need for each computer to connect to the vendor’s service to download
patches; instead, it gets the verified update from a local server.
- Users cannot disable or circumvent updates.
*A proactive approach: As well as securing the operating system, it’s important to
update third-party applications such as Adobe Acrobat, Java and Chrome to address
vulnerabilities that could be exploited. A proactive approach to patch management
provides network security while helping to prevent ransomware and other threats.)
3.1.5 Endpoint Security:

A host-based solution is a software application that runs on a local device (or
endpoint) to protect it. The software works with the operating system to help
prevent attacks.
Select the images to learn about host-based solution options.

(* Host-based firewall: A host-based firewall runs on a device to restrict incoming
and outgoing network activity for that device. It can allow or deny traffic between
the device and the network. The software firewall inspects and filters data packets
to protect the device from becoming infected. Windows Firewall, installed by
default during Windows installation, is an example of a software firewall. You can
control the type of data sent to and from the device by opening or blocking ports.
Firewalls block incoming and outgoing network connections, unless exceptions are
defined to open and close the ports. You can select 'inbound rules' to configure
the types of traffic that are allowed to pass through to the system — this will
protect the system from unwanted traffic.
* Host Intrusion Detection System HIDS: HIDS software is installed on a device or
server to monitor suspicious activity. It monitors system calls and file system
access to detect malicious requests. It can also monitor configuration information
about the device held in the system registry. HIDS stores all log data locally. It
is resource-intensive so it can affect system performance. A host intrusion
detection system cannot monitor network traffic that does not reach the host
system, but it does monitor operating system and critical system processes specific
to that host.
* Host Intrusion Prevention System: HIPS is software that monitors a device for
known attacks and anomalies (deviations in bandwidth, protocols and ports), or
finds red flags by assessing the actual protocols in packets. If it detects
malicious activity, the HIPS tool can send you an alarm, log the malicious
activity, reset the connection and/or drop the packets.
* Endpoint Detection and Response: EDR is an integrated security solution that
continuously monitors and collects data from an endpoint device. It then analyzes
the data and responds to any threats it detects. An antivirus can only block
against threats, while EDR can do that and find threats on the device.
* Data Loss Prevention DLP: DLP tools provide a centralized way to ensure that
sensitive data is not lost, misused or accessed by unauthorized users.
* Next-Generation Firewall NGFW: NGFW is a network security device that combines a
traditional firewall with other network-device-filtering functions. For example, an
application firewall using in-line deep packet inspection (DPI) on an intrusion
protection system (IPS).)
Encryption is a tool used to protect data. Encryption uses a complicated algorithm

to transform data and make it unreadable. A special key returns the unreadable
information back into readable data.
3.1.6 Host Encryption:

The Windows Encrypting File System (EFS) feature allows users to encrypt files,
folders or an entire hard drive. Full disk encryption (FDE) encrypts the entire
contents of a drive (including temporary files and memory). Microsoft Windows uses
BitLocker for FDE. To use BitLocker, the user needs to enable Trusted Platform
Module (TPM) in the BIOS. The TPM is a specialized chip on the motherboard that
stores information about the host system, such as encryption keys, digital
certificates and passwords. When enabled, BitLocker can use the TPM chip.
Similarly, BitLocker To Go is a tool that encrypts removable drives. It does not
use a TPM chip, but still encrypts the data, requiring a password to decrypt it.
Meanwhile, a self-encrypting drive automatically encrypts all data in the drive to
prevent attackers from accessing the data through their operating system.
3.1.7 Boot Integrity:

Attackers can strike at any moment, even in the short space of time it takes for a
system to start up. It is critical to ensure that systems and devices remain secure
when booting up.
Select the arrows to find out how boot integrity works.

(* What is boot integrity? Boot integrity ensures that the system can be trusted
and has not been altered while the operating system loads. Firmware — software
instructions about basic computer functions — is stored on a small memory chip on
the motherboard. The basic input/output system (BIOS) is the first program that
runs when you turn on the computer. Unified Extensible Firmware Interface (UEFI), a
newer version of BIOS, defines a standard interface between the operating system,
firmware and external devices. A system that uses UEFI is preferred over one that
uses BIOS because a UEFI system can run in 64-bit mode.
* How does Secure Boot work? Secure Boot is a security standard to ensure that a
device boots using trusted software. When a computer system boots, the firmware
checks the signature of each piece of boot software, including UEFI firmware
drivers, UEFI applications and the operating system. If the signatures are valid,
the system boots, and the firmware gives control to the operating system.
* What is Measured Boot? Measured Boot provides stronger validation than Secure
Boot. Measured Boot measures each component starting with the firmware through to
the boot start drivers, and stores the measurements in the TMP chip to create a
log. The log can be tested remotely to verify the boot state of the client.
Measured Boot can identify untrusted applications trying to load, and it also
allows antimalware to load earlier.)
3.1.8 Managing Device Threats:

Guru has noticed some device domain threats in the new office and has asked you to
identify a countermeasure to manage each one. Can you identify the appropriate
countermeasure for each of the threats?
Unpatched software (Update and patch all operating systems and software
applications)
User downloads (Establish access control policies, standards, procedures and
guidelines)
Malware (Implement automated antimalware solutions that scan the system and update
the antimalware software to provide proper protection)
Unattended devices (Establish policies for passwords and threshold lockouts)
Acceptable use policy violation (Use content filtering)
Unauthorized media (Disable internal CD drives and USB ports)
Show feedback
(That’s right. You report back that @Apollo can implement a number of measures to
manage threats to devices.
+ Establish policies for password protection and lockout thresholds on all devices.
+ Enable screen lockout during times of inactivity.
+ Disable administrative rights for users.
+ Define access control policies, standards, procedures and guidelines.
+ Update and patch all operating systems and software applications.
+ Implement automated antivirus solutions that scan the system and update the
antivirus software to provide proper protection.
+ Deactivate all CD, DVD and USB ports.
+ Enable automatic antivirus scans for any CDs, DVDs or USB drives inserted.
+ Use content filtering to block access to inappropriate or offensive web content.
+ Mandate annual security awareness training or implement security awareness
campaigns and programs.
+ Develop an approved application list to prevent installation of unauthorized
software.)
3.1.9 Physical Protection of Devices:

Well done. You’ve protected @Apollo against software and hardware threats. But what
about the potential physical threats to @Apollo’s offices and devices?
Select the arrows to learn about security measures that can be taken.
(- Computer equipment - To physically protect computer equipment: Use cable locks
to secure devices. Keep telecommunication rooms locked. Use security cages (Faraday
cages) around equipment to block electromagnetic fields.
- Door locks: A standard keyed entry lock is the most common type of door lock.
They are often easy to force open. A deadbolt lock can be added for extra security.
Any lock that requires a key is vulnerable if the keys are lost, stolen or
duplicated. A cipher lock uses buttons that are pressed in a given sequence to open
the door. It can be programmed so that a user’s code may only work during certain
days or times. It can also keep a record of when the door opened, and the code used
to open it.
- Radio frequency identification (RFID) systems: RFID uses radio waves to identify
and track objects. RFID tags can be attached to any item that an organization wants
to track. The tags contain an integrated circuit that connects to an antenna. RFID
tags are small and require very little power, so they do not need a battery to
exchange information with a reader. RFID can help automate asset tracking, or
wirelessly lock, unlock or configure electronic devices.)
3.1.10 Harden a Linux System:

In this Lab, you will learn how how to: Use a security auditing tool to discover
system vulnerabilities. Implement recommended solutions to harden the system. Press
the play button to view this short demo video.
Play Video (Now, get a real-world, hands-on experience by following the
instructions and practicing this activity on your own laptop or desktop computer.)
Download the 3.1.10 Lab - Harden a Linux System - Answer Key.pdf for instructions.
3.1.11 Recover Passwords:

In this Lab, you will learn how to: Use a tool to recover user passwords. Change a
user password to a stronger password. Press the play button to view this short demo
video.
Play Video (Now, get a real-world, hands-on experience by following the
instructions and practicing this activity on your own laptop or desktop computer.)
Download the 3.1.11 Lab - Recover Passwords - Answer Key.pdf for instructions.
Complete Next Up... Next Up... Protecting a system or device also heavily depends
on the security of the applications it uses. Let’s take a closer look next.
3.2 Application Security
A key part of protecting an organization involves protecting the applications,

websites and online services it develops and uses. Security needs to be top
priority when developing, testing and deploying applications.
3.2.1 Application Development:

To maintain security at all stages of application development, a robust process
needs to be followed.
Select the pins to explore what this entails.

(* Developing and testing: Software is developed and updated in a development
environment, where it can be developed, tested and debugged before being deployed.
A development environment is less restrictive than the live environment and has a
lower security level. Version control software helps track and manage changes to
the software code. Developers may also work in a sandbox environment so that code
is not overwritten as they develop it. During testing, developers look at how the
code interacts with the normal environment. Quality assurance (QA) can find defects
in the software. It is much easier to fix any defect found at this phase.
* Staging and production: Staging environments should closely match the
organization’s production environment. By testing in a staging environment,
developers can verify that the software runs under the required security settings.
After the developer runs and tests security, the program can be deployed to
production.
* Provisioning and deprovisioning: Provisioning is the creation or updating of
software. Deprovisioning is its removal. An organization can use a self-service
portal to automate software provisioning and deprovisioning.)
3.2.2 Security Coding Techniques:

When coding applications, developers use several techniques to validate that all
security requirements have been met.
Select the headings to learn more.

(+ Normalization: Normalization is used to organize data in a database and help
maintain data integrity. Normalization converts an input string to its simplest
known form to ensure that all strings have unique binary representations and that
any malicious input is identified.
+ Stored procedure: A stored procedure is a group of precompiled SQL statements
stored in a database that execute a task. If you use a stored procedure to accept
input parameters from clients using different input data, you will reduce network
traffic and get faster results.
+ Obfuscation and camouflage: A developer can use obfuscation and camouflage to
prevent software from being reverse engineered. Obfuscation hides original data
with random characters or data. Camouflage replaces sensitive data with realistic
fictional data.
+ Code reuse: Code reuse means using existing software to build new software,
saving time and development costs. Care must be taken, though, to avoid the
introduction of vulnerabilities.
+ SDKs: Third-party libraries and software development kits (SDKs) provide a
repository of useful code to make application development faster and cheaper. The
downside is that any vulnerabilities in SDKs or third-party libraries can
potentially affect many applications.)
Cybercriminals often target sensitive information stored in databases. Implementing

application security practices helps to protect databases against attack. Let’s
take a closer look.
3.2.3 Input Validation:

Controlling the data input process is key to maintaining database integrity. Many
attacks run against a database and insert malformed data. Such attacks can confuse,
crash or make the application divulge too much information to the attacker. Scroll
down to look at an example — in this case, an automated input attack. Customers
fill out a web application form to subscribe to a newsletter. A database
application automatically generates and sends email confirmations back to the
customers. When customers receive the email with a URL link to confirm their
subscription, attackers have modified the URL link. These modifications can change
the username, email address or subscription status of the customers when they click
to confirm their subscription. This way, when the email is returned to the host
server, it receives bogus information, which it might not be aware of if it does
not check each email address against subscription information. Hackers can automate
this attack to flood the web application with thousands of invalid subscribers to
the newsletter database.
3.2.4 Validation Rules:

associated text. Validation rules can help ensure the security of databases by
checking to see if data meets certain rules when entered into a field. A validation
rule checks that data falls within the parameters defined by the database designer.
This helps to ensure the completeness, accuracy and consistency of data.
Select the image to discover the criteria used in a validation rule. (imagen
3.2.4.a)
(The criteria used in a validation rule include the following:
Size — checks the number of characters in a data item.
Format — checks that the data conforms to a specified format.
Consistency — checks for the consistency of code in related data items.
Range — checks that data lies within a minimum and maximum value.
Check digit — provides for an extra calculation to generate a check digit for error
detection.)
3.2.5 Integrity Checks:

(imagen 3.2.5.a)
Compromised data can threaten the security of your devices and systems. An
integrity check can measure the consistency of data in a file, picture or record to
ensure that it has not been corrupted. The integrity check performs a hash function
to take a snapshot of data and then uses this snapshot to ensure data has remained
unchanged. A checksum is an example of a hash function.
Select the headings to explore the checksum process.

Compromised data can threaten the security of your devices and systems. An
integrity check can measure the consistency of data in a file, picture or record to
ensure that it has not been corrupted. The integrity check performs a hash function
to take a snapshot of data and then uses this snapshot to ensure data has remained
unchanged. A checksum is an example of a hash function.
Select the headings to explore the checksum process.

(* How a checksum works: A checksum verifies the integrity of files, or strings of
characters, before and after they transfer between devices across a local network
or the Internet. Checksums convert each piece of information to a value and sum the
total. To test the data integrity, a receiving system repeats the process. If the
two sums are equal, the data is valid. If not, a change has occurred somewhere
along the line.
* Hash functions: Common hash functions include MD5, SHA-1, SHA-256 and SHA-512.
These use complex mathematical algorithms to compare data to a hashed value. For
example, after downloading a file, the user can verify the integrity of the file by
comparing the hash values from the source with the ones generated by any hash
calculator.
* Version control: Organizations use version control to prevent authorized users
from making accidental changes. Version control means that two users cannot update
the same object, such as a file, database record or transaction, at the exact same
time. For example, the first user to open a document has the permission to change
that document; the second person who tries to open it while the first user is still
working on it will only be able to access a read-only version.
* Backups: Accurate backups help to maintain data integrity if data becomes
corrupted. An organization needs to verify its backup process to ensure the
integrity of the backup.
* Authorization: Authorization determines who has access to an organization’s
resources based on a need-to-know basis. For example, file permissions and user
access controls ensure that only certain users can modify data. An administrator
can set permissions for a file to read-only. As a result, a user accessing that
file cannot make any changes.)
3.2.6 Other Application Security Practices:

How can you be sure that a piece of software you are installing is authentic or
that information is secure when browsing the Internet?
Select the images to find out.

(- Code Signing: Code signing helps prove that a piece of software is authentic.
Executables designed to install and run on a device are digitally signed to
validate the author’s identity and provide assurance that the software code has not
changed since it was signed.
- Secure cookies: Using secure cookies protects information stored in cookies from
hackers. When your client system interacts with a server, the server sends a HTTP
response that instructs your browser to create at least one cookie. The cookie then
stores data for future requests while you are browsing that website. Web developers
should use cookies with HTTPS, to secure cookies and prevent them from being
transmitted over unencrypted HTTP.)
3.2.7 Over to You…

You have been asked to implement several application security practices at the new
@Apollo office.
Can you identify which security practices the cybersecurity specialist is

describing below?

Measures data consistency by taking a snapshot at an instant in time to ensure it
remains unchanged (Integrity checks)
Stores data securely for future requests while you are browsing a website (Secure
cookies)
Checks that data falls within predefined parameters to ensure the completeness,
accuracy and consistency of data (Validation rules)
Digitally validates that software code has not changed and is authentic (Code
signing)
Show feedback
(That’s right. You have correctly identified the security practices described.
Validation rules check that data falls within predefined parameters to ensure the
completeness, accuracy and consistency of data.
Integrity checks measure the consistency of data by taking a snapshot of data at an
instant in time to ensure it remains unchanged.
Code signing digitally validates that software code has not changed and is
authentic.
Secure cookies store data securely for future requests while you are browsing a
website.)
3.2.8 Managing Threats to Applications:

Organizations can implement various measures to manage threats to the application
domain. Select the headings to learn about the countermeasures to manage each
threat.
(* Unauthorized access to data centers, computer rooms and wiring closets:
Implement policies, standards and procedures for staff and visitors to ensure the
facilities are secure.
* Server and system downtime: Develop a business continuity plan for critical
applications to maintain availability of operations. Develop a disaster recovery
plan for critical applications and data.
* Network operating system software vulnerability: Develop a policy to address
application software and operating system updates. Install patches and updates
regularly.
* Unauthorized access to systems: Use multi-factor authentication. Monitor log
files.
* Data loss: Implement data classification standards. Implement backup procedures.
* Software development vulnerabilities: Conduct software testing prior to launch.)
Next Up... Organizations must also implement network security best practices.
Hardening network security is all about securing a system in an effort to eliminate
potential threats and prevent unauthorized access. We will look at this in more
detail next.
3.3 Network Hardening: Services and Protocols

Network vulnerabilities will leave @Apollo open to attack and could expose the
organization and its customers. It’s important to harden networks to reduce the
number of attacks against them. First up, it’s all about securing services and
protocols.
3.3.1 Network and Routing Services:

Cybercriminals use vulnerable network services to attack a device or to use it as
part of an attack. To check for insecure network services, use a port scanner to
detect open ports on a device. A port scanner sends a message to each port and
waits for a response, which indicates how the port is used and whether it is open.
But beware, cybercriminals also use port scanners for this same reason! Securing
network services ensures that only necessary ports are exposed and available.
Select the headings to see what this means in practice.

(* Dynamic Host Control Protocol (DHCP): DHCP uses a server to assign an IP address
and other configuration information to network devices. In effect, the device gets
a permission slip from the DHCP server to use the network. Attackers can target
DHCP servers to deny access to devices on the network, but security measures like
DHCP snooping prevent rogue DHCP servers from providing IP addresses to clients by
validating messages from sources that are not trusted.
A security checklist for DHCP:
- Physically secure the DHCP server.
- Apply any software patches.
- Locate the DHCP server behind a firewall.
- Monitor DHCP activity by reviewing DHCP logs.
- Maintain a strong antivirus solution.
- Uninstall any unused services and applications.
- Close unused ports.
* Domain Name System (DNS): DNS translates a URL or website address, such as
www.cisco.com, into a numerical IP address. When users type a web address into the
address bar, the DNS server will recognize the IP address. Attackers can target DNS
servers to deny access to network resources or redirect traffic to rogue websites.
Use secure service and authentication between DNS servers to protect them from
these attacks. DNS Security Extensions (DNSSEC) uses digital signatures to
strengthen authentication and protect against threats to the DNS.
A security checklist for DNS:
- Keep DNS software up to date.
- Prevent version string from revealing information.
- Separate internal and external DNS servers.
- Restrict allowed transactions by client IP address.
- Use transaction signatures to authenticate transactions.
- Disable or restrict zone transfers and dynamic updates as much as possible.
- Enable logging and analyze logs.
- Use Domain Name System Security Extensions (DNSSEC).
- Sign zones.
* Internet Control Messaging Protocol (ICMP): Network devices use ICMP to send
error messages, that a requested service is not available or the host could not
reach the router, for example. The ping command is a network utility that uses ICMP
to test the reachability of a host on a network. Ping sends ICMP messages to the
host and waits for a reply. Cybercriminals can alter the use of ICMP to run
reconnaissance, denial of service (DoS) and covert channel attacks. Many networks
filter ICMP requests to prevent such attacks.
* Routing Information Protocol (RIP): RIP is a routing protocol that limits the
number of hops from source to destination that are allowed in a network path. The
maximum number of hops allowed for RIP is fifteen. RIP is used to exchange routing
information about which networks each router can reach and how far away those
networks are.
* Network Time Protocol (NTP): Having the correct time within networks is
important. Correct timestamps accurately track network events such as security
violations. Additionally, clock synchronization is critical for the correct
interpretation of events within syslog data files as well as for digital
certificates. Network Time Protocol (NTP) is a protocol that synchronizes network
computer system clocks. NTP allows network devices to synchronize their time
settings with an NTP server. Cybercriminals attack timeservers to disrupt secure
communication that depends on digital certificates and to hide attack information.
Use NTP Authentication to verify that the server is trusted. RIP calculates the
best route based on hop count, but cybercriminals can also target routers and the
RIP protocol. Such attacks on routing services can affect performance and
availability, some attacks can even result in traffic redirection. Use secure
services with authentication and implement system patching and updates to protect
routing services.)
3.3.2 Telnet, SSH and SCP:

Secure Shell (SSH) is a protocol that provides a secure (encrypted) remote
connection to a device. Telnet is an older protocol that uses unsecure plaintext
when authenticating a device (user name and password) and transmitting data. SSH
should be used rather than Telnet to manage connections, as it provides strong
encryption. SSH uses TCP port 22. Telnet uses TCP port 23. Secure copy (SCP)
securely transfers files between two remote systems. SCP uses SSH for data transfer
and authentication, ensuring the authenticity and confidentiality of the data in
transit.
Select the headings to take a closer look.

(* Wireshark Telnet capture: Cybercriminals monitor packets using Wireshark.
(imagen 3.3.2.a)
* Plaintext username and password capture: Cybercriminals capture the username and
password of the administrator from the plaintext Telnet session. (imagen 3.3.2.b)
* Wireshark SSH capture: The Wireshark view of an SSH session. Cybercriminals track
the session using the IP address of the administrator device. (imagen 3.3.2.c)
* Username and password encrypted: The session encrypts the username and password.
(imagen 3.3.2.d))
3.3.3 Secure Protocols:

Attackers can penetrate a network’s infrastructure through services, protocols and
open ports. Older protocols leave a network in a vulnerable position, so
cybersecurity professionals need to make sure current protocols are being used.
Select the headings to find out more about secure protocols.

(* Simple Network Management Protocol (SNMP): SNMP collects statistics from TCP/IP
devices to monitor network and computer equipment. SNMPv3 is the current standard —
it uses cryptography to prevent eavesdropping and make sure data hasn’t been
tampered with while in transit.
* HTTP: Hypertext Transfer Protocol (HTTP) provides basic web connectivity and uses
port 80. HTTP contains limited built-in security and is open to traffic monitoring
when transmitting content, leaving the user’s computer open to attack. Let’s see
how other protocols provide a more secure connection:
- Secure Sockets Layer (SSL) manages encryption by using an SSL handshake at the
beginning of a session to provide confidentiality.
- Transport Layer Security (TLS) prevents eavesdropping and tampering.
- SSL/TLS encrypts communication between the client and the server. Where it’s
used, the user will see HTTPS in the URL field of a browser instead of HTTP.
* FTP: File Transfer Protocol (FTP) transfers computer files between a client and a
server. In FTP, the client uses a plaintext username and password to connect. File
Transfer Protocol Source (FTPS) is more secure — it adds support for TLS and SSL to
prevent eavesdropping, tampering and forgery on exchanged messages.
* POP, IMAP and MIME: Email uses Post Office Protocol (POP), Internet Message
Access Protocol (IMAP) and Multipurpose Internet Mail Extensions (MIME) to attach
non-text data, such as an image or video, to an email message. To secure POP (port
110) or IMAP (port 143), use SSL/TLS to encrypt mail during transmission. The
Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol provides a secure
method of transmission. It sends digitally signed and encrypted messages that
provide authentication, message integrity and nonrepudiation.)
3.3.4 Securing @Apollo’s Network:

Can you identify which protocol is being used to govern communication between
devices on @Apollo’s network in the following examples?

(+ The Finance Team Lead is transferring a customer payment file to a colleague who
works from home (Secure copy (SCP).
+ A secretary in the new @Apollo office is sending an instant message about travel
arrangements to the Office Manager (Transport Layer Security (TLS)).
+ A learner is accessing an @Apollo remote Linux lab environment from a tablet
device (Secure Shell (SSH)).
Show feedback (That’s right.
- Secure Shell (SSH) provides a secure (encrypted) remote connection to a device.
- Secure copy (SCP) securely transfers files between two remote systems.
- Transport Layer Security (TLS) prevents eavesdropping and tampering.)
Next Up... Well done for completing this topic. You now know much more about the
services and protocols that can help harden your network. Securing your network
devices is a fundamental way of protecting your network from cyberattack. This is
what we are going to look into next.
3.4 Network Hardening: Securing Network Devices
Remember, any weakness in device management or configuration can leave your network
vulnerable to attack. There are many ways to reduce vulnerabilities and keep your
network safe from today’s ever-evolving cyber threats.
3.4.1 Switches, Routers and Network Appliances:

The first step is to secure your main network components.
Select the images to learn more.

(* Switch: Network switches are the heart of the modern data communication network.
The main threats to network switches are: Theft, Hacking and remote access, Attacks
against network protocols like ARP/STP, Attacks against performance and
availability.
Several countermeasures and controls can protect network switches — including
improved physical security, advanced configuration and implementing proper system
updates and patches as needed. Implementing port security is another effective
control. Port security limits the number of valid MAC addresses allowed to connect
on a port. The switch allows access to devices with legitimate MAC addresses while
it denies other addresses.
* Firewalls: A firewall filters unauthorized or potentially dangerous traffic from
entering the network. We outline different firewalls below. Firewalls are a common
target of hackers. The main threats to firewalls are: Theft, Hacking and remote
access, Attacks against ACLs, Attacks against performance and availability.
Several countermeasures and controls can protect firewalls including improved
physical security, advanced configuration, secure remote access and authentication
and proper system updates and patches as needed.
* Unified Threat Management (UTM) appliance: A UTM can be connected to the main
network to provide maximum security against all incoming viruses. A UTM appliance
carries out a diverse range of functions. It: Balances the load in a network,
Prevents data leaks that might occur, Provides a gateway antivirus solution,
Provides network intrusion prevention and on-appliance reporting.
* Routers: Routers form the backbone of the Internet and communications between
different networks. Routers communicate to identify the best possible path to
deliver traffic to different networks, using routing protocols to make decisions.
Routers can integrate other services like switching and firewall capabilities. The
main threats to network routers include: Theft, Hacking and remote access, Attacks
against routing protocols, Attacks against performance and availability.
Countermeasures and controls to protect network routers include improved physical
security, advanced configuration, use of secure routing protocols with
authentication and applying system updates and patches as needed.)
Organizations can choose between several different types of firewall.

- A stateless firewall provides basic traffic filtering capabilities using access
control lists (ACLs). Administrators use ACLs to stop traffic or permit only
specified traffic on their networks. An ACL is a sequential list of permit or deny
statements that apply to addresses or protocols.
- A stateful firewall inspects traffic leaving the network and monitors the
establishment of a stateful connection. Traffic associated with the established
(stateful) connection is then permitted.
- A content-filtering firewall works by specifying content patterns (text strings
or objects within images) that, if matched, indicate undesirable content that is to
be screened out.
- A web application firewall (WAF) filters, monitors and blocks HTTP traffic to and
from a web service.
- A next-generation firewall (NGFW) combines a traditional firewall with other
network device filtering functions, such as an application firewall using in-line
deep packet inspection to examine the actual data within the packets transmitted.
3.4.2 Configure Your Firewall

Guru has asked you to carry out some research on firewalls to ensure you implement
the right ones at the new @Apollo office. Can you identify each type of firewall
from the descriptions below?

+This firewall inspects traffic leaving the network and monitors the establishment
of a connection. Traffic associated with the established connection is then
permitted. (Stateful firewall).
+ This firewall provides basic traffic filtering capabilities using access control
lists (ACLs). Use this to stop network traffic or permit only specified traffic on
the network. (Stateless firewall).
+ This firewall works by specifying content patterns (text strings or objects
within images) as undesirable content that is to be screened out. (Content-
filtering firewall).
+ This firewall combines a traditional firewall with other network device filtering
functions. (Next-generation firewall (NGFW)).
+ This firewall filters, monitors and blocks HTTP traffic to and from a web
service. (Web application firewall (WAF)).
Show feedback (That’s right!
- A stateless firewall provides basic traffic filtering capabilities using access
control lists (ACLs). Use this to stop network traffic or permit only specified
traffic on the network.
- A stateful firewall inspects traffic leaving the network and monitors the
establishment of a connection. Traffic associated with the established connection
is then permitted.
- A content-filtering firewall works by specifying content patterns (text strings
or objects within images) as undesirable content that is to be screened out.
- A web application firewall (WAF) filters, monitors and blocks HTTP traffic to and
from a web service.
- A next-generation firewall (NGFW) combines a traditional firewall with other
network device filtering functions.)
Firewalls are a common target of hackers. Threats include theft, hacking and remote
access, attacks against ACLs or attacks against performance and availability.
Several countermeasures and controls can protect firewalls, including improved
physical security, advanced configuration, secure remote access and authentication
and installing system updates and patches as needed.
3.4.3 Intrusion Detection Systems:

Intrusion Detection Systems (IDSs) passively monitor the traffic on a network to
identify threats. An IDS-enabled device copies network traffic and analyzes the
copy rather than the actual forwarded packets.

(* How does an IDS work? Working offline, an IDS compares network traffic with
known malicious signatures, similar to software that checks for viruses. Working
offline means several things: The IDS works passively. The IDS device is physically
positioned in the network so that traffic must be mirrored to reach it. Network
traffic does not reach the IDS — only copies of it that are mirrored. An IDS is
passive and operates in promiscuous mode, meaning it monitors and reports on
traffic but does not take any action.
* Advantages of an IDS: The advantage of operating with a copy of the traffic is
that the IDS does not negatively affect the packet flow of the forwarded traffic.
* Disadvantages of an IDS: The disadvantage of operating on a copy of the traffic
is that the IDS cannot stop malicious single-packet attacks from reaching their
target before it responds to the threat. An IDS often requires assistance from
other networking devices, such as routers and firewalls, to respond to an attack.)
A better solution is to use a device that can immediately detect and stop an
attack. An Intrusion Prevention System (IPS) performs this function. Let’s take a
closer look.
3.4.4 Intrusion Prevention Systems:

An IPS builds on IDS technology but works inline, within the data stream. This
means that all traffic must flow through it for processing. Unlike IDS, an IPS does
not allow packets to enter the trusted side of the network unless it has analyzed
them first. An IPS can detect and immediately address a network problem.

(* How does an IPS work? An IPS monitors network traffic and analyzes packets for
malicious activities. Some systems use a blend of detection technologies, including
signature-based, profile-based and protocol analysis-based intrusion detection.
This deeper analysis enables the IPS to identify, stop and block attacks that would
have passed through a traditional firewall. When a packet comes through an
interface on an IPS, the outbound or trusted interface does not receive that packet
until the IPS analyzes it and signals it can go through.
* Advantages of an IPS: The advantage of operating in inline mode is that the IPS
can stop single-packet attacks from reaching the target system.
* Disadvantage of IPS: The disadvantage of this technology is that a poorly
configured IPS can negatively affect the packet flow of the forwarded traffic.
* Differences between IDS and IPS: The biggest difference between IDS and IPS is
that an IPS responds immediately and blocks malicious traffic, whereas an IDS
allows malicious traffic to pass before addressing the problem.)
3.4.5 NetFlow and IPFIX:

NetFlow is a Cisco IOS technology that provides statistics on packets flowing
through a Cisco router or multilayer switch. NetFlow is the standard for collecting
operational data from networks. The Internet Engineering Task Force (IETF) used
Cisco’s NetFlow Version 9 as the basis for IP Flow Information Export (IPFIX).
Select the image to learn more about how IPFIX works. (imagen 3.4.5.a)
(IPFIX is a standard format for exporting router-based information about network
traffic flows to data collection devices. IPFIX works on routers and management
applications that support the protocol. Network managers can use this information
to optimize network performance.
Collecting, storing and analyzing information from IPFIX-supported devices helps:
- Secure the network against internal and external threats.
- Troubleshoot network failures quickly and precisely.
- Analyze network flows for capacity planning.)
3.4.6 Network Access Control:

Network Access Control (NAC) is a networking solution that protects a private
network from unauthorized users and devices. NAC only allows authorized users with
security-compliant systems to access the network. For example, a laptop that is
part of a home wireless network may not be allowed to connect remotely to the
office network. NAC evaluates every incoming device against the policies of the
network, proceeding to quarantine and remediate non-compliant systems. A NAC
framework can use the existing network infrastructure and third-party software to
enforce security-policy compliance for all devices. A NAC appliance controls
network access, evaluates compliance and enforces security policy. A common NAC
systems checklist includes:
- Updated virus detection.
- Operating systems patches and updates.
- Complex password enforcement.
3.4.7 IDS vs IPS:

You are reviewing the security of @Apollo's network protectcion and are considering
whether it's best to use an IDS or an IPS solution. Can you identify which of these
statements relates to an IDS and which relates to an IPS? Select Start to begin.
Show feedback (10/10).
Next Up... You now know more about how to secure your organization’s network
devices. Data security is extremely important, particularly when you are sending it
over the Internet. Virtual private networks (VPNs) can provide protection when
exchanging data online.
3.5 Network Hardening: VPNs
A Virtual Private Network (VPN) is a private network that uses a public network
such as the Internet to create a secure communication channel.
3.5.1 VPN Architecture:

A VPN can be site-to-site. This means that the organization can communicate via a
wide-area network (WAN) with a regional branch, or over the Internet via a private
network (VPN) with a remote employee or business partner. Remote-access VPNs allow
remote workers to access the corporate network in a safer manner using a VPN client
installed on their device. VPN traffic must be authenticated and encrypted to make
sure it is private and secure. All VPN endpoints must use the same security
parameters. Each VPN uses a tunnel with encryption key sets to exchange content in
a secure manner. Finally, protocols must ensure that no third party can affect VPN
security. L2TP is an older protocol and doesn’t provide encryption for data that is
tunneled. It has been replaced by IPSec and SSL/TLS VPNs.
3.5.2 IPsec:
VPNs use IPsec, a suite of protocols developed to achieve secure services over
networks. IPsec services allow for authentication, integrity, access control and
confidentiality. With IPsec, remote sites can exchange encrypted and verified
information. There are two security protocols from which to choose. AH provides
authentication and integrity by hashing the IP header and data payload. (imagen
3.5.2.a) ESP provides confidentiality by encrypting the entire data payload. ESP
also provides authentication and integrity. (imagen 3.5.2.b)
AH and ESP can be used in two different modes: transport mode and tunnel mode.
Transport mode only encrypts the transport layer of the OSI model, meaning the
original IP address of the packet remains in plaintext. Tunnel mode encrypts the
entire original IP packet.
3.5.3 VPN Solutions:

Let’s take a look at different VPN solutions and how they are set up.

(* Establishing a connection: If they intend to use an IPsec VPN, users install a
VPN client on their computers to securely connect with the corporate private
network. The VPN client software encrypts data before sending it over the Internet
to the VPN gateway at the network. Today’s workforce is increasingly mobile, so
organizations are replacing the IPsec VPN with SSL/TLS VPNs. These provide an
always-on solution so that you automatically establish a VPN connection when you
connect to the Internet.
* Full tunnel VPN: When using a VPN, there are two types of traffic:
- Traffic going to and from your organization.
- Traffic generated by web activity such as browsing or streaming a movie.
The SSL VPN is a full tunnel VPN because all traffic is transferred through the
organization. This means that all work functions as well as web activity goes
through the organization’s network before it reaches the user.
* A split tunnel VPN lets you route traffic into:
- Traffic that goes to and from your organization.
- Other traffic that goes to and from the Internet.
Split-tunneling lets you perform work functions via the organization’s network,
while web activity reaches the user from the Internet directly and does not go
through the organization’s VPN.
* Remote access: Another option is an HTML5-based solution for remote access, which
uses a web browser as a client — it does not require Java or any other plug-in to
work.)
3.5.4 What’s the Problem?

Guru needs your help. A remote team member working from her home office is
complaining that public web pages and video streaming on the Internet are running
slow. What is the most likely type of VPN she is on?
Select the correct answer, then Submit. (A full VPN tunnel)

This team member is using a full tunnel VPN. This means everything is passing
through the VPN tunnel, even traffic to public Internet services like Gmail and
Netflix, which can slow things down.)
3.5.5 Configure VPN for Remote Access

In this Packet Tracer, you will learn how to: Establish a remote access VPN.
Capture and examine network traffic.
Now, get a real-world, hands-on experience by downloading the Packet Tracer file on
3.5.5 Packet Tracer - Configure VPN for Remote Access.pka and the 3.5.5 Packet
Tracer - Configure VPN for Remote Access - Answer Key.pdf for instructions.
Next Up... After looking at VPNs, we will see how one way of improving network
performance and security is to divide it into smaller parts.
3.6 Network Hardening: Segmentation
Segmentation involves dividing a computer network into smaller parts to improve

network performance and security. Let’s see how we can use this in @Apollo.
3.6.1 Virtual Local Area Networks (VLANs):

The @Apollo HR Manager is worried about protecting sensitive information about
personnel that is stored on the network. Guru suggests using a virtual local area
network, a VLAN, to segment the network and create a secure area for the sensitive
data.
Select the arrows to learn how this would work.

(* Devices are grouped: (imagen 3.6.1.a) VLANs provide a way to group devices
within a local area network (LAN) and on individual switches. VLANs are not the
same as LANs: virtual LANs are based on logical connections, while LANs are based
on physical connections. Individual ports on a switch can be assigned to a specific
VLAN. Other ports can be used to physically interconnect switches and allow
multiple VLAN traffic between switches. These ports are called trunks.
* The network is segmented: (imagen 3.6.1.b) VLANs allow an administrator to
segment a network based on factors such as function, project team or application.
Devices within a VLAN act as if they are in their own independent network, even
though they share a common infrastructure with other VLANs on the same LAN. A VLAN
can separate groups of devices that host sensitive data from the rest of the
network, decreasing the chances of confidential information breaches — in our
example, the HR department looking to protect sensitive data. Trunks allow
individuals on the HR VLAN to be physically connected to multiple switches.
* Data is protected: (imagen 3.6.1.c) VLANs provide a way to limit broadcast
traffic in a switched network. But beware, cybercriminals can attack VLAN
performance and availability. To protect the VLAN, monitor its performance, use
advanced configurations and regularly install patches and updates.)
3.6.2 The Demilitarized Zone (DMZ):

A demilitarized zone (DMZ) is a small network between a trusted private network and
the Internet.
Select the headings to find out how a DMZ works.

(* Access to untrusted networks: Web servers and mail servers are usually placed
within the DMZ to allow users to access an untrusted network, such as the Internet,
without compromising the internal network.
* Zones of risk: Most networks have two to four zones of risk: the trusted private
LAN, the DMZ, the Internet and an extranet.
- Within the LAN zone, the risk level is low, and the trust level is high.
- Within the extranet zone, the risk level is medium-low, and the trust level
medium-high.
- Within the DMZ, the risk level is medium-high, and the trust level is medium-low.
- Within the Internet zone, the risk level is high, and the trust level is low.
* Zero Trust model: Firewalls manage east-west traffic (traffic that goes between
servers within the organization’s data center) and north-south traffic (data moving
into and out of the organization’s network). To protect its network, an
organization can implement a Zero Trust model. Automatically trusting users and
endpoints within the organization can put any network at risk, as trusted users can
move throughout the network to access data. Zero Trust networking constantly
monitors all users on the network regardless of their status or role.
3.6.3 Managing Threats to the LAN:

You are working to secure @Apollo’s network. Can you identify the countermeasures
to put in place to manage the following cybersecurity threats?
Unauthorized access to systems, applications and data (Define strict access control
policies, standards, procedures and guidelines.)
Unauthorized LAN access (Secure wiring closets, data centers and computer rooms.
Deny access to anyone without the proper credentials.)
Exploits of data in transit (Implement encryption between devices and wireless
networks.)
Network operating system software vulnerabilities (Implement policy to patch and
update operating systems.)
Unauthorized access by rogue users (Require passphrases or authentication for
wireless networks.)
Unauthorized network probing and port scanning (Conduct post-configuration
penetration tests.)

Organizations can implement the following countermeasures to manage threats to
their LAN:
- Unauthorized LAN access: Secure wiring closets, data centers and computer rooms.
Deny access to anyone without the proper credentials.
- Unauthorized access to systems, applications and data: Define strict access
control policies, standards, procedures and guidelines.
- Network operating system software vulnerabilities: Implement policy to patch and
update operating systems.
- Unauthorized access by rogue users: Require passphrases or authentication for
wireless networks.
- Exploits of data in transit: Implement encryption between devices and wireless
networks.
Unauthorized network probing and port scanning: Conduct post-configuration
penetration tests.)
Next Up... Wireless and mobile devices introduce additional security risks. Let’s
look at what you can do to manage these.
3.7 Hardening Wireless and Mobile Devices
Your office network is likely to include a wide range of wireless devices, from
cell phones and computers to routers and IP cameras. Protecting your wireless
devices and networks from cyber threats should be a chief concern. Use security
protocols and device protections to stay ahead of the game when it comes to
wireless device security.
3.7.1 Wireless Device Security:

Wired Equivalent Privacy (WEP) was the first security protocol used for wireless
networks. This was replaced by Wi-Fi Protected Access (WPA), which improved the
security of wireless connections.
Select the headings to find out more about the introduction and evolution of WPA.
(* WPA configuration: Wi-Fi Protected Access (WPA) was the computer industry’s
response to the weaknesses of the WEP standard. WPA-PSK (Pre-Shared Key) is the
most common WPA configuration. The keys used by WPA are 256-bit, a significant
increase over the 64-bit and 128-bit keys used in the WEP system.
* WPA features: The WPA standard provided several security improvements. First, WPA
provided message integrity checks (MIC), which could detect if an attacker had
captured and altered data passed between the wireless access point and a wireless
client. Another key security enhancement was Temporal Key Integrity Protocol
(TKIP). The TKIP standard helped to better handle, protect and change encryption
keys. Advanced Encryption Standard (AES) superseded TKIP, for even better key
management and encryption protection.
* WPA2 (Wi-Fi Protected Access II): The Wi-Fi Protected Access II (WPA2) standard
was released in 2006. This introduced the mandatory use of AES algorithms and
replaced TKIP with the Counter Cipher Mode with Block Chaining Message
Authentication Code Protocol (CCMP).
* WPA3 (Wi-Fi Protected Access III): WPA3 added more features to WPA2 such as
maintaining strong cryptographic algorithms and improving key exchange.
* Wi-Fi Protected Setup (WPS): Wi-Fi Protected Setup (WPS) can be used to set up a
secure wireless home network. A PIN code is used to connect devices to the wireless
network. However, WPS poses a major security vulnerability, as the user’s PIN can
be discovered through brute-force attack. Due to this, WPS should not be used and
should be disabled altogether.)
3.7.2 Configure Wireless Router Hardening and Security:

In this Packet Tracer, you will learn how to:
- Configure basic security settings for a wireless router.
- Configure wireless router network security.
- Configure wireless clients network security.
- Verify connectivity and security settings.
Press the play button to view this short demo video. (Play Video)
Now, get a real-world, hands-on experience by downloading the Packet Tracer file on
3.7.2 Packet Tracer - Configure Wireless Router Hardening and Security.pka and the
3.7.2 Packet Tracer - Configure Wireless Router Hardening and Security - Answer
Key.pdf for instructions.
3.7.3 Authentication:
Wireless devices have become predominant on most modern networks. They provide
mobility and convenience but are vulnerable to a range of cybersecurity issues.
They are open to theft, hacking and unauthorized remote access, sniffing, man-in-
the-middle attacks, as well as attacks against performance and availability. The
best way to secure a wireless network is to use authentication and encryption. The
original wireless standard, 801.11, introduced two types of authentication.
Select the images to learn more.

(* Open system authentication: Any wireless device can connect to the wireless
network. Use this method in situations where security is of no concern.
* Shared key authentication: Provides mechanisms to authenticate and encrypt data
between a wireless client and AP or wireless router.)
3.7.4 Authentication Protocols:

The Extensible Authentication Protocol (EAP) is an authentication framework used in
wireless networks. Let’s find out how it works.
- The user requests to connect to the wireless network through an access point.
- The access point requests identification data (username) from the user, which is
then sent to an authentication server.
- The authentication server requests proof that the ID is valid.
- The access point requests proof that the ID is valid from the user, in the form
of a password.
- The user supplies the access point with their password. The access point sends
this back to the authentication server.
- The server confirms the username and password are correct, and passes this
information on to the access point and user.
- The user connects to the wireless network.
Select the headings below to compare four protocols used with EAP to provide
authentication for wireless networks.
(* EAP-TLS: Requires Client Certificate: Yes / Requires Server Certificate: Yes /
Easily Deployed: Difficult / Security: High.
* PEAP: Requires Client Certificate: No / Requires Server Certificate: Yes / Easily
Deployed: Moderate / Security: Medium.
* EAP-TTLS: Requires Client Certificate: No / Requires Server Certificate: Yes /
Easily Deployed: Moderate / Security: Medium.
* EAP-FAST: Requires Client Certificate: No / Requires Server Certificate: No /
Easily Deployed: Easy / Security: Medium.
3.7.5 What Are Your Options?

You have set up a wireless network device in the office for @Apollo employees. What
is the best way to secure this?
Select the correct answer, then Submit. (Use WPA2 with EAP authentication)
It’s best to use WPA2 with EAP authentication to secure the wireless device. Using
this approach, you can define a unique username/password combination (or deploy
unique client certificates) for each user on the wireless network. If a user leaves
the organization, their wireless access can be dropped by deleting their
credentials from the authentication system.)
3.7.6 Mutual Authentication:Your wireless network and its sensitive data are
susceptible to unauthorized access by hackers using a wireless connection. But what
can you do to prevent an attack?

(* Rogue access points: An access point is any hardware device that enables other
wireless devices to connect to a wired network. Any device that has a wireless
transmitter and hardwired interface to a network can potentially act as a rogue or
unauthorized access point. The rogue access point will often imitate an authorized
access point, allowing users to connect to the wireless network but potentially
stealing their data or conducting other nefarious activity in the process.
* Preventing attacks: When you connect to a rogue access point, the imposter who
set it up can request and copy data from your device. This type of man-in-the-
middle attack is very difficult to detect and can result in stolen login details
and data. Mutual authentication is two-way authentication that can prevent rogue
access points. It is a process in which both entities in a communications link
authenticate each other before they connect. This enables clients to detect rogue
access points and prevent such MitM attacks.)
Mobile devices use cellular communications to connect to a service provider.

Wireless providers use IP-based 5G LTE networks to access the Internet and other
data services, for example.
3.7.7 Communication Methods:

Let’s take a closer look at how mobile devices connect and communicate.
Select the images below to learn more.

(* Wi-Fi and Bluetooth: Mobile devices can use wireless signals such as Wi-Fi and
Bluetooth. You can configure wireless access through the device’s settings menu.
Bluetooth is commonly used to connect headphones or to pair a phone with a car
sound system.
* Near-field communication: Near-field communication (NFC) allows contactless
communication between devices. NFC chips use electromagnetic fields to enable
contactless payments, meaning, for instance, that you simply need to hold your
device close to a payment terminal to process payment.
* Infrared: Infrared (IR) provides short-range communication using an IR receiver.
For example, IR allows you to control your television through your cell phone.
* USB communication: The only type of communication on this list that is wired, USB
communication allows you to use your smartphone for data or audio storage. USB
connectivity also allows a mobile device to function as a modem or fax. You can
connect a mobile device to forensic acquisition devices via the USB port if you
need to gather information for an investigation.)
3.7.8 Mobile Device Management:

A mobile device issued by an organization can contain both personal and
organizational data — it can be either corporate-owned or corporate-owned
personally enabled (COPE). An organization may also have a bring-your-own-device
(BYOD) option. Security and data protection policies need to be applied when there
is sensitive corporate information on a user’s device.
Select the arrows below to look at some of the ways to manage mobile devices.
(* Storage segmentation and containerization: Storage segmentation and
containerization allow you to separate personal and work content on a device. It
provides an authenticated, encrypted area that separates sensitive company
information from the user’s personal data.
Containerization also enables us to:
- Isolate apps.
- Control app functions.
- Delete container information.
- Remotely wipe the device.
* Content management: An organization needs to consider the security risks involved
in using applications that share data — for example, Dropbox, Box, Google Drive and
iCloud. An identity-management security system can be used to control what data a
user can access.
* Application management: Whitelisting allows you to digitally sign applications so
that you can authorize which applications users can install. This helps to ensure
that installed applications come from a trusted source. Authentication using strong
passwords is a best practice for those applications that require user credentials.
3.7.9 Mobile Device Protections:

Whether a mobile device is owned by the organization or is a personal device used
for work, measures need to be put in place to keep it safe from cyber threats.
Select the arrows below to learn more.

(* What are the risks? Threats to mobile devices include:
- Theft.
- Loss.
- Unauthorized access.
- Operating system risks.
- Application risks.
- Network risks.
* Jailbreaking, rooting and sideloading: Jailbreaking, rooting and sideloading are
ways of bypassing a device’s limitations to do things that the device is restricted
from doing. Users may try to jailbreak (Apple devices) or root (Android devices)
their device to run an app that is not authorized or available in the store.
Jailbreaking removes the restriction that only Apple-authorized apps may run on the
device. Rooting bypasses Android’s security architecture to allow complete,
administrative access to the device. Both pose a risk to the organization.
Solutions are available that can detect a jailbroken or rooted device. A device is
then marked as noncompliant and removed from the network or denied access to
organizational apps. Third-party app stores can also pose a risk for organizations
because the apps they provide access to have not been evaluated properly.
Sideloading occurs when the user goes around the approved app settings to install
unapproved apps. This is less invasive than jailbreaking or rooting, but it is
still a risk.
* What are the safeguards? Safeguards against mobile device threats include the
following:
- Screen locks require a password, PIN or pattern to access the device.
- Biometric authentication uses a unique physical characteristic (fingerprint,
face, iris or voice).
- Context-aware authentication uses machine learning to determine access based on a
user’s normal behavior.
- Remote wiping deletes the device’s data should the device be stolen or lost.
- Full device encryption can encrypt all data on a mobile device.)
3.7.10 GPS Tracking:

Global Positioning System (GPS) uses satellites and computers to determine the
location of a device. GPS technology is a standard feature on smartphones and
provides real-time position tracking that can pinpoint a location to within 100
meters. Many cell phone apps use GPS tracking to track the phone’s location. For
example, Facebook allows users to check in to a location, which is then visible to
people in their networks. Some apps use geofencing or geolocation, which use radio-
frequency identification (RFID) to determine a geographic area instead. Push
notifications sometimes use geolocation and geofencing too. This enables local
organizations to ‘push’ advertising messages based on a user’s location settings.
Unfortunately, increasingly savvy cyber attackers have started using push
notifications to capture data.
3.7.11 Bring Your Own Device:

Guru informs you that @Apollo is looking to implement a BYOD policy for mobile
devices. Take a look at some snippets from the policy and see if you can fill in
the blanks to ensure its accuracy.
Select the correct option to complete each sentence from the dropdown, then Submit.
In order to prevent (unauthorized) access, devices must be password protected using
the features of the device.
(A strong password) is required to access the network.
Employee (can) automatically download, install and use any app that appears on the
list of approved apps.
Smartphones and tablets that are not on the list of supported devices (are not)
allowed to connect to the network.
Employees’ access to company data is (limited) based on user profiles defined by
IT, and automatically enforced.
The organization can use (remote wiping) to delete the device’s data should the
device be stolen or lost.
Show feedback (That’s right.
In order to prevent unauthorized access, devices must be password protected using
the features of the device. A strong password is required to access the network.
Employees can automatically download, install and use any app that appears on the
list of approved apps. Smartphones and tablets that are not on the list of
supported devices are not allowed to connect to the network. Employees’ access to
company data is limited based on user profiles defined by IT and automatically
enforced. The organization can use remote wiping to delete the device’s data should
the device be stolen or lost.)
Summary
This module has demonstrated the many technologies, processes and procedures that
cybersecurity professionals use to defend the systems, devices and data that make
up a network infrastructure. But with cybercriminals constantly coming up with new
ways to spot and exploit vulnerabilities, we have to stay one step ahead. It’s time
to move on to the next module, where we will look at what you can do to defend an
organization. But before moving on, let’s check your knowledge with a short quiz.
3.8 Quiz (80%; 100%)
4. Defending the Enterprise
4.1 Embedded and Specialized Systems

To better understand the security needs of an organization like @Apollo, we first
need to look at the bigger picture… Industry sectors such as manufacturing, energy,
communication and transportation make up critical network infrastructure systems.
Protecting these is central to protecting a country’s economy. Let’s look at how
cyber attackers can target these systems and what can be done to prevent such
attacks.
4.1.1 Threats to Key Industry Sectors:

Over the last decade, cyber attacks like Stuxnet proved that malware attacks could
successfully destroy or interrupt critical infrastructures. The Stuxnet worm
targeted Supervisory Control And Data Acquisition (SCADA) systems used to control
and monitor industrial processes. SCADA and other Industrial Control Systems (ICSs)
are used in manufacturing, production, energy and communications systems. How can
cyber attacks like these impact industry sectors and what action can be taken to
prevent such attacks from occurring?
Select the image to find out.

(A cyber attack like this could bring down or interrupt vital facilities like
telecommunications, transportation systems or electrical power plants. It could
also interrupt the financial services sector.
Environments that use SCADA are vulnerable. When the SCADA architecture was first
being developed, designers did not connect it to the traditional IT environment and
the Internet. Therefore, they did not properly consider cybersecurity during the
development phase of these systems.
Now, however, organizations using SCADA systems recognize the value of data
collection to improve operations and decrease costs. The resulting trend is to
connect SCADA systems to the wider online IT infrastructure of the organization.
This increases the vulnerability of industries using SCADA systems.
To prevent attacks on these systems, you should segregate internal and external
networks to separate the SCADA network from the organization’s LAN.)
4.1.2 The Emergence of the Internet of Things

The Internet of Things (IoT) is the collection of technologies that enable various
devices to connect to the Internet. The technological evolution associated with IoT
is changing commercial and consumer environments.
IoT technologies enable people to connect billions of devices, such as cars,
industrial machines, robots, appliances, locks, motors and entertainment devices,
to name just a few. This technology affects the amount of data that needs to be
protected. As users need to access these devices remotely, they are placed online,
which increases the number of potential entry points to that local network in
general.
Moreover, with the emergence of IoT, there is much more data to be managed and
secured. All these devices, plus the expanded storage capacity and storage services
offered through the cloud and virtualization, have led to the exponential growth of
data. This data expansion created a new area of interest in technology and business
called ‘Big Data.’
4.1.3 Embedded Systems

Embedded systems capture, store and access data. They pose unique security
challenges due to their widespread adoption by both the corporate and the consumer
world. They are used in smart TVs, HVAC control systems, medical devices and even
automobiles.
Select each heading below for some advice.

* Why are embedded systems vulnerable to attack? Attacks against embedded systems
exploit security vulnerabilities in the software and hardware components. They are
susceptible to timing attacks, whereby attackers discover vulnerabilities by
studying how long it takes the system to respond to different inputs. A timing
attack is considered a side-channel attack.
This type of attack is based on information gained from the implementation of a
system, rather than on weaknesses in the software. Timing information, power
consumption, electromagnetic leaks or even sound can be that source of information.
* How can embedded systems be protected? One technique is to use System on Chip
(SoC) technology. SoC technology is a Small Form Factor (SFF) hardware module —
customer-grade examples include devices such as Raspberry Pi and Arduino. These
devices are single-board computers that can be implemented using a Field-
Programmable Gate Array (FGPA), an integrated circuit that can be programmed or
modified in the field. This means that the user can make changes after deploying
the device.
These devices have good processing power delivered in a small footprint. This
reduces power consumption, lowers cost and offers better performance than
traditional, larger components. SoC integrates a microcontroller, an application or
microprocessor, and peripherals such as a GPU, a Wi-Fi module or a coprocessor. The
processor can run an operating system such as Windows, Linux or Android.
Many of these SoC devices have poor authentication and/or they cannot be upgraded
or patched. Due to the nature of these devices, a level of implied trust is
necessary since there is no formal program in place to verify security controls.
4.1.4 The Internet of Things (IoT)

associated text.
The deployment and use of intelligent devices and sensors is one of the fastest
growing sectors of information technology. The computer industry brands this sector
as the Internet of Things (IoT).
Businesses and consumers use IoT devices to automate processes, monitor
environmental conditions and alert the user of adverse conditions. Most IoT devices
connect to a network via wireless technology. These include cameras, door locks,
proximity sensors, lights, and other sensors used to collect information about an
environment or the status of a device. Some manufacturers use IoT sensors to inform
users that parts need to be replaced, components are failing or supplies are
running out.
Select the image to learn how to secure IoT devices.

(Organizations use IoT devices to track inventory, vehicles and personnel. IoT
devices contain geospatial sensors. A user can globally locate, monitor and control
environmental variables such as temperature, humidity and lighting. IoT
applications use a Real-Time Operating System (RTOS), a small operating system that
allows for the rapid switching of tasks that focus on timing rather than
throughput. These applications run with precise timing and high reliability. RTOS
technology is found in wearables, medical devices, in-vehicle systems and home
automation devices.
The IoT industry poses a tremendous challenge to information security professionals
because many IoT devices capture and transmit sensitive information.
Vulnerabilities associated with RTOS include code injection, DoS attacks and
priority inversion (where a higher priority task is pre-empted by a lower priority
task).)
Using an IoT scanner such as Shodan is an easy way to tell whether a home
automation device is vulnerable to attack. IoT devices communicate using short-
range, medium-range or long-range methods and include cellular (4G, 5G), radio and
Zigbee. Zigbee is a wireless set of protocols for Wireless Personal Area Networks
(WPANs).
To secure IoT devices:
- Secure the wireless network.
- Know exactly which devices are communicating on your network.
- Know what each of the IoT devices on your network does.
- Install security software on devices where possible.
- Secure smartphones and mobile apps used to communicate with IoT devices.
Remote workers and teams at different @Apollo offices use Voice over IP (VoIP) to
keep in touch, hold virtual team meetings and even meet with customers. But is this
a secure way of communicating? And what can we do to improve its security?
4.1.5 VoIP Equipment

VoIP uses the Internet to make and receive phone calls.
* What equipment do you need? You need an Internet connection and a phone for VoIP.
Several options are available for the phone set:
- A traditional phone with an adapter (the adapter acts as a hardware interface
between a traditional, analog phone and a digital VoIP line).
- A VoIP-enabled phone.
- VoIP software installed on a computer.
* Is VoIP secure? Most consumer VoIP services use the Internet for phone calls.
Many organizations, though, use their private networks because they provide
stronger security and service quality. VoIP security is only as reliable as the
underlying network security. Cybercriminals target these systems to gain access to
free phone services, to eavesdrop on phone calls, or to affect performance and
availability.
* How can you protect your VoIP service? Implement the following countermeasures to
secure VoIP:
- Encrypt voice message packets to protect against eavesdropping.
- Use SSH to protect gateways and switches.
- Change all default passwords.
- Use an intrusion detection system to detect attacks such as ARP poisoning.
- Use strong authentication to mitigate registration spoofing (cybercriminals
routing all incoming calls for the victim to themselves), proxy impersonating
(tricking the victim into communicating via a rogue proxy set up by the
cybercriminals), and call hijacking (intercepting and rerouting calls to a
different path before reaching their destination).
- Implement firewalls that recognize VoIP to monitor streams and filter abnormal
signals.
When using VoIP equipment, remember that when the network goes down, voice
communications will also go down.
4.1.6 Special-Purpose Embedded Systems

Embedded systems work in a variety of industries. You can find special-purpose
embedded devices in sectors such as the medical, automotive and aviation sectors.
Select the pin icons to learn more about how embedded systems work in these
sectors.
* Medical devices: Devices such as pacemakers, insulin pumps, medical implants and
defibrillators are capable of wireless connectivity, remote monitoring and Near-
Field Communication (NFC). Vulnerabilities in these medical devices can lead to
patient safety issues, medical record leaks or the risk of granting access to the
network to cybercriminals, who will move through it in search of a target.
* Automotive: In-vehicle systems produce and store the data necessary for the
operation of the vehicle along with its maintenance, safety protection and
emergency contact transmission. Typically, a wireless interface connects to the
Internet and to a diagnostic interface on board. Many vehicles record speed,
location and braking maneuvers, and can then send the collected data to the
driver’s insurance company.
Therefore, risks to in-vehicle communications include unauthorized tracking,
wireless jamming and spoofing. To secure in-vehicle systems, implement the
following countermeasures:
- Secure system software design practices.
- Basic encryption for all communication between controllers.
- Firewall implementation.
* Aviation: An aircraft has many embedded control systems such as its flight
control system and communication system. Security issues include the use of hard-
coded logon credentials, insecure protocols and backdoors.
In the same category, Unmanned Aerial Vehicles (UAVs), more commonly called drones,
have been used in military, agricultural and cartography applications, among
others. Drones are very useful for aerial photography, surveillance and surveying.
However, drones are susceptible to hijacking, Wi-Fi attacks, GPS spoofing attacks,
jamming and deauthentication attacks, which can allow an attacker to intercept or
disable a drone and access its data.
4.1.7 Deception Technologies

Organizations use deception technologies to distract attackers from production
networks. They also use them to learn an attacker’s methods and to warn of
potential attacks that could be launched against the network. Deception adds a fake
layer to the organization’s infrastructure.
Select the images for more information about two common tactics.
* Honeypots: A honeypot is a decoy system that is configured to mimic a server in
the organization’s network. It is purposefully left exposed, to lure attackers.
When an attacker goes after the honeypot, their activities are logged and monitored
for later review. The honeypot distracts the attacker from the organization’s real
network resources.
An organization might even create a honeynet, a collection of honeypots, to mimic
its network and distract attackers. Meanwhile, honeyfiles are dummy files that
attract an attacker but do not contain any real information.
* DNS Sinkholes: A DNS sinkhole prevents the resolution of hostnames for specified
URLs and can push users away from malicious resources.
Many organizations, like @Apollo, believe that their data is safe in a private
cloud. But there are still risks. Let’s see if you can help @Apollo manage these.
4.1.8 Managing Threats to the Private Cloud

Guru has identified some potential private cloud domain threats at @Apollo and has
asked you to identify countermeasures that could be implemented to manage them.
Can you identify the appropriate countermeasure for each of the threats?

* Remote user downloaded sensitive data (Implement file transfer monitoring and
scanning)
* Unauthorized access to resources (Implement intrusion detection and prevention
systems)
* Firewall configuration error(Test inbound and outbound traffic)
* Unauthorized network probing and port scanning (Disable ping, probing and port
scanning)
* Router operating system software vulnerability (Update device with security fixes
and patches).
(That’s right. You report back that @Apollo can implement a number of measures to
manage threats to the private cloud.
- Disable ping, probing, and port scanning.
- Implement intrusion detection and prevention systems.
- Monitor inbound IP traffic anomalies.
- Update devices with security fixes and patches.
- Conduct penetration tests post-configuration.
- Test inbound and outbound traffic.
- Implement a data classification standard.
- Implement file transfer monitoring and scanning for unknown file types.
You have helped secure @Apollo’s private cloud. Good work!)
Next Up... Virtualization benefits an organization by decreasing the number of

physical machines in the IT environment.
We’ll take a look at virtualization and cloud computing next.
4.2 Virtualization and Cloud Computing
Using virtual machines and cloud storage are just some of the ways an organization
like @Apollo can save time and money. It involves moving applications and storage
away from physical devices, to the digital realm.
But what are the security risks that arise from virtualization and how can we
manage them? Let’s find out.
4.2.1 The Virtual Environment

Virtualization benefits an organization by decreasing the number of physical
machines (e.g. servers and workstations) required in the IT environment.
Select the arrows to learn about the different elements that can make up a virtual
system.
* Virtual machines: A hypervisor is a software or hardware program that allows you
to run multiple independent operating systems on one physical system. It is a key
component of virtualization. There are two virtualization methods:
- Hardware virtualization (type 1 hypervisor) — the guest operating system runs
directly on a hardware platform, under the control of the host system.
- Hosted virtualization (type II hypervisor) — an application running on the host
machine is used to create virtual machines that consist entirely of software and
contain no hardware components.
Virtual machine environments use an operating system, so they need to be patched.
Virtual machines share hardware and run with very high privileges. Be aware that an
attacker that compromises a virtual machine may be able to compromise the host
machine. (image 4.2.1.a)
* Containers: Unlike a virtual machine, a container consists of just the

application and its dependencies. A container uses an engine for operating system
emulation. Docker is an open platform that uses OS-level virtualization to deliver
software in packages (containers). You can easily move containers around and the
application will run. Specialized software such as Kubernetes allows you to manage
your containers.
If a user or application has elevated privileges within a container, the underlying
operating system can be compromised. (image 4.2.1.b)
* Virtual Desktop Infrastructure (VDI): User desktop environments can be stored

remotely on a server using thin client or virtual desktops. This makes it very easy
to quickly create, delete, copy, archive or download configurations over a network.
Desktop virtualization requires high availability and storage capacity. (image
4.2.1.c)
Be aware that there are some disadvantages associated with virtual environments. VM
sprawl occurs when too many virtualized, underutilized servers use up more
resources and space than needed for the work they are doing. It’s also important to
protect against VM escape. This happens when the virtual machine breaks out and
interacts with the host operating system.
4.2.2 Cloud-Based Technology

Cloud-based technologies enable organizations like @Apollo to access computing,
storage, software and servers through the Internet. It moves the technology
component from the organization to the cloud provider.
Let’s recap from Module 1 the three main computing service models, which are
collectively known as XaaS (‘anything as a service’). Select the pin icons to learn
more.
- Software as a Service (SaaS) allows users to access application software and
databases. Cloud providers manage the infrastructure while users store data on the
cloud provider’s servers.
- Platform as a Service (PaaS) lets an organization remotely access the development
tools and services used to deliver such applications, on a subscription basis.
- Infrastructure as a Service (IaaS) provides virtualized computing resources over
the Internet. The provider hosts the hardware, software, servers and storage
components, and the user pays for a subscription to these resources.
4.2.3 Cloud Computing

Cloud computing classifications are based on how the service models are deployed.
Select the images below to find out more about the different methods.
* Private Cloud: Also called an internal, corporate or enterprise cloud, a private
cloud is hosted on a private platform. A private cloud offers an organization more
control over its data, but it may be more expensive than other cloud services due
to infrastructure, maintenance and administration costs.
* Public CLoud: A public cloud is hosted by a service provider at an offsite
facility. Users pay a monthly or yearly usage fee to access the cloud. This option
costs the organization less for infrastructure, maintenance and administration —
however, the organization has less control over its data.
* Hybrid Cloud: A hybrid cloud combines the private and public cloud by offering
control of organizational data, which is still hosted in a public cloud.
* Community Cloud: A community cloud is a collaborative effort in which more than
one organization share and use the same platform. This type of cloud is geared
toward the needs of an industry such as healthcare or energy.
The explosion of IoT devices has led to fog and edge computing.
Fog computing distributes computing between the device and the cloud data center.
It plays a critical role in applications where milliseconds matter, such as
autonomous vehicles, airlines and manufacturing applications.
In fog computing, data is processed within an IoT gateway, or fog node, which is
situated within the local area network. In edge computing, the data is processed on
the device or sensor without being transferred to a data center.
4.2.4 Managing Threats to the Public Cloud

Guru has asked for your help. There have been some threats to the public cloud used
by @Apollo. Can you identify some countermeasures that could be put in place to
address public cloud domain threats?

* A user has been tricked into giving access to a confidential cloud folder (Run a
security awareness program)
* Sensitive data has been lost from cloud storage (Back up data)
* Data stored on the cloud has been copied (Use encryption)
* There are credit card processing compliance violations (Put compliance policies
in place)
(That’s right. You have correctly identified countermeasures that can help manage
threats to the public domain.
Let’s take a closer look at how these and other countermeasures can help @Apollo.
- Multifactor authentication protects against data breaches, compromised login
credentials, use of federated identity repositories and account hijacking.
- Encryption protects against data breaches, loss or theft of data and compromised
login credentials.
- One-time passwords, phone-based authentication and smartcards protect against
data breaches, compromised login credentials and account hijacking.
- Distributing data and applications across multiple zones prevents data loss.
- Data backup procedures protect against loss or theft of data.
- Due diligence protects against loss or theft of data, lack of understanding on
the part of the organization and compliance violations.
- Security awareness programs protect against user errors, including social
engineering attacks that lure the victim.
Compliance policies protect against compliance violations.)
Next Up... Effective account management is critical in protecting sensitive

information, ensuring that users have access to resources on a ‘need to know’
basis. We will look at this in more detail next.
4.3 Account Management

The network administrator plays an important role in the security of the system.
They ensure that every user in the organization has an account type that is
appropriate to their role. This means users can only access and modify data on a
‘need to know’ basis, which helps manage security or compliance risks.
For example, @Apollo issues the following type of accounts:
• User account — used for day-to-day use of system resources.
• Service accounts — used for interaction with the operating system.
• Guest accounts — used for temporary users who might need to access installed
applications.
Scroll down to learn how proper management of accounts and permissions can help
secure sensitive information and resources.
4.3.1 Account Types

An organization should not share accounts for privileged users, administrators or
applications. The administrator account should only be used to administer a system.
If a user accesses a malware-infected website or opens a malicious email while
using the administrator account, this would put the organization at risk.
Administrators must be aware of the default group and user accounts that might be
installed by an operating system. Knowing about these accounts will help an
administrator decide which should be permitted and which of these accounts should
be disabled.
This is because default accounts such as the guest or administrator account can be
a security risk in older systems as attackers are familiar with the default
settings used. To improve security, always replace any default accounts and make
sure that all account types require a password.
Select the image to learn about good practices for account management.
It’s important to properly manage accounts to maintain security.
- On hiring a new employee, create an identity profile, register the employee’s
computer and mobile devices, and enable access to the organization’s network. As
the Identity Provider (IdP), the organization is responsible for authenticating
their identity.
- Disable or deactivate any accounts that are no longer needed and retrieve any
organizational data or applications from the user’s devices.
-Grant a user no more access than is necessary to perform assigned tasks (least
privilege).
- Review user access to identify any access control adjustments that need to be
made.
- Use time of day restrictions to control when a user can log in.
- Use location restrictions to control where a device or user can log in from.
• Geofencing is used to trigger an action when a user enters or exits a geographic
boundary.
• Geolocation identifies a device based on its geographic location.
• Geotagging adds an identifier to something based on the location (like a photo
taken on a smartphone tagged with the coordinates of where the photo was taken).
4.3.2 Privileged Accounts
Cybercriminals target privileged accounts. Why? Because these are the most powerful
accounts in the organization with elevated, unrestricted access to systems.
Administrators use these accounts to deploy and manage operating systems,
applications and network devices.
Organizations should adopt robust practices for securing privileged accounts.
- Identify and reduce the number of privileged accounts.

- Enforce the principle of least privilege. The principle means that users,
systems, and processes only have access to resources (networks, systems and files)
that are absolutely necessary to perform their assigned function.
- Revoke access rights when employees leave or change jobs.
- Eliminate shared accounts with passwords that do not expire.
- Secure password storage.
- Eliminate shared credentials for multiple administrators.
- Automatically change privileged account passwords every 30 or 60 days.
- Record privileged sessions.
- Implement a process to change embedded passwords for scripts and service
accounts.
- Log all user activity.
- Generate alerts for unusual behavior.
- Disable inactive privileged accounts.
- Use multi-factor authentication for all administrative access.
- Implement a gateway between the end user and sensitive assets to limit network
exposure to malware.
Continuously securing and locking down privileged accounts is critical to the

security of the organization. Regularly evaluate this process and make adjustments
to improve protection.
4.3.3 File Access Control

Let’s take a closer look at how permissions can help secure data.
Permissions are rules configured to limit folder or file access for an individual
or a group. Users should be limited to only the resources they need on a computer
system or network. For example, they should not be able to access all files on a
server if they only need access to a single folder. It may be easier to provide
access to the entire drive, but it is more secure to limit access to only the
folder they need. This is the principle of least privilege and closely connected to
the concept of ‘need to know’ access. Limiting access to resources also prevents
cybercriminals from accessing those resources if the user’s computer becomes
infected.
Select the headings to learn more about the permission levels that are available
for files and folders.
* Full control. Users can:

- See the contents of a file or folder.
- Change and delete existing files and folders.
- Create new files and folders.
- Run programs in a folder.
* Modify. Users can change and delete existing files and folders but cannot create
new ones.
* Read and execute. Users can see the contents of existing files and folders and
can run programs in a folder.
* Write. Users can create new files and folders and make changes to existing files
and folders.
* Read. Users can see the contents of a folder and open files and folders.
If an administrator denies an individual or group permissions to a network share,

this will override any other permission settings. For example, if the admiistrator
denies someone permission to a network share, the user cannot access that share,
even if the user is the administrator or part of the administrator group. The local
security policy must outline the resources and the type of access allowed for each
user and group.
After parent folder permissions have been set, folders and files created inside the
parent folder inherit its permissions. The location of data and the action
performed on it also determine the permission propagation:
- Data moved to the same volume will keep the original permissions.
- Data copied to the same volume will inherit new permissions.
- Data moved to a different volume will inherit new permissions.
- Data copied to a different volume will inherit new permission.
4.3.4 Do You Have Permission?

An @Apollo employee has asked for your advice. They want members of their team to
be able to view existing project documents in a shared folder. However, to keep
consistency in the files, they do not want them to be able to edit, create or
delete any documents in this folder. What permission level do you recommend that
they grant the team?

(Read and Execute.
That’s right! Changing the permission of the folder to read and execute will enable
members of the team to view project documents in the folder. It’s important to note
that when changing the permissions of a folder, you also have the option to apply
the same permissions to all subfolders. Called permission propagation, this is an
easy way to change the permissions of many files and folders quickly.)
4.3.5 Account Policies in Windows

In most networks that use Windows computers, an administrator configures Active
Directory with domains on a Windows server. Windows computers that join the domain
become domain members.
The administrator configures a domain security policy that applies to all domain
members. For example, account policies are automatically set when a user logs in to
Windows.
When a computer is not part of an Active Directory domain, the user configures
policies through Windows Local Security Policy. In all versions of Windows except
Home edition, enter ‘secpol.msc’ at the Run command to open the Local Security
Policy tool.
Select the arrows to find out more about configuring security policies.
* Password Policy: An administrator can configure user account policies such as
password policies and lockout policies.
In the example shown, users must change their passwords every 90 days and use each
new password for at least one day. Passwords must contain eight characters and
three of the following four categories: uppercase letters, lowercase letters,
numbers and symbols. Lastly, the user can reuse a password after 24 unique
passwords. This is just an example; different password policies can be set,
depending on organizational requirements and needs. (image depicting a 'Local
Security Policy' window)
* Account Lockout Policy: An account lockout policy locks an account for a set
duration when too many incorrect login attempts occur. For example, the policy
shown here allows the user to enter the wrong username and/or password five times.
After five attempts, the account locks users out for 30 minutes. After 30 minutes,
the number of attempts resets to zero and the user can attempt to log in again.
* Audit Policies
More security settings are available by selecting the ‘local policies’ folder in
Windows. An audit policy creates a security log file used to track the following
events: Account logon events; Audit account management; Directory service Access;
Object Access; Policy changes; Privilege use; Process tracking; System events.
4.3.6 Authentication Management

Authentication and authorization issues include unencrypted credentials, incorrect
permissions and access violations. But how do you keep cybercriminals out while
still making it easy for authorized users to log in? Authentication management aims
to ensure secure sign in while still providing ease of use.
- A Single Sign On (SSO) solution allows the user to use one set of login
credentials to authenticate across multiple applications. This way, the user only
needs to remember one strong password.
- OAuth is a standard that enables a user’s account information to be used by
third-party services such as Facebook or Google.
- A password vault can protect and store the user’s credentials with a single
strong password required to access them.
- Many organizations implement Knowledge-Based Authentication (KBA) to provide a
password reset should a user forget their password. KBA is based on personal
information known by the user or a series of questions.
It’s important to maintain security when authorizing web users, devices and
applications. Let’s take a look.
4.3.7 Hash-Based Message Authentication Code (HMAC)

Hash-Based Message Authentication Code (HMAC) uses an encryption key with a hash
function to authenticate a web user. Many web services use basic authentication,
which does not encrypt the username and password during transmission. Using HMAC,
the user sends a private key identifier and an HMAC. The server looks up the user’s
private key and creates an HMAC. The user’s HMAC must match the one calculated by
the server.
VPNs using IPsec rely on HMAC functions to authenticate the origin of every packet
and provide data integrity checking.
Select the image below to find out how Cisco products use hashing.
Cisco products use hashing for entity authentication, data integrity and data
authenticity purposes.
- Cisco IOS routers use hashing with secret keys in an HMAC-like manner to add
authentication information to routing protocol updates.
- IPsec gateways and clients use hashing algorithms, such as MD5 and SHA-1 in HMAC
mode, to provide packet integrity and authenticity.
- Cisco software images on Cisco.com have an MD5-based checksum available so that
customers can check the integrity of downloaded images.
The word ‘entity’ can refer to any device or system within an organization.
4.3.8 Authentication Protocols and Technologies

An authentication protocol authenticates data between two entities to prevent
unauthorized access. A protocol outlines the type of information that needs to be
shared in order to authenticate and connect.
Select the headings to find out more about secure protocols.

* Extensible Authentication Protocol (EAP): A password from the client is sent
using a hash to the authentication server. The authentication server has a
certificate (the client does not need a certificate).
* Password Authentication Protocol (PAP): A username and password are sent to a
remote access server in plaintext. Most network operating system remote servers
support PAP.
* Challenge Handshake Authentication Protocol (CHAP): CHAP validates the identity

of remote clients using a one-way hashing function created by the client. The
service also calculates the expected hash value. The server (the authenticator)
compares the two values. If the values match, the transmission continues. CHAP also
periodically verifies the identity of the client during the transmission.
* 802.1x: An organization authenticates your identity and authorizes access to the

network. Your identity is determined based on credentials or a certificate which is
confirmed by a RADIUS server.
* RADIUS: When simple username/password authentication is needed, use RADIUS to

either accept or deny access. RADIUS only encrypts the user’s password from the
RADIUS client to the RADIUS server. The username, accounting and authorized
services are transmitted in cleartext. When RADIUS is integrated into a product,
security measures that protect against replay attacks are necessary.
* TACACS+: TACACS+ uses TCP as its transport protocol. TACACS+ encrypts all of the
data (username, password, accounting and authorized services) between the client
and the server. Since network administrators can define ACLs, filters and user
privileges, TACACS+ is a better choice for corporate networks requiring more
sophisticated authentication steps and control over authorization activities.
* Kerberos: Kerberos uses strong encryption, requesting a client to prove its

identity to a server, with the server in turn authenticating itself to the client.
The Kerberos server contains user IDs and hashed passwords for all users that will
have authorizations to realm services. The Kerberos server also has shared secret
keys with every server to which it will grant access tickets. The basis for
authentication in a Kerberos environment is the ticket. Tickets are used in a two-
step process with the client. The first ticket is a ticket-granting ticket issued
by the authentication service to a requesting client. The client can then present
this ticket to the Kerberos server with a request for a ticket to access a specific
server.
This client-to-server ticket (aka service ticket) is used to gain access to a
server’s service. Since the entire session can be encrypted, this eliminates the
inherently insecure transmission of items (such as passwords) that can be
intercepted on the network. Tickets are timestamped and expire, so any attempt to
reuse a ticket will not be successful.
4.3.9 Configure Site-to-Site VPN:

In this Packet Tracer, you will learn how to:
- Verify connectivity between branch and HQ locations.
- Create and verify site-to-site VPN.
Now, get a real-world, hands on experience by downloading the Packet Tracer file on
your own laptop or desktop computer and following the instructions.
Download the 4.3.9 Packet Tracer - Configure Site-to-Site VPN.pka and the 4.3.9
Packet Tracer - Configure Site-to-Site VPN - Answer Key.pdf for instructions. (Both
downloaded)
4.3.10 Applications of Cryptographic Hash Functions

As we have seen previously, cryptographic hash functions help us to ensure data
integrity and verify authentication. Cryptographic hash functions are used in the
following situations:
- To provide proof of authenticity when used with a symmetric secret authentication
key such as IP security (IPsec) or routing protocol authentication.
- To provide authentication by generating one-time and one-way responses to
challenges in authentication protocols.
- To provide message integrity check proof (such as those used in digitally signed
contracts) and Public Key Infrastructure (PKI) certificates (like those accepted
when accessing a secure website).
When choosing a hashing algorithm, use SHA-256 or higher, as they are currently the
most secure. Avoid SHA-1 and MD5 due to security flaws that have been discovered.
While hashing can detect accidental changes, it cannot guard against deliberate
changes and is therefore vulnerable to man-in-the-middle attacks.
4.3.11 Access Control Strategies

Access control strategies enable an organization to grant or restrict access to a
network device or data.
Select the headings to find out more about some common strategies.
* Mandatory access control: Mandatory access control restricts the actions that a
user can perform on an object (such as a file, a port or a device). An
authorization rule enforces whether a user can access the object. Organizations use
mandatory access control where different levels of security classifications exist.
Every object has a label, and every user has a clearance. A mandatory access
control system restricts a user based on the security classification of the object
and the label attached to the user.
* Discretionary access control: In systems that employ discretionary access

controls, the owner of an object can decide which users can access that object and
what specific access they may have. Permissions and access control lists can be
used to implement discretionary access control. The owner of a file can specify
what permissions (such as read, write, or execute) other users may have. An access
control list uses rules to determine what traffic can enter or exit a network.
* Role-based access control: Role-based access control depends on the role or job
function of the user. Specific roles require permissions to perform certain
operations and users acquire permissions through their role. Role-based access
control can work in combination with discretionary access controls or mandatory
access controls by enforcing the policies of either one. Role-based access control
helps to implement security administration in large organizations with hundreds of
users and thousands of possible permissions. Organizations widely accept the use of
role-based access control to manage computer permissions within a system, or
application, as a best practice.
* Rule-based access control: Rule-based access control uses access control lists to
help determine whether to grant access. A series of rules is contained in the
access control list and the decision to grant access depends on these rules. For
example, a rule stating that no employee may have access to the payroll file after
hours or on weekends. As with mandatory access control, users cannot change the
access rules. Importantly, organizations can combine rule-based access control with
other strategies for implementing access restrictions. For example, mandatory
access control methods can utilize a rule-based approach for implementation.
4.3.12 Gaining Access

Access control plays an important role in the security of @Apollo.
Can you identify which access control strategy is being used in each of the
examples below? Match each scenario to the correct access control strategy.
- No employee can access the @Apollo payroll file after hours or on weekends (Rule-
based access control)
- The @Apollo Company Finance Report is classified as highly sensitive and can only
be accessed by senior managers who have highly-sensitive data clearance (Mandatory
access control)
- The Finance Manager sets permissions so the team lead can access their report to
add data (Discretionary access control)
- Only HR Managers can access files relating to @Apollo employee contracts (Role-
based access control)
(That’s right.
- A rule that no employee can access the @Apollo payroll file after hours or on
weekends is an example of rule-based access control.
- Specifying that only HR Managers can access files relating to employee contracts
is an example of role-based access control.
- The Finance Manager setting permissions so the team lead can access their report
to add data is an example of discretionary access control.
- The @Apollo Company Finance Report is classified as highly sensitive and can only
be accessed by senior managers who have highly-sensitive data clearance. This is an
example of mandatory access control.)
Next Up...
Encryption is used by many organizations to secure and protect sensitive
information stored on their internal or cloud-based systems. It is also used to
protect information that is sent via digital communications. We'll look at this in
more detail next.
4.4 Cryptography in the Enterprise
Cryptography is an important tool in securing your systems against cybercrime.

Digital signatures and digital certificates can ensure the confidentiality of data
and prevent unauthorized access or modification. Let’s take a closer look, starting
with digital certificates, which provide the same functionality as handwritten
signatures in proving the authorship of a document.
4.4.1 What Is a Digital Signature?

Unprotected digital documents are very easy for anyone to change. A digital
signature is a mathematical method used to check the authenticity and integrity of
a message, digital document or software. A digital signature can flag whether
someone has edited a document after the user signed it.
In many countries, digital signatures have the same legal standing as a manually
signed document. Electronic signatures are binding for contracts, negotiations or
any other document requiring a handwritten signature. In these cases, an audit
trail tracks the electronic document’s history for regulatory and legal defense
purposes.
A digital signature helps to establish authenticity, integrity and nonrepudiation.
Digital signatures have specific properties that enable entity authentication and
data integrity, making them an alternative to HMAC.
4.4.2 Creating a Digital Signature

Digital signatures use asymmetric cryptography. A public key algorithm like RSA
generates two mathematically related keys: one private and one public.
But how is a digital signature created? Let’s look at an example to find out.
Alice wants to send Bob an email that contains important information about the
rollout of a new @Apollo product. Alice wants to make sure that Bob knows that the
message came from her, and that the message did not change after she sent it.
Select the arrows to learn how a digital signature works in this case.
- Create a message and encrypt it with a private key: Alice creates the message
along with a digest of the message. She then encrypts this digest with her private
key.
- Send the encrypted message with a public key: Alice bundles the message, the
encrypted message digest and her public key together to create the signed document.
Alice sends this to Bob.
- Read the encrypted message using the public key: Bob receives the message and
reads it. To make sure that the message came from Alice, he creates a message
digest. He takes the encrypted message digest received from Alice and decrypts it
using Alice’s public key. Bob compares the message digest received from Alice with
the one he generated. If they match, Bob knows that he can trust that no one
tampered with the message.
4.4.3 Use Classic and Modern Encryption Algorithms

This is a media player component. Select the play / pause button to watch or
listen.
In this Lab, you will learn how to:
- Use a classic encryption algorithm.
- Use a modern symmetrical encryption algorithm.
- Use a modern asymmetrical encryption algorithm.
practicing this activity on your own laptop or desktop computer.
Download the 4.4.3 Lab - Use Classic and Modern Encryption Algorithms - Answer
Key.pdf for instructions. (Donwnloaded)

Cybersecurity Essentials

Uploaded by

Copyright:

Available Formats

Cybersecurity Essentials

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cybersecurity Essentials

Uploaded by

Copyright:

Available Formats

CYBERSECURITY ESSENTIALS

1. Cybersecurity Threats, Vulnerabilities and Attacks

1.1 Common Threats

1.1.1 Threat Domains

Select the image to reveal some examples.

Cybersecurity professionals can also use these domains to perform an analysis of an

1.1.2 Types of Cyber Threats

1.1.3 Internal vs External Threats

1.1.4 Know the Difference

(activity in 6 steps 6/6)

1.1.5 User Threats and Vulnerabilities

1.1.7 Threats to the Local Area Network

1.1.8 Threats to the Private Cloud

1.1.9 Threats to the Public Cloud

1.1.10 What Do You Think?

1.1.11 Threats to Applications

1.1.12 Domain Checker

Otherwise: That’s not right. Let’s recap.

1.1.13 Threat Complexity

An advanced persistent threat (APT) is a continuous attack that uses elaborate

As the name suggests, algorithm attacks take advantage of algorithms in a piece of

1.1.14 Backdoors and Rootkits

Rootkits: This malware is designed to modify the operating system to create a

1.1.15 Threat Intelligence and Research Sources

1.1.16 Install a Virtual Machine on a Personal Computer

1.1.17 Explore Social Engineering Techniques

Next Up... Once a cybercriminal understands the vulnerabilities of a device, system

1.2.1 Social Engineering

1.2.2 Social Engineering Tactics

Select the headings to find out what these are.

Remember that cybercriminals’ repertory is vast and ever-evolving. Sometimes, they

1.2.3 Watch Out!

Select the correct answer, then Submit.

Otherwise: That’s not right. Let’s recap.

1.2.4 Shoulder Surfing and Dumpster Diving

1.2.5 Impersonation and Hoaxes

Select the images to find out more.

1.2.6 Piggybacking and Tailgating

1.2.7 Other Methods of Deception

1.2.8 Spot the Attack

Select an option from each of the dropdowns, then Submit.

1.2.9 Defending Against Deception

1.2.10 Use a Port Scanner to Detect Open Ports

1.3 Cyber Attacks

1.3.1 What's the Difference?

Worms: A worm is a malicious software program that replicates by independently

1.3.2 Logic Bombs:

1.3.4 Denial of Service Attacks:

Maliciously formatted packets: A packet is a collection of data that flows between

1.3.5 Domain Name System:

Domain hijacking: When an attacker wrongfully gains control of a target’s DNS

Uniform Source Location (URL): A uniform resource locator (URL) is a unique

1.3.6 Build a Home Network:

1.3.7 Layer 2 Attacks:

(Spoofing: Spoofing, or poisoning, is a type of impersonation attack that takes

1.3.8 Spot the Attack:

Select the correct answer, then Submit.

1.3.9 Man-in-the-Middle and Man-in-the-Mobile Attacks:

Man-in-the-Mobile (MitMo): A variation of man-in-the-middle, MitMo is a type of