Security Basics

Background Information

How the Domain Name System (DNS) Works

The Domain Name System (DNS) is an important part of the internet, providing a way to map names (the website you're seeking) to numbers (the IP address of that website).

Reference: https://www.verisign.com/en_US/website-presence/online/how-dns-works/index.xhtml
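The name-to-number lookup described above, at the wire-protocol level, as an added example that is not part of the original page. The code builds the query a resolver would send for www.example.com and then parses a reply that is constructed locally; no packet leaves the machine, and the answer address 93.184.216.34 and the 300-second TTL are made-up demonstration values. The message layout (12-byte header, length-prefixed labels, 0xC0xx compression pointers) follows RFC 1035.

```python
import struct
from typing import Dict, List, Tuple

# Constructed example: every message here is built in memory; nothing is sent over the network.

def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Header (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) + one question.
    Flags 0x0100 = standard query with Recursion Desired. qtype 1 = A record, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels: List[str] = []
    jumped, end = False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # the pointer itself is 2 bytes long
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes) -> Dict[str, object]:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: 4-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """The reply a resolver would send: same ID, flags 0x8180 (response, RD, RA), one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    # The answer's NAME is a compression pointer to offset 12, where the question's QNAME sits.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(parse_response(constructed_response(q, "93.184.216.34")))
```

A real resolver additionally checks that the reply's ID and question match the outstanding query; that matching is the only thing standing between an off-path attacker and a spoofed answer, which is why a 16-bit ID alone is not enough and source-port randomization matters.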

TCP Connection Establishment Process: The "Three-Way Handshake"

The normal process of establishing a connection between a TCP client and server involves three steps: the client sends a SYN message; the server sends a message that combines an ACK for the client’s SYN and contains the server’s SYN; and then the client sends an ACK for the server’s SYN. This is called the TCP three-way handshake.

Reference: http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-3.htm
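The three steps above as a small state machine with both sides' segments, added here as an example; it is not code from the original page or the referenced guide. Addresses and ports are omitted and the initial sequence numbers (ISNs) are chosen by the caller for readability; everything else follows the handshake as described. The server accepts the final ACK only if it acknowledges exactly its own SYN, which is the check that makes blind ACK spoofing hard, and a server that never receives that ACK stays half-open in SYN-RECEIVED, which is what a SYN flood exhausts.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around

@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False

    def flags(self) -> str:
        return "+".join(f for f, on in (("SYN", self.syn), ("ACK", self.ack_flag)) if on) or "-"

@dataclass
class Endpoint:
    name: str
    isn: int = field(default_factory=lambda: random.getrandbits(32))  # initial sequence number
    state: str = "CLOSED"
    snd_nxt: int = 0   # next sequence number we will send
    rcv_nxt: int = 0   # next sequence number we expect from the peer

def server_listen(s: Endpoint) -> None:
    s.state = "LISTEN"

def client_connect(c: Endpoint, server: str) -> Segment:
    """Step 1: the client sends SYN carrying its ISN. The SYN itself consumes one sequence number."""
    c.state = "SYN-SENT"
    c.snd_nxt = (c.isn + 1) & MASK
    return Segment(c.name, server, seq=c.isn, ack=0, syn=True)

def server_handle(s: Endpoint, seg: Segment) -> Optional[Segment]:
    if s.state == "LISTEN" and seg.syn and not seg.ack_flag:
        # Step 2: SYN-ACK, acknowledging the client's SYN (ISN + 1) and carrying the server's own SYN.
        s.state = "SYN-RECEIVED"
        s.rcv_nxt = (seg.seq + 1) & MASK
        s.snd_nxt = (s.isn + 1) & MASK
        return Segment(s.name, seg.src, seq=s.isn, ack=s.rcv_nxt, syn=True, ack_flag=True)
    if s.state == "SYN-RECEIVED" and seg.ack_flag and not seg.syn:
        # Only an ACK that acknowledges exactly our SYN completes the handshake;
        # a guessed or spoofed acknowledgement number is rejected.
        if seg.ack != s.snd_nxt or seg.seq != s.rcv_nxt:
            raise ValueError(f"{s.name}: bad ACK (ack={seg.ack}, expected {s.snd_nxt})")
        s.state = "ESTABLISHED"
        return None
    raise ValueError(f"{s.name}: unexpected {seg.flags()} segment in state {s.state}")

def client_handle(c: Endpoint, seg: Segment) -> Segment:
    if c.state == "SYN-SENT" and seg.syn and seg.ack_flag:
        if seg.ack != c.snd_nxt:
            raise ValueError(f"{c.name}: SYN-ACK does not acknowledge our SYN")
        # Step 3: ACK the server's SYN; the client side is now established.
        c.state = "ESTABLISHED"
        c.rcv_nxt = (seg.seq + 1) & MASK
        return Segment(c.name, seg.src, seq=c.snd_nxt, ack=c.rcv_nxt, ack_flag=True)
    raise ValueError(f"{c.name}: unexpected {seg.flags()} segment in state {c.state}")

def handshake(client: Endpoint, server: Endpoint) -> List[Segment]:
    """Run the full three-way handshake and return the three segments in order."""
    server_listen(server)
    syn = client_connect(client, server.name)
    syn_ack = server_handle(server, syn)
    ack = client_handle(client, syn_ack)
    server_handle(server, ack)
    return [syn, syn_ack, ack]

if __name__ == "__main__":
    c, s = Endpoint("client", isn=1000), Endpoint("server", isn=5000)
    for seg in handshake(c, s):
        print(f"{seg.src} -> {seg.dst}: {seg.flags()} seq={seg.seq} ack={seg.ack}")
    print(c.state, s.state)
```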

DHCP Overview

The Dynamic Host Configuration Protocol (DHCP) is based on the Bootstrap Protocol (BOOTP), which provides the framework for passing configuration information to hosts on a TCP/IP network. DHCP adds the capability to automatically allocate reusable network addresses and configuration options to Internet hosts.

The main advantage of DHCP compared to BOOTP is that DHCP does not require that the DHCP server be configured with all MAC addresses of all clients. DHCP defines a process by which the DHCP server knows the IP subnet in which the DHCP client resides, and it can assign an IP address from a pool of valid IP addresses in that subnet. Most of the other information that DHCP might supply, such as the default router IP address, is the same for all hosts in the subnet so DHCP servers can usually configure information per subnet rather than per host. This functionality reduces network administration tasks compared to BOOTP.

BOOTP relay agents eliminate the need for deploying a DHCP server on each physical network segment.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/dhcp-overview.pdf
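The two points above (addresses allocated from a per-subnet pool without per-client MAC configuration, and relay agents letting one server serve several segments) as an added example; this is not the page's or Cisco's code. The four-message DISCOVER/OFFER/REQUEST/ACK exchange is collapsed to "discover, get an offer", and the subnets, pools and option values are a constructed configuration. The server picks the pool from the relay agent's address (giaddr) when one is present, or from its own subnet when the request arrived directly, and a released address is handed out again.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Subnet:
    network: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    options: Dict[str, str]   # per-subnet options (router, DNS, lease time) shared by every host on it
    leases: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)  # client MAC -> leased address

class DhcpServer:
    """Minimal allocator: one server, several subnets, relay agents forwarding from remote segments."""

    def __init__(self, server_ip: str, subnets: List[Subnet]):
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.subnets = subnets

    def select_subnet(self, giaddr: str) -> Subnet:
        # giaddr 0.0.0.0 means the DISCOVER arrived directly, so the client is on the server's own
        # subnet; otherwise giaddr is the relay agent's address on the client's segment, which is
        # how the server learns which pool the client belongs to.
        key = self.server_ip if giaddr == "0.0.0.0" else ipaddress.IPv4Address(giaddr)
        for s in self.subnets:
            if key in s.network:
                return s
        raise LookupError(f"no subnet configured for {key}")

    def offer(self, mac: str, giaddr: str = "0.0.0.0") -> Dict[str, str]:
        """Answer a DISCOVER with an OFFER. Nothing about the client's MAC needs to be configured
        in advance: any free address from the subnet's pool will do, and a returning client
        gets the address it already holds."""
        s = self.select_subnet(giaddr)
        ip = s.leases.get(mac)
        if ip is None:
            in_use = set(s.leases.values())
            for n in range(int(s.pool_start), int(s.pool_end) + 1):
                cand = ipaddress.IPv4Address(n)
                if cand not in in_use:
                    ip = cand
                    break
            else:
                raise RuntimeError(f"pool exhausted in {s.network}")
            s.leases[mac] = ip
        return {"yiaddr": str(ip), "subnet_mask": str(s.network.netmask), **s.options}

    def release(self, mac: str, giaddr: str = "0.0.0.0") -> None:
        """DHCPRELEASE (or lease expiry): the address goes back to the pool for reuse."""
        self.select_subnet(giaddr).leases.pop(mac, None)

def build_demo_server() -> DhcpServer:
    # Constructed configuration: the server lives on 10.0.0.0/24; 10.0.1.0/24 is reached through
    # a relay agent at 10.0.1.1 and has a deliberately tiny two-address pool.
    return DhcpServer("10.0.0.2", [
        Subnet(ipaddress.ip_network("10.0.0.0/24"),
               ipaddress.ip_address("10.0.0.100"), ipaddress.ip_address("10.0.0.199"),
               {"router": "10.0.0.1", "dns": "10.0.0.53", "lease_time": "86400"}),
        Subnet(ipaddress.ip_network("10.0.1.0/24"),
               ipaddress.ip_address("10.0.1.100"), ipaddress.ip_address("10.0.1.101"),
               {"router": "10.0.1.1", "dns": "10.0.0.53", "lease_time": "86400"}),
    ])

if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.offer("aa:bb:cc:00:00:01"))
    print(srv.offer("aa:bb:cc:00:00:02", giaddr="10.0.1.1"))
```

Note what this also shows about trust: the server believes giaddr and the client's MAC as presented. Nothing in the protocol itself authenticates either, which is why a rogue client can drain a pool and a rogue server on the segment can hand out its own "router" option.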

Cryptography - A General Overview

Reference: http://adeptus-mechanicus.com/codex/gencrypt/gencrypt.html

Address Resolution Protocol Tutorial, How ARP work, ARP Message Format

Address Resolution Protocol (ARP) is used to resolve the layer 2 MAC address of the receiver (the destination MAC address) from its known layer 3 IPv4 address: the sender broadcasts a request for the IP address and the owner replies with its MAC address.

Reference: https://www.omnisecu.com/tcpip/address-resolution-protocol-arp.php
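The ARP message format and the request/reply exchange as an added example, not code from the original page or the referenced tutorial. The 28-byte Ethernet/IPv4 packet layout is that of RFC 826; the MAC and IP addresses are constructed. The small cache on the host side also adds a caveat the protocol itself lacks: a reply is learned only if the host actually asked, and anything else is logged instead of trusted, because accepting unsolicited replies is exactly how ARP spoofing poisons a cache.

```python
import struct
from typing import Dict, List, Optional

# RFC 826 on Ethernet/IPv4: HTYPE(2) PTYPE(2) HLEN(1) PLEN(1) OPER(2) SHA(6) SPA(4) THA(6) TPA(4) = 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET, PTYPE_IPV4, OP_REQUEST, OP_REPLY = 1, 0x0800, 1, 2
ZERO_MAC = "00:00:00:00:00:00"

def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """SHA/SPA: sender hardware/protocol address; THA/TPA: target hardware/protocol address."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_to_bytes(sha), ip_to_bytes(spa), mac_to_bytes(tha), ip_to_bytes(tpa))

def parse_arp(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}

class ArpCache:
    """Host-side view: sends requests, answers requests for its own address, learns from replies."""

    def __init__(self, my_mac: str, my_ip: str):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.table: Dict[str, str] = {}   # IP -> MAC
        self.pending: set = set()         # IPs we have an outstanding request for
        self.alerts: List[str] = []

    def request(self, target_ip: str) -> bytes:
        """'Who has target_ip? Tell my_ip.' Sent to the broadcast MAC; THA is zero in a request."""
        self.pending.add(target_ip)
        return build_arp(OP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, target_ip)

    def handle(self, pkt: bytes) -> Optional[bytes]:
        """Process one ARP packet; returns a reply packet when we are the target of a request."""
        a = parse_arp(pkt)
        if a["oper"] == OP_REQUEST:
            if a["tpa"] == self.my_ip:
                return build_arp(OP_REPLY, self.my_mac, self.my_ip, str(a["sha"]), str(a["spa"]))
            return None
        ip, mac = str(a["spa"]), str(a["sha"])
        if ip not in self.pending:
            # Strict policy (added caveat, stricter than most OS stacks, which also accept
            # gratuitous ARP): unsolicited replies are logged, never learned.
            self.alerts.append(f"unsolicited ARP reply: {ip} is-at {mac}")
            return None
        if ip in self.table and self.table[ip] != mac:
            self.alerts.append(f"mapping changed: {ip} {self.table[ip]} -> {mac}")
        self.table[ip] = mac
        self.pending.discard(ip)
        return None

if __name__ == "__main__":
    host = ArpCache("02:00:00:00:00:01", "192.168.1.10")
    gateway = ArpCache("02:00:00:00:00:fe", "192.168.1.1")
    reply = gateway.handle(host.request("192.168.1.1"))
    host.handle(reply)
    print(host.table, host.alerts)
```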

IP Addressing and Subnetting for New Users

Subnetting allows you to create multiple logical networks that exist within a single Class A, B, or C network. If you do not subnet, you are only able to use one network from your Class A, B, or C network, which is unrealistic.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
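Subnetting worked through with the standard library, as an added example that is not from the page or the Cisco article: a /24 is carved into /26 subnets and each one's network, mask, first and last usable host and broadcast address are listed; a second helper answers the everyday question "are these two hosts on the same subnet?", and a third picks the longest prefix that still fits a required number of hosts. The addresses are constructed; the arithmetic is the ordinary one (network and broadcast addresses are not assignable, so a /n subnet has 2^(32-n) - 2 usable hosts).

```python
import ipaddress
from typing import Dict, List

def subnet_plan(network: str, new_prefix: int) -> List[Dict[str, object]]:
    """Carve one network into equal-sized subnets and describe each."""
    net = ipaddress.ip_network(network, strict=True)   # strict: host bits must be zero
    if not net.prefixlen < new_prefix <= 30:
        raise ValueError("new prefix must be longer than the parent's and leave at least 2 usable hosts")
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        rows.append({
            "network": str(sub.network_address),
            "prefix": sub.prefixlen,
            "mask": str(sub.netmask),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": sub.num_addresses - 2,   # network and broadcast are not assignable
        })
    return rows

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses AND to the same network under the given mask."""
    a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return a == b

def prefix_for_hosts(hosts_needed: int) -> int:
    """Longest prefix (smallest subnet) that still leaves hosts_needed usable addresses."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts_needed:
            return prefix
    raise ValueError("more hosts than fit in any IPv4 subnet")

if __name__ == "__main__":
    for row in subnet_plan("192.168.1.0/24", 26):
        print(row)
    print(same_subnet("10.0.0.5", "10.0.0.130", "255.255.255.128"))
    print(prefix_for_hosts(50))
```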

Network Address Translation (NAT)

The idea of NAT is to allow multiple devices to access the Internet through a single public address. To achieve this, a private IP address has to be translated to a public IP address. Network Address Translation (NAT) is a process in which one or more local IP addresses are translated into one or more global IP addresses, and vice versa, in order to provide Internet access to the local hosts.

Reference: https://www.geeksforgeeks.org/network-address-translation-nat/#
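The translation "and vice versa" as an added example (not code from the page or the referenced article), in the port-based form almost every home or office gateway uses (NAPT, also called PAT): each outbound private (IP, port) is mapped to the single public IP and a fresh port, replies are mapped back through the same table, and a packet that matches no entry is dropped. The addresses are constructed; 203.0.113.5 is from the documentation range.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class Napt:
    """Port-based NAT: many private hosts share one public address by getting distinct public ports."""

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (40000, 65535)):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range
        # (proto, private ip, private port) -> public port
        self.outbound_map: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (private ip, private port)
        self.inbound_map: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the private network: rewrite its source to the public address and a port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.outbound_map.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("translation port pool exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = port
            self.inbound_map[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet; None means drop, because no inside host asked for it."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound_map.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])

if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 51000, "93.184.216.34", 443))
    print(out)
    print(nat.inbound(Packet("93.184.216.34", 443, "203.0.113.5", out.src_port)))
    print(nat.inbound(Packet("198.51.100.7", 12345, "203.0.113.5", 40999)))
```

The drop in `inbound` is the side effect people mean when they say NAT "acts like a firewall": an outside host cannot reach an inside one until the inside one has opened a mapping. It is an accident of the table, not a security policy, and it says nothing about what inside hosts can reach.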

CIA

  • Confidentiality: keeping information secret from unauthorized users

  • Integrity: ensuring that the information is genuine and hasn't been tampered with

  • Availability: ensuring that the system is available to authorized users when they need it

Two more properties are not always discussed alongside these three: Authenticity and Non-Repudiation. [CIA-AN]

Authenticity

Determining the origin of data - a type of Integrity

Authenticity is knowing who sent the message. For example, suppose I sent you an e-mail. How do you know the e-mail really came from me? Does e-mail have any built-in security? Generally, no. By default, e-mail has no authenticity at all.

We are not going to cover them here, but PGP signing, DKIM, SPF, and DMARC exist to address this, and Gmail has features of its own that try to confirm an e-mail really came from the claimed sender. Without them, e-mail has no authenticity: most of the time you do not know who really sent the message.

Non-Repudiation

Proving the integrity and the origin of data - a type of Integrity

Non-repudiation is the property that prevents a sender from denying that they sent a message. For example, I sent you a message saying "Come to my office for pizza right after class today at 6:00." Later I say, "No, I didn't send that e-mail. I'm not giving out free pizza." I am repudiating that I sent the e-mail, and there is no way you can prove otherwise, because plain e-mail carries no proof of identity.

Non-repudiation also has a time dimension. I send you the same message, but this time I deny having sent it today and claim I sent it last year. Even with a technology like PGP, which signs e-mail, I cannot deny that I sent it, since it carries my signature; what I am disputing is when I sent it. A PGP signature proves the message came from me. The creation time inside the signature is set by the signer, so it proves only what I claimed, not when the message was actually sent; proving the time takes an independent party, such as a trusted timestamping service, that signs over the document together with the time at which it saw it. This is a big problem for many digital documents.

So repudiation takes two forms: denying whether a message was sent at all, and denying when it was sent.
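The authenticity and non-repudiation sections above, worked through in code as an added example that is not from the original page. It uses an HMAC (a keyed hash from the standard library) rather than PGP, because that is enough to show the distinction: a message authentication tag gives integrity and, between two parties who share the key, authenticity, but it gives no non-repudiation, because the receiver holds the same key and can mint a message that verifies just as well. The "date" field shows the time problem from the text: the tag proves the field was not altered, not that it is true. The key and the messages are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed demo key shared by Alice and Bob; a real deployment would provision it out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def _canonical(fields: Dict[str, str]) -> bytes:
    # Deterministic serialization so sender and receiver hash exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def mac_sign(key: bytes, fields: Dict[str, str]) -> Dict[str, str]:
    """Attach an HMAC-SHA256 tag: integrity, plus authenticity for anyone who holds the key."""
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}

def mac_verify(key: bytes, msg: Dict[str, str]) -> bool:
    fields = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))  # constant-time comparison

def alice_invites() -> Dict[str, str]:
    return mac_sign(SHARED_KEY, {"from": "alice", "to": "bob", "date": "2024-05-01",
                                 "body": "Come to my office for pizza at 6:00 today"})

def outsider_tampers(msg: Dict[str, str]) -> Dict[str, str]:
    """Someone without the key edits the body; the tag no longer matches (integrity holds)."""
    return {**msg, "body": "Bring your own pizza"}

def bob_forges(msg: Dict[str, str]) -> Dict[str, str]:
    """Bob holds the same key, so he can produce a message Alice never sent that verifies
    perfectly. A MAC therefore gives no non-repudiation: a third party cannot tell the
    two key holders apart. A digital signature (as in PGP) fixes that, since only the
    signer has the private key."""
    fields = {k: v for k, v in msg.items() if k != "mac"}
    fields["body"] = "Free pizza for everyone, every day, on me"
    return mac_sign(SHARED_KEY, fields)

def alice_backdates(msg: Dict[str, str]) -> Dict[str, str]:
    """Alice re-signs the same invitation with last year's date. Verification still succeeds:
    the tag protects the date field from tampering but says nothing about whether it is true.
    The same holds for a signer-chosen timestamp inside a PGP signature."""
    fields = {k: v for k, v in msg.items() if k != "mac"}
    fields["date"] = "2023-05-01"
    return mac_sign(SHARED_KEY, fields)

if __name__ == "__main__":
    real = alice_invites()
    for label, m in (("genuine", real), ("tampered", outsider_tampers(real)),
                     ("forged by Bob", bob_forges(real)), ("backdated by Alice", alice_backdates(real))):
        print(f"{label:20s} verifies={mac_verify(SHARED_KEY, m)} date={m['date']}")
```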

General Concept of Risk Analysis and Management

Risk

A risk is an asset that can lose value if a negative event occurs. For example, you have a server farm, and it can go offline due to a flood. That is a risk, because you have something that can lose value.

But risk is hard to talk about, because assessing it requires an understanding of the organization's assets, the potential threats to those assets, the existing vulnerabilities, and the potential impact if those vulnerabilities are exploited.

Threat

A threat is any potential occurrence that can have an adverse effect on the assets and resources associated with the system. A threat is something that exists in the environment.

For example, you have a data center in Japan. You will have earthquakes: the possibility of an earthquake is a threat, and there is nothing you can do about it directly, because it is part of the environment. Or you are a bank, so you will have attackers trying to breach your systems to steal funds. If you are a bank, you will be targeted.

Another example: there are attackers targeting hospital systems and deploying ransomware on them. That is a threat. It exists, it is part of the environment, and if you are a hospital you have it. Hospitals generally cannot stop attackers from trying to put ransomware on their systems; there is not much they can do about the threat itself. A risk, by contrast, is something of yours or your organization's that can lose value.

So that is how you tell the difference between a risk and a threat. A threat is an environmental thing. A risk is something of yours that can lose value.

Vulnerability

A vulnerability is a characteristic that allows a threat to occur: usually a flaw in the system, an opening that lets something bad happen. For example, a web portal has users, and those users are a vulnerability: they can be induced to do something that lets something bad occur.

But a vulnerability is what we can do something about. We can have processes to identify vulnerabilities and then remove or mitigate them.

Attack (Exploit)

An attack is something that takes advantage of a vulnerability: for example, an attacker takes advantage of an unpatched system in order to breach it.

Going back to the example of Risk

You have a server farm and it can go offline due to a flood.

  1. Asset: The server farm is the asset. This is the critical infrastructure that your organization relies on. It has significant value, not just in terms of its physical cost but also in terms of the data it holds, the services it provides, and the potential revenue or operational capability it supports.

  2. Threat: The flood represents the threat. It's an external event or factor that can cause harm.

  3. Vulnerability: The vulnerability is whatever lets the flood affect the server farm. Maybe the server farm is situated in a flood-prone area, or maybe there aren't adequate protective measures in place to prevent flood damage.

  4. Attack/Exploit: Here the threat is a natural event rather than a person, so the flood "exploits" the vulnerability simply by happening. An attacker could also take advantage of the reduced security during the flood event to gain unauthorized access, for example because firewalls are offline or monitoring systems are impaired.

  5. Risk: The combination of asset, threat, vulnerability, and impact is the risk. In this context, the risk is that a flood could take the valuable server farm offline, leading to various negative repercussions for the organization.

Impact: The server farm going "offline" represents the potential impact of the threat exploiting the vulnerability. The impact can be further quantified in terms of downtime, financial loss, data loss, reputational damage, etc.

Risk analysis is the process of:

  • Identifying the assets at risk

  • Putting quantitative or qualitative measures on the likelihood of the event happening

  • Putting quantitative or qualitative measures on the consequences of the potential loss (also called impact)

Risk Management

Risk management is the process of planning how to control those risks. When you perform risk management, there are four things you can do:

  • Risk avoidance: not doing the risky thing at all.

  • Risk mitigation: taking countermeasures to make it safer. Mitigation is generally what we do in cybersecurity.

  • Risk transfer: making it someone else's responsibility, for example through insurance or a contract.

  • Risk acceptance: you have to do it anyway, so you acknowledge the risk and proceed. It's raining, but I have to get cat food, so I go even though I know it's risky.

Risk analysis starts with understanding what assets are potentially at risk and what the threats are. This forms the basis for finding the "sweet spot": putting in enough security to protect the value of the assets without spending more on controls than the assets are worth.
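The risk analysis steps (assets, likelihood, impact) and the four treatments above, carried through on the page's own flood and ransomware examples as an added example; the code and the figures are not from the original page. It uses the common quantitative method in which single loss expectancy (SLE) is asset value times exposure factor and annualized loss expectancy (ALE) is SLE times the annualized rate of occurrence (ARO); that method is standard practice but not something the page states. All asset values, exposure factors, rates and control costs are constructed, and the decision rule in `treat` is an assumption chosen to illustrate the "sweet spot": a control is worth buying only when the loss it prevents each year exceeds what it costs each year.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float       # what the asset is worth (currency units)
    exposure_factor: float   # fraction of that value lost in one event, 0.0..1.0
    aro: float               # annualized rate of occurrence: expected events per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: value lost if the event happens once (the impact)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: impact weighted by likelihood."""
        return self.sle * self.aro

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None   # None = unchanged by this control
    new_aro: Optional[float] = None

def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains after the control is in place."""
    ef = risk.exposure_factor if cm.new_exposure_factor is None else cm.new_exposure_factor
    aro = risk.aro if cm.new_aro is None else cm.new_aro
    return risk.asset_value * ef * aro

def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Annual loss avoided minus the control's annual cost; negative means it is not worth buying."""
    return risk.ale - residual_ale(risk, cm) - cm.annual_cost

def treat(risk: Risk, options: List[Countermeasure], appetite: float) -> Tuple[str, Optional[str]]:
    """Constructed decision rule: accept if the ALE is within the organization's risk appetite;
    otherwise mitigate with the control that pays back most; if none pays back, transfer or avoid."""
    if risk.ale <= appetite:
        return ("accept", None)
    best = max(options, key=lambda c: net_benefit(risk, c), default=None)
    if best is not None and net_benefit(risk, best) > 0:
        return ("mitigate", best.name)
    return ("transfer or avoid", None)

def rank(risks: List[Risk]) -> List[str]:
    """Highest annualized loss first: the order in which to spend attention and budget."""
    return [f"{r.asset} / {r.threat}" for r in sorted(risks, key=lambda r: r.ale, reverse=True)]

# Constructed figures for the page's two examples.
FLOOD = Risk("server farm", "flood", asset_value=2_000_000, exposure_factor=0.5, aro=0.1)
RANSOMWARE = Risk("hospital records", "ransomware", asset_value=5_000_000, exposure_factor=0.3, aro=0.5)
FLOOD_OPTIONS = [
    Countermeasure("flood barriers and raised floor", annual_cost=30_000, new_exposure_factor=0.1),
    Countermeasure("relocate out of the flood plain", annual_cost=150_000, new_aro=0.01),
]

if __name__ == "__main__":
    for r in (FLOOD, RANSOMWARE):
        print(f"{r.asset}/{r.threat}: SLE={r.sle:,.0f} ALE={r.ale:,.0f}")
    for cm in FLOOD_OPTIONS:
        print(f"  {cm.name}: residual ALE={residual_ale(FLOOD, cm):,.0f} net benefit={net_benefit(FLOOD, cm):,.0f}")
    print(treat(FLOOD, FLOOD_OPTIONS, appetite=50_000))
    print(rank([FLOOD, RANSOMWARE]))
```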

Asset Owner vs. IT Asset at Risk Owner

This has become a very big deal lately. Take Social Security numbers: my Social Security number is stored at Citibank or Chase. When Chase runs a system holding my personal information, the entity that owns the IT system may not apply the safeguards I would want on it.

For example, an application containing security clearance information was run on an Internet Service Provider (ISP) whose infrastructure was not as secure as it could have been. The clearance information was compromised through the back end of the physical systems: attackers gained entry to the hosts that carried this personal information. Even though the application holding the sensitive data was secure, the IT asset on which it ran was not, and it was compromised from the back end.

So there is a big distinction between the asset owner and the owner of the IT asset at risk. This is becoming more and more relevant as we move to the cloud, where organizations no longer control the physical asset as they used to.
