Cybersecurity Foundations

Cybersecurity Foundations HSR Vorlesung 1-5 PART 2: https://card2brain.ch/box/20200731_cysec_foundations_teil_2

File details

Flashcards: 61
Language: English
Category: Computer science
Level: University
Created / updated: 31.07.2020 / 11.02.2025
Web link: https://card2brain.ch/box/20200731_cybersecurity_foundations

How does a DNS zone transfer attack work and why can it be harmful?

A DNS zone transfer (AXFR) is the process by which one DNS server copies the records of a zone to another DNS server. It lets more than one server answer queries about the zone. The secondary (slave) servers request a copy from the primary (master).

In a DNS zone transfer attack you pretend to be a secondary server and request a full copy of the zone records. A plain AXFR request carries nothing that authenticates the requester, so a server that does not restrict transfers (for example with a source-address ACL or TSIG-signed requests) hands the zone to anyone who asks.

Risk: the zone records reveal a great deal about the internal topology of the network (host names, IP addresses, mail and name servers). For anyone who wants to subvert the DNS with spoofing (using a false identity) and cache poisoning, this is very helpful.
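Added example (not part of the card set): an AXFR request built with Python's standard library only, so the wire format is visible. The zone name `example.com` and the server argument are assumptions of this example. Note that the request contains no credential of any kind; whether the transfer succeeds depends entirely on the server's transfer ACL (e.g. BIND's `allow-transfer`). Zone transfers run over TCP, where each DNS message is prefixed with a two-byte length.

```python
"""Build, parse and (optionally) send a DNS AXFR request without third-party libraries."""
import socket
import struct
import sys

AXFR = 252   # QTYPE for a full zone transfer request
IN = 1       # QCLASS Internet


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode labels at offset; returns (dotted name with trailing dot, offset after name)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """DNS header (12 bytes) + one question of type AXFR. Flags 0: plain query."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", AXFR, IN)
    return header + question


def parse_question(msg: bytes) -> dict:
    """Parse the header and first question of a DNS message (query or response)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "rcode": flags & 0xF, "qdcount": qd,
            "ancount": an, "qname": qname, "qtype": qtype, "qclass": qclass}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the DNS message was complete")
        buf += chunk
    return buf


def request_zone_transfer(server: str, zone: str, timeout: float = 5.0):
    """Send the AXFR over TCP and return (rcode, ancount) of the first response message.
    rcode 5 (REFUSED) with ancount 0 means the server restricts transfers; a
    non-zero ancount means the zone is being handed out."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        response = recv_exact(s, length)
    info = parse_question(response)
    return info["rcode"], info["ancount"]


if __name__ == "__main__":
    # usage: python axfr.py <nameserver> <zone>
    print(request_zone_transfer(sys.argv[1], sys.argv[2]))
```

A properly configured authoritative server answers with rcode 5 (REFUSED) and no records; seeing records come back is the finding.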

What is a Red Team in the context of cybersecurity?

Offensive cybersecurity: focus on penetration testing; assume the role of an attacker and show the organization which backdoors or exploitable weaknesses exist. Common practice is that the red team comes from outside the organization.

What is a Blue Team in the context of cybersecurity?

Defensive cybersecurity: assessment of network security, identification of possible vulnerabilities, finding ways to defend, changing and regrouping defence mechanisms to make incident response much stronger. The blue team continuously improves the digital security infrastructure using security audits, log and memory analysis, packet captures (pcap) and risk intelligence data.

What's the idea behind risk management?

Reduce risk and support the mission of the organization.

  • It is impossible to design a risk-free environment
  • Significant risk reduction is often possible with little effort

Process:

  • Identifying factors that could damage or disclose data
  • Evaluating those factors in light of data value and countermeasure cost
  • Implementing cost-effective solutions for mitigating or reducing risks

What's part of a risk analysis?

  • Evaluation, assessment and the assignment of value for all assets of an organization
  • Examining an environment for risks
  • Evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause if it did occur
  • Assessing the cost of various countermeasures for each risk and creating a cost/benefit report for safeguards to present to upper management

What's risk mitigation?

Reducing risk by implementing safeguards and countermeasures that eliminate vulnerabilities or block threats.

What's risk assignment (transference)?

Moving the risk to another entity or organization, e.g. by buying insurance or outsourcing.

What's risk acceptance?

Risk tolerance: the cost/benefit analysis shows that the countermeasure would cost more than the potential loss, so the risk is consciously accepted and documented.

What's risk deterrence?

Deterrence: discouraging attackers from acting at all.

Examples: security cameras, security guards, instructional signage.

What's risk avoidance?

Selecting alternate options or activities that have less associated risk than the default, e.g. removing the FTP service from a server to avoid FTP attacks.

What's risk rejection?

Rejecting or ignoring the risk, i.e. pretending it does not exist. This is not a valid or acceptable response: the risk stays untreated and undocumented.

What's residual risk?

  • Once a countermeasure is implemented, the risk that remains is called the residual risk.

What is the Patriot Act?

  • Changed the way US government agencies obtain wiretapping authorizations
  • Allows authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant
  • ISPs may have to provide the government with a wide range of information

not so important

What is the European Union General Data Protection Regulation (GDPR)?

  • The regulation applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it.
  • It even applies to organizations that are not based in the EU, if they collect information about EU residents.
  • The ability of the EU to enforce this law globally remains an open question.
  • A data breach notification requirement that mandates that companies inform the supervisory authority of serious data breaches within 72 hours.
  • The creation of centralized data protection authorities in each EU member state.
  • Provisions that individuals have access to their own data.
  • Data portability provisions that facilitate the transfer of personal information between service providers at the individual's request.
  • The "right to be forgotten" that allows people to require companies to delete their information if it is no longer needed.

not so important

What does STRIDE stand for?

STRIDE is a model of threats (six threat categories):

Spoofing: an attack that uses a falsified identity to gain access to the target system

Tampering: unauthorized change or manipulation of data, whether in transit or in storage, to falsify communication or alter static information

Repudiation: the ability of a user or attacker to deny having performed an action or activity

Information disclosure: the revelation or distribution of private, confidential or controlled information to external or unauthorized entities

Denial of service (DoS): prevents use of a resource; can reduce throughput or introduce latency in order to hamper productive use of a service

Elevation of privilege: transforming a limited-use account into an account with greater privileges, powers and access

What is a threat and what does it involve?

Any potential danger to an asset, whether intentional or accidental.

Threat actor: someone who intentionally exploits vulnerabilities: script kiddies, organized crime groups, state-sponsored groups and governments, hacktivists, terrorist groups.

Threat intelligence: knowledge about an existing or emerging threat to assets, including networks and systems.

Threat event: an accidental or intentional exploitation of a vulnerability.

What different ways of removing/erasing data are possible?

Erasing: only the link (directory entry) to the data is removed; the actual data remains on the drive and can be recovered with forensic tools.

Clearing: clearing or overwriting is a process that prepares media for reuse and makes sure that deleted data cannot be recovered using traditional recovery tools.

Purging: a more intense form of clearing that prepares media for reuse in less secure environments.

Degaussing: erasing data with a strong magnetic field; works only on magnetic media and does not affect CDs, DVDs or SSDs.

Destruction: physically destroying the media so that it cannot be repaired or read.

What does the CIA triad look like?

A triad of:

             Confidentiality

 

Integrity                  Availability

Describe integrity in the context of the CIA triad

Protecting the reliability and correctness of data

  • Prevents unauthorized alterations of data
  • Only authorized subjects can modify the data
  • Alterations should not occur while the object is in storage, in transit or being processed

Data integrity implies information is known to be good, and the information can be trusted as being complete, consistent and accurate.

System integrity implies that a system will work as it is intended to.

Examples: intrusion detection systems, hash verification (comparing a stored hash or MAC with one recomputed over the data)

Describe availability in the context of the CIA triad

Authorized subjects are granted timely and uninterrupted access to objects.

Examples: redundancy, maintaining reliable backups, preventing data loss or destruction

Describe confidentiality in the context of the CIA triad

Prevent or minimize unauthorized access to data: allow authorized users access to the data and deny it to everyone else.

Examples: encryption, access control

Describe nonrepudiation and accountability

Nonrepudiation: actions are recorded in such a way that the subject who caused an event cannot deny having done it.

Accountability: being responsible or obligated for actions and results.

Examples: nonrepudiation can be established using digital signatures (backed by certificates), session identifiers and transaction logs.

Describe copyright and how it is used

  • Protection against unauthorized duplication
  • Eight broad categories of works qualify for copyright protection: literary works; musical works; dramatic works; pantomimes and choreographic works; pictorial, graphic and sculptural works; audiovisual works; sound recordings; architectural works
  • Copyright only protects the actual code, not the idea behind the code, so rewriting it from scratch is allowed
  • The copyright exists as soon as something is created; it need not be registered. If you can prove in court that you were the creator of a work, you are protected under copyright law.
  • You can mark your work with the copyright symbol (©) to make the protection visible.
  • Works by one or more authors are protected until 70 years after the death of the last surviving author.
  • A work is considered "for hire" when it is made for an employer during the normal course of an employee's workday.

Describe trademarks and how they are used

  • Words, slogans and logos identifying a company or product
  • No need to register them
  • The ™ symbol is used to mark protected words or slogans
  • For official recognition they can be registered, in Switzerland at the «Eidgenössisches Institut für Geistiges Eigentum»

Describe trade secrets and how they are used

  • A patent or copyright could be used for such information, but both of them provide protection only for a limited time period
  • Trade secrets are often used by big software companies to protect the core of their intellectual property

What's a patent and is it usable for software?

  • Protects the intellectual property rights of inventors
  • 20 years of exclusive use of the invention
  • After 20 years the invention is publicly available for everyone to use
  • Must be new, must be useful, must not be obvious
  • Does not provide adequate protection for computer software products

What are the assets of an organization?

  • Information: all data of an organization
  • Systems: any IT services provided for or by the organization
  • Devices: servers, desktop computers, laptops, tablets, smartphones, external devices such as printers
  • Facilities: all physical locations that an organization owns or rents
  • Personnel: the people working for the organization
  • Intellectual property: intangible assets
    • Brand names
    • Creative output
    • Secret recipes or product techniques

What could happen if an asset is lost or disclosed?

  • An overall security compromise (security breach, security leak)
  • Loss of productivity
  • Reduction of profits
  • Additional expenditures
  • Discontinuation of the organization
  • And more ...

What are the military and business data classifications?

Military

  • Top secret
  • Secret
  • Confidential
  • Sensitive but unclassified
  • Unclassified

The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security. The unauthorized disclosure of data classified as confidential will have noticeable effects and cause serious damage to national security. Sensitive but unclassified is used for data that is for internal use only.

Business

  • Confidential / Private
  • Sensitive
  • Public

What is SSH, why is it used and what are the advantages compared to older technologies such as ftp, telnet, rlogin?

Secure Shell replaces insecure remote access and file transfer tools such as telnet, ftp, rlogin, rsh, rcp and rexec. Those old commands and protocols transmit everything, including passwords, in plain text rather than encrypted.

Advantages: encrypts the session, authenticates the server (host key) and offers different client authentication methods, e.g. password authentication and public-key authentication.

What is suspicious behaviour of a process?

  • a process with an open network socket that does not show up on a similar (reference) system
  • network saturation from a single host, but nothing in the file system that explains it
  • a program eating 100% CPU, but nothing in the file system that explains it
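Added example (not from the cards) of how the "open socket, but nothing in the file system" pattern is checked on Linux: correlate listening sockets from `/proc/net/tcp` with the socket inodes a process holds open, and flag processes whose executable has been deleted from disk. The `/proc/net/tcp` excerpt and the process records are constructed sample data; the `live_processes()` helper reads the real `/proc` and is an addition of this example.

```python
"""Flag processes that own a listening socket but whose executable is gone
from disk. Sample data below is constructed, not from a real incident."""
import os
import re

LISTEN = "0A"   # state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp (header line plus three sockets).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18221 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40991 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C2E8 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40870 1 0000000000000000 20 4 30 10 -1
"""

# Constructed process records: exe is readlink(/proc/<pid>/exe), fd_targets are
# readlink(/proc/<pid>/fd/*). pid 4242 runs from a binary deleted after launch.
SAMPLE_PROCESSES = [
    {"pid": 812, "exe": "/usr/sbin/named", "fd_targets": ["/dev/null", "socket:[18221]"], "cpu_pct": 0.3},
    {"pid": 4242, "exe": "/tmp/.x (deleted)", "fd_targets": ["socket:[40991]", "pipe:[40992]"], "cpu_pct": 1.1},
    {"pid": 5150, "exe": "/usr/bin/firefox", "fd_targets": ["socket:[40870]"], "cpu_pct": 12.0},
]


def parse_proc_net_tcp(text: str) -> dict:
    """Map socket inode -> (local_ip, local_port, state) from /proc/net/tcp text."""
    sockets = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The IPv4 address is printed as a little-endian 32-bit hex word on x86.
        octets = [int(addr_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        sockets[int(fields[9])] = (".".join(map(str, octets)), int(port_hex, 16), fields[3])
    return sockets


def socket_inodes(fd_targets) -> set:
    """Socket inodes referenced by a process's fd links ('socket:[12345]')."""
    return {int(m.group(1)) for t in fd_targets if (m := re.fullmatch(r"socket:\[(\d+)\]", t))}


def flag_suspicious(processes, sockets, cpu_threshold=95.0):
    """Return [(pid, reasons, listening_sockets)] for processes worth a closer look."""
    findings = []
    for p in processes:
        owned = [sockets[i] for i in socket_inodes(p["fd_targets"]) if i in sockets]
        listening = [s for s in owned if s[2] == LISTEN]
        no_file = p["exe"] is None or p["exe"].endswith(" (deleted)")
        reasons = []
        if listening and no_file:
            reasons.append("listening socket but no executable on disk")
        if p["cpu_pct"] >= cpu_threshold and no_file:
            reasons.append("high CPU but no executable on disk")
        if reasons:
            findings.append((p["pid"], reasons, listening))
    return findings


def live_processes():
    """Linux only: build the same records from /proc (reading other users' fd
    links needs root). CPU usage is not sampled here and is reported as 0."""
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        try:
            fds = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            fds = []
        records.append({"pid": int(pid), "exe": exe, "fd_targets": fds, "cpu_pct": 0.0})
    return records


if __name__ == "__main__":
    for pid, reasons, socks in flag_suspicious(SAMPLE_PROCESSES, parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(pid, reasons, socks)
```

On a live box, run `flag_suspicious(live_processes(), parse_proc_net_tcp(open("/proc/net/tcp").read()))` as root; the same idea applies to `/proc/net/tcp6` and `udp`.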

What are reverse shells and bind shells, how do they work and what can happen?

Bind shell: the victim listens on a port and the attacker connects to it; the shell is bound to the listening socket.

Reverse shell: the victim connects out to a port on which the attacker is listening and hands the shell over that connection. Because the connection is outbound, it often passes firewalls that block inbound connections.

Both can be done with netcat, and the same connection can then be used to transfer files.

What is Scapy?

Scapy is a Python utility to send, sniff, dissect and forge IP packets. It is used:

  • to create tools that can probe, scan or attack networks
  • for interactive packet manipulation, where it is very powerful
  • to create attack signatures for IDS/IPS systems

What's the idea of ciphertext?

A cryptographic algorithm is used to encrypt a plaintext message into ciphertext, which is unreadable without the key:

           

Message, Plaintext --> [Encryption] -- Ciphertext --> [Decryption] --> Message, Plaintext

                                            ^----------------key-------------------^

What is Kerckhoffs's principle?

A cryptographic system must be secure even if everything about the system, except the key, is public knowledge.

  • Algorithms are public, so anyone can test them
  • «The enemy knows the system» (Shannon's maxim)
  • Public exposure helps to find weaknesses more quickly
  • Most cryptographers follow this principle, but some still think it is safer to keep both the key and the algorithm secret (security through obscurity)

What is an SP-network?

A substitution-permutation network uses repeated substitution (replacing bytes or bit groups with others via an S-box) and permutation (moving bits or bytes around via a P-box) operations, with key material mixed in, repeated for multiple rounds. AES is built this way.

wikipedia: https://en.wikipedia.org/wiki/Substitution%E2%80%93permutation_network
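Added example (not from the cards or from Wikipedia): a toy 16-bit SP-network that makes the round structure concrete: XOR a round key, substitute each 4-bit nibble through an S-box, permute the bits, repeat, with a final key whitening. The S-box, the bit permutation and the key schedule are assumptions of this example, and the cipher is far too small to be secure; it only shows how the pieces fit and how a one-bit plaintext change spreads (avalanche).

```python
"""Toy 16-bit substitution-permutation network: 4 rounds, 4-bit S-box, bit P-box."""
ROUNDS = 4
# 4-bit S-box (row 0 of the DES S1 table); the only nonlinear step
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Bit permutation: state bit i moves to position PBOX[i] (spreads each nibble over all four)
PBOX = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
INV_PBOX = [PBOX.index(v) for v in range(16)]


def substitute(x: int, box) -> int:
    """Apply the S-box to each of the four nibbles of a 16-bit state."""
    out = 0
    for nib in range(4):
        out |= box[(x >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def permute(x: int, table) -> int:
    """Move every set bit i of the state to position table[i]."""
    out = 0
    for i in range(16):
        if (x >> i) & 1:
            out |= 1 << table[i]
    return out


def round_keys(key: int):
    """Toy key schedule (assumption): rotate the 16-bit key left by 3 per round,
    producing ROUNDS + 1 keys (the last one is used for final whitening)."""
    keys, k = [], key & 0xFFFF
    for _ in range(ROUNDS + 1):
        keys.append(k)
        k = ((k << 3) | (k >> 13)) & 0xFFFF
    return keys


def encrypt_block(pt: int, key: int) -> int:
    ks = round_keys(key)
    x = pt & 0xFFFF
    for r in range(ROUNDS):
        x ^= ks[r]                       # key mixing
        x = substitute(x, SBOX)          # substitution
        if r != ROUNDS - 1:              # last round skips the permutation (as AES does)
            x = permute(x, PBOX)         # permutation
    return x ^ ks[ROUNDS]                # final whitening key


def decrypt_block(ct: int, key: int) -> int:
    """Run the rounds backwards with the inverse S-box and inverse P-box."""
    ks = round_keys(key)
    x = ct ^ ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r != ROUNDS - 1:
            x = permute(x, INV_PBOX)
        x = substitute(x, INV_SBOX)
        x ^= ks[r]
    return x


def avalanche(pt: int, key: int, bit: int) -> int:
    """Number of ciphertext bits that change when one plaintext bit is flipped."""
    return bin(encrypt_block(pt, key) ^ encrypt_block(pt ^ (1 << bit), key)).count("1")


if __name__ == "__main__":
    key, pt = 0x3A94, 0x1234
    ct = encrypt_block(pt, key)
    print(f"pt={pt:04x} ct={ct:04x} back={decrypt_block(ct, key):04x}")
    print("ciphertext bits changed by flipping plaintext bit 0:", avalanche(pt, key, 0))
```

Without the permutation each nibble would be encrypted independently (four separate 4-bit ciphers); without the S-box the whole thing would be linear and solvable with a handful of known plaintexts. Both steps, repeated over rounds, are what give an SPN its strength.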

How does the Caesar cipher work?

To encrypt a message, each letter of the alphabet is shifted a fixed number of positions to the right (three in the classical version). It is a monoalphabetic substitution cipher: the same plaintext letter always becomes the same ciphertext letter, and there are only 25 possible shifts, so it can be broken by trying them all.

Example 

Here’s an example of the Caesar cipher in action.

Khuh’v dq hadpsoh ri wkh Fdhvdu flskhu lq dfwlrq.
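Added example (not from the cards): the Caesar cipher for any shift, preserving case and leaving punctuation alone, plus the brute-force attack that makes it useless, scoring each of the 25 candidate shifts by how many common English words appear. The word list is an assumption of this example; the ciphertext used in the test is the one on the card above.

```python
"""Caesar cipher: shift, unshift and brute force."""
import re

COMMON_WORDS = {"the", "of", "and", "in", "to", "is", "an"}   # assumption: tiny scoring list


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (mod 26), preserving case;
    digits, spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    return caesar_shift(plaintext, shift)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    return caesar_shift(ciphertext, -shift)


def score_english(text: str) -> int:
    """Crude fitness: count of common English words in the candidate plaintext."""
    return sum(w in COMMON_WORDS for w in re.findall(r"[a-z]+", text.lower()))


def brute_force(ciphertext: str):
    """Try all 25 non-trivial shifts; return (shift, candidate) pairs, best first.
    The key space is so small that this is the whole attack."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kc: score_english(kc[1]), reverse=True)


if __name__ == "__main__":
    ct = caesar_encrypt("Here's an example of the Caesar cipher in action.")
    print(ct)
    for shift, guess in brute_force(ct)[:3]:
        print(shift, guess)
```

A single-character lookup table per letter is exactly what "monoalphabetic" means; letter-frequency analysis breaks it even without brute force.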

How does XOR work and why is it interesting for cryptography?

A function that takes two inputs and returns true if exactly one of them is true (one is true and the other is false).

e.g.: 

A B | O = A XOR B
0 0 | 0
0 1 | 1
1 0 | 1
1 1 | 0

XORing the output O with A again gives back B, since A XOR (A XOR B) = B. This is what makes XOR useful in cryptography: the same operation with the same key both encrypts and decrypts, so A can be thought of as the key that encrypts and decrypts B.

What is the one-time pad?

The one-time pad uses XOR with a truly random key to encrypt and decrypt a message.

+ if the key is random, secret and used only once, the ciphertext gives no statistical information about the original message (perfect secrecy)

- the key is as long as the message, e.g. a 1 GB file needs a 1 GB key

- if a key is used more than once the cipher is broken: XORing two ciphertexts cancels the key and yields the XOR of the two plaintexts, which can be reversed

What is a stream cipher and which advantages and disadvantages does it have?

The idea is to approximate a one-time pad by generating a long pseudo-random keystream from a short key and a nonce, and XORing it with the plaintext.

  • Encryption of long continuous streams is possible
  • Extremely fast with a low memory footprint, so ideal for low-power devices
  • If designed well, it can seek to any position in the keystream
  • The keystream must appear statistically random
  • A key + nonce pair must never be reused (otherwise the two-time-pad problem applies)
  • Stream ciphers do not protect the ciphertext from modification (no integrity guarantee): flipping a ciphertext bit flips the same plaintext bit
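Added example (not from the cards) tying together the three cards above on XOR, the one-time pad and stream ciphers. The keystream generator is a toy (SHA-256 over key, nonce and counter), an assumption of this example and not a standardized cipher; all keys and messages are constructed. It shows the XOR round trip, the two-time-pad leak on key or nonce reuse, the bit-flip malleability that every XOR-based cipher has, and how a MAC over the ciphertext detects the flip.

```python
"""XOR, one-time pad and stream cipher: one operation, three lessons."""
import hashlib
import hmac

# Constructed sample data (16-byte messages so the one-time pad fits exactly)
P1 = b"ATTACK AT DAWN!!"
P2 = b"RETREAT AT DUSK!"
PAD = bytes.fromhex("a3f1c09e7b2d4c8ef05a61ddb9c23e7f")   # would be os.urandom(16) in practice
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE = bytes.fromhex("0001020304050607")
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR: the truth table 0^0=0, 0^1=1, 1^0=1, 1^1=0 applied per bit."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: pad must be random, secret, as long as the message and used once."""
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt   # A XOR (A XOR B) == B: XOR is its own inverse


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (assumption of this example): SHA-256(key || nonce || counter)
    blocks. Counter-based, so any position can be generated directly (seekable)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


stream_decrypt = stream_encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Key (or key+nonce) reuse: c1 XOR c2 == p1 XOR p2, the keystream cancels out."""
    return xor_bytes(c1, c2)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Attacker-side tampering: flipping a ciphertext bit flips the same plaintext bit."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def seal(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity for an XOR cipher has to come from a MAC over nonce and ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(mac_key, nonce, ciphertext), tag)


if __name__ == "__main__":
    ct = stream_encrypt(KEY, NONCE, b"PAY 0100 EUR")
    tag = seal(MAC_KEY, NONCE, ct)
    tampered = flip_bit(ct, 4, 0)                       # '0' (0x30) -> '1' (0x31)
    print(stream_decrypt(KEY, NONCE, tampered))         # b'PAY 1100 EUR'
    print(verify(MAC_KEY, NONCE, tampered, tag))        # False: MAC catches the flip
    print(two_time_pad_leak(otp_encrypt(P1, PAD), otp_encrypt(P2, PAD)) == xor_bytes(P1, P2))
```

The attacker in `flip_bit` never learns the key; knowing only the plaintext format ("PAY 0100") is enough to change the amount, which is why real deployments pair a stream cipher with a MAC (e.g. ChaCha20-Poly1305) instead of using it alone.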