CHAPTER 1 Risks to IT security
1.1 LO1 Assess risks to IT security
1.1.1 Identify types of security threat to organisations (P1)
Definition of IT Security:
Computer security, cybersecurity, or information technology security is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
The importance of IT security:
Currently, it is critical to protect an individual's or organization's database system in order to prevent hackers from entering the system and stealing the database. If the security system is inadequate or exposed, that individual's or organization's data will be taken extremely rapidly.
Security threats to the organization:
There are 3 threats to network security for an organization:
Cybercrime: a group of objects, or individuals, who commit financial crimes or want to shut down the system of any individual or organization.
Cyberattack: cyberattacks are often aimed at politics.
Cyberterrorism: the main objective is to damage the electronic system, causing the whole system to be paralysed and causing panic and fear among users or organizations.
Methods that threaten an organization's security:
Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users of access to information, or otherwise interfere with the user's computer security and privacy without their knowledge. By contrast, software that causes harm due to some deficiency is typically described as a software bug. Malware poses serious problems to individuals and businesses. According to Symantec's 2018 Internet Security Threat Report (ISTR), the number of malware variants increased to 669,947,865 in 2017, which is twice as many malware variants as in 2016. Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy 6 trillion dollars in 2021, and is increasing at a rate of 15% per year.
Many types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wipers, and scareware. The defense strategies against malware differ according to the type of malware, but most can be thwarted by installing antivirus software and firewalls, applying regular patches to reduce zero-day attacks, securing networks from intrusion, having regular backups and isolating infected systems. Malware is now being designed to evade antivirus software detection algorithms.
Virus: We tend to think of all malware as viruses, but that's incorrect. A virus modifies host files, and when you execute a file on the victim's system, you execute the virus as well. Nowadays, with different types of malware infecting the networked world, computer viruses have become less common; they account for less than 10% of all malware.
Remember, viruses infect other files; they are the only malware that infects other files, and as such, it is difficult to clean them up. Even the best anti-virus programs live with this; most of the time they will delete or quarantine the infected file and cannot get rid of the virus.
Worm: A worm is malicious software that has the ability to self-replicate and spread without the action of the end user, causing real havoc. Viruses need the end user to remove them so they can go on and infect other files and systems; a worm does not need any such end user action. It simply propagates itself, replicating itself in the process, and destroying connected systems, devices, networks, and infrastructure.
Worms spread by exploiting other files and programs to do the job of spreading. When one person in an organization opens an email containing a worm, the entire network in the organization can become infected within minutes.
Trojan: Trojans, recalling what happened during the Trojan War, masquerade as legitimate programs. However, they contain malicious instructions. Trojans mainly come via email or spread from infected websites that users visit. They only run when the victim executes them.
Ransomware: Ransomware, as the name suggests, demands a ransom from you to get everything back the way it was. The main problem with ransomware, which has spread so quickly across organizations, networks, and countries, is that it encrypts all the files in a system or network, making them inaccessible. A ransom note pops up, asking for payment in cryptocurrency to decrypt the files. If the ransom is not paid, the encrypted files may end up being destroyed; as a result, ransomware is considered one of the most destructive forms of malware.
Most ransomware are Trojans and spread through social engineering. Unfortunately, in some cases, hackers refuse to decrypt files even after you pay the ransom.
Adware: Adware is nothing but an attempt to expose users to unwanted malicious ads. These ads will most likely infect a user's device.
There are adware programs that redirect users, during a browser search, to similar-looking websites that advertise other products. Adware is easier to remove: you just need to find the malicious executable code and remove it.
Spyware: Spyware, as the name suggests, helps hackers to spy on systems and users. This type of malware can be used for key-logging and similar activities, thereby giving hackers access to personal data (including logins) and intellectual property. Spyware is also used by people who want to check the computer activities of people they personally know. Spyware, like adware, is very easy to remove.
Rogue security software: is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that achieved infamy was Spy Sheriff and its clones.
Wiper: In computer security, a wiper is a class of malware intended to erase (wipe) the hard drive of the computer it infects, maliciously deleting data and programs.
Scareware: is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.
In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
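The weakness described above comes down to how the query text is built. The following added example (not from the original chapter) shows a lookup written with string concatenation next to the same lookup written with a bound parameter, against a small constructed in-memory SQLite table; the table, user names and the `lookup_*` function names are assumptions for the illustration. The concatenated version returns every user's row when the input contains a quote and an always-true condition, which is exactly the "data belonging to other users" case the text mentions; the parameterised version treats the same input as a literal username and returns nothing.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two users, each with private data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "alice-private-data"), ("bob", "bob-private-data")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the input is pasted into the SQL text, so quotes and
    operators in the input are parsed as part of the query."""
    query = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the input is bound as a parameter, so the database engine
    only ever compares it as a string value, never as SQL."""
    return conn.execute(
        "SELECT username, secret FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a tampered input (a quote
    followed by an always-true condition) and return the row counts seen."""
    conn = build_db()
    normal = "alice"
    tampered = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tampered": len(lookup_safe(conn, tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the result is that the fix is structural, not a matter of filtering particular characters: binding parameters keeps data and code separate regardless of what the input contains.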
Describe IT security solutions
Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS (P3)
Web application system firewall (WAF) solution:
The Web application firewall solution makes it possible to prevent attacks on Web applications, continuously monitor the Web application system and provide warnings if vulnerabilities appear in the application.
Benefits: prevents attacks on Web applications, continuously monitors the Web application system and provides warnings if vulnerabilities appear in the application.
Solution features:
Protection at layer 7 (according to OSI model)
Protect applications and data against unauthorized attacks
Deep analysis of packets moving in inbound/outbound traffic from the Web service server
Solution against transaction tampering (Fraud Detection)
The solution helps to prevent user impersonation and the appropriation and misuse of payment accounts in the electronic payment and e-banking environment.
Benefits: preventing user fraud and the appropriation and misuse of payment accounts in the electronic payment and e-banking environment.
Features:
Monitoring user behavior on electronic payment and e-banking services.
Anti-theft of user identity based on many pieces of information: transaction type, transaction amount, working time, geographical location (by IP address).
Preventing abuse of the system: direct access to order pages, use of suspicious environment variables, etc.
Preventing suspicious behavior on the online transaction system, such as the number of times a payment card is used, making multiple payments from the same IP address, etc.
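The last two features describe rule-based checks over transaction records. The following is an added example written for this chapter, not part of the solution the text describes: it parses a few constructed transaction log lines (timestamp, user, source IP, amount, card identifier) and flags two of the patterns named above, many distinct accounts paying from one IP within a short window, and one account cycling through many payment cards. The field layout, thresholds and window length are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp,user,source_ip,amount,card (not real data).
SAMPLE_LOG = """\
2024-01-10T09:00:00,u1,203.0.113.5,120.00,card-A
2024-01-10T09:01:00,u2,203.0.113.5,80.00,card-B
2024-01-10T09:02:00,u3,203.0.113.5,95.00,card-C
2024-01-10T09:10:00,u4,198.51.100.9,30.00,card-D
2024-01-10T09:11:00,u4,198.51.100.9,30.00,card-E
2024-01-10T09:12:00,u4,198.51.100.9,30.00,card-F
2024-01-10T09:13:00,u4,198.51.100.9,30.00,card-G
2024-01-10T14:00:00,u5,192.0.2.20,500.00,card-H
"""


def parse_log(text: str) -> list:
    """Turn CSV lines into dicts with a real datetime and a float amount."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, ip, amount, card = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                     "amount": float(amount), "card": card})
    return rows


def _flag_by_key(rows, key, field, window, max_distinct):
    """Generic sliding-window check: group rows by `key`, and within any window
    starting at a row, count distinct values of `field`. Exceeding
    max_distinct flags the group key."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[key]].append(r)
    flagged = set()
    for k, txs in groups.items():
        txs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(txs):
            in_window = [t for t in txs[i:] if t["ts"] - first["ts"] <= window]
            if len({t[field] for t in in_window}) > max_distinct:
                flagged.add(k)
    return sorted(flagged)


def flag_shared_ip(rows, window=timedelta(minutes=10), max_users=2):
    """IPs from which more than max_users distinct accounts paid within window."""
    return _flag_by_key(rows, "ip", "user", window, max_users)


def flag_many_cards(rows, window=timedelta(minutes=10), max_cards=3):
    """Accounts that used more than max_cards distinct cards within window."""
    return _flag_by_key(rows, "user", "card", window, max_cards)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("shared-IP alerts:", flag_shared_ip(rows))
    print("many-card alerts:", flag_many_cards(rows))
```

Thresholds like these are tuned per service; a shared corporate proxy, for instance, will legitimately produce many users behind one IP, so in practice an alert feeds a review queue rather than blocking outright.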
Database system security monitoring solution:
Control database operations, set up strict protection policies.
Prevent abnormal behavior from self-learning about normal database operations. Detect and prevent database attacks like a dedicated IPS.
Manage privileged and authorized accounts of users on the database.
Report database performance such as loads, queries, most accessed objects, objects with response time problems, etc.
Identify and recommend ways to handle security vulnerabilities, capable of assessing the security level according to database security standards.
Data encryption solution:
The solution helps protect sensitive data by means of encryption: encrypting folders, files, hard drives.
Enforce data encryption on terminal devices (laptops, smart phones, desktop computers).
Encrypt data on local drives and network servers, at the file and directory level.
Network security solution:
The firewall solution helps protect the system gateway, preventing risks from the Internet environment.
Web filtering
Anti-intrusion (IPS)
Anti-DDoS
Anti-virus, anti-spam
Filtering of users and applications
Monitoring of service ports
Anti-Intrusion and Denial of Service (DDoS) Solution:
Solution using hardware equipment and a software system to help prevent this form of attack.
Solution features:
End-to-end security solutions
The access monitoring solution ensures that the regulations and security policies on the system are complied with.
Anti-attack on the endpoint (host-based IPS).
Encrypt important information.
Monitor applications installed on the terminal.
One-time password solution (OTP):
The OTP (single-use password) solution enhances user access protection.
Passwords are randomly generated over time (30 seconds, 60 seconds, …).
Integrate OTP into the IT infrastructure when accessing servers, network devices, databases, and applications.
Support many different forms of OTP such as sending via email, sending via SMS, using a hardware token, or a software token.
Definition of Firewall and IDS:
A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.
At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.
An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system.
Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security (P4)
A DMZ network is a perimeter network that protects and adds an extra layer of security to an organization's internal local-area network from untrusted traffic. A common DMZ is a subnetwork that sits between the public internet and private networks.
The role of the DMZ in the network zone:
The DMZ is a neutral network area between the local network and the internet. The DMZ is a place to store information that allows users from the internet to access and accept the risk of attacks from the internet.
Commonly deployed services in the DMZ are: Mail, Web, FTP
Ways to set up DMZ network zones:
Method 1: Set the DMZ between 2 firewalls, one to filter information from the internet and one to check information flowing into the local network.
Method 2: Use a router with multiple ports to put the DMZ in a separate branch, separate from the local network.
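The firewall policy that realises Method 1 is a short list of rules on the outer firewall, and the P3 question of what an incorrect configuration does to security can be shown on that list directly. The block below is an added example, not part of the original chapter: it models first-match rule evaluation with a default deny (the behaviour of common packet filters), defines a correct outer-firewall policy for a DMZ holding web and mail servers, and beside it a misconfigured policy in which a broad "allow anything" rule was placed above the rule that blocks the internal LAN. The address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the LAN) and the `Rule` layout are assumptions for the illustration. A second function, `shadowed_rules`, is the kind of check an administrator can run to catch the mistake: it reports rules that an earlier rule makes unreachable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, or None for any port


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule decides; if nothing matches, the packet is denied."""
    for rule in policy:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers every packet they would match (wider or equal src, dst and port)."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if (ip_network(earlier.src).supernet_of(ip_network(later.src))
                    and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"     # assumed DMZ subnet (documentation range)
LAN = "10.0.0.0/8"       # assumed internal network

# Outer firewall, Method 1: the internet may reach only the DMZ services;
# the internal LAN is never reachable from outside.
CORRECT_POLICY = [
    Rule("allow", INTERNET, DMZ, 80),
    Rule("allow", INTERNET, DMZ, 443),
    Rule("allow", INTERNET, DMZ, 25),
    Rule("deny", INTERNET, LAN, None),
]

# Misconfigured: a catch-all allow (perhaps left from troubleshooting) sits
# above the LAN deny, so the deny is shadowed and the LAN is exposed.
MISCONFIGURED_POLICY = [
    Rule("allow", INTERNET, "0.0.0.0/0", None),
    Rule("deny", INTERNET, LAN, None),
]

if __name__ == "__main__":
    for name, policy in (("correct", CORRECT_POLICY), ("misconfigured", MISCONFIGURED_POLICY)):
        print(name, "internet -> DMZ web:", evaluate(policy, "198.51.100.7", "192.0.2.10", 80))
        print(name, "internet -> LAN SMB:", evaluate(policy, "198.51.100.7", "10.0.0.5", 445))
        print(name, "shadowed rules:", shadowed_rules(policy))
```

The same shadowing check applies to the inner firewall of Method 1 and to an IDS rule set: a rule that is never reached gives a false sense of coverage, which is the practical impact of the misconfiguration the P3 question asks about.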
Table 1 Advantages and Disadvantages of DMZ
Advantages:
DMZ configuration for the authentication of unused services, to prevent others from accessing information-containing devices connected to the network.
The user configures the DMZ to optimize the performance of applications, programs, video or web games, and online services.
For example, enabling DMZ is beneficial for playing with a console; in many cases we need this functionality to play online correctly and without problems with NAT filtering and port opening.
Configuring the DMZ provides greater security in terms of computer security, but it should be noted that the process is complex and should only be performed by users with the necessary knowledge of network security.
Disadvantages:
Setting up the DMZ is something that not everyone knows how to do, so doing it wrong can lead to the potential loss or copying of all the information the system has. It will therefore be essential that only those who are absolutely certain of what they are doing take this action.
If DMZ validation is not done in a neat and detailed manner, it can be very dangerous and could lead to the loss of our team's information or the attraction of malicious outside intrusions. We recommend getting professional computer security support if you are thinking of solving this problem.
A static IP address is simply an address that doesn't change. Once your device is assigned a static IP address, that number typically stays the same until the device is decommissioned or your network architecture changes. Static IP addresses are generally used by servers or other important equipment.
NAT (Network Address Translation) is a technique that allows converting from one IP address to another. Normally, NAT is used in networks that use local addresses which need access to a public network (the Internet). The place to implement NAT is the edge router connecting the two networks.
Figure 14 NAT (Network Address Translation)
There are 3 types of NAT:
Static NAT
Static NAT is used to convert one IP address to another in a fixed way, usually from a local address to a public address, and this mapping is set manually, i.e. each address is mapped explicitly to one corresponding address.
Static NAT is useful in cases where devices need to have a fixed address to be accessible from outside on the Internet. These devices are typically servers such as Web or Mail servers.
Dynamic NAT
Dynamic NAT is used to automatically map one IP address to another, typically a mapping from a local address to a registered address. Any IP address within a predetermined public IP address range can be assigned to a device within the network.
NAT Overload
NAT Overload is a form of Dynamic NAT which maps multiple IP addresses to one (many-to-one) and uses different port numbers to distinguish each conversion. NAT Overload is also known as PAT (Port Address Translation).
The port number is 16-bit encoded, so up to 65536 internal addresses can be converted to a public address.
NAT is responsible for transmitting packets from one network layer to another in the same system. NAT will change the IP address inside the packet, which then passes through the router and network devices.
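To make the many-to-one mapping and its security effect concrete, the following added example (not from the original chapter) simulates the translation table an edge router keeps for NAT Overload/PAT. Outbound packets from two internal hosts that happen to use the same source port are each given a distinct public port; inbound packets are forwarded only when their destination port has an entry in the table, so unsolicited traffic from the internet never reaches an internal address. The class name, address ranges and the starting public port are assumptions for the illustration.

```python
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class PatTable:
    """Translation state for NAT Overload (PAT) on an edge router."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = count(first_port)          # next free public port
        self.out_map: Dict[Endpoint, int] = {}   # (inside_ip, inside_port) -> public port
        self.in_map: Dict[int, Endpoint] = {}    # public port -> (inside_ip, inside_port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an internal packet's source to the public IP and a unique
        public port, creating the mapping on first use. Returns the header as
        seen on the internet side: (src_ip, src_port, dst_ip, dst_port)."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            public_port = next(self._ports)
            if public_port > 65535:              # 16-bit port space exhausted
                raise RuntimeError("no free public ports")
            self.out_map[key] = public_port
            self.in_map[public_port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[tuple]:
        """Rewrite a packet arriving at the public IP back to the internal host.
        Ports with no mapping are dropped (None): this is why hosts behind PAT
        are not directly reachable from the internet."""
        inside = self.in_map.get(dst_port)
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def demo() -> dict:
    """Two internal hosts with the same local port reach one external server."""
    nat = PatTable("203.0.113.1")                # assumed public address
    a = nat.outbound("10.0.0.2", 40000, "198.51.100.80", 443)
    b = nat.outbound("10.0.0.3", 40000, "198.51.100.80", 443)
    reply_b = nat.inbound("198.51.100.80", 443, b[1])
    unsolicited = nat.inbound("198.51.100.80", 443, 5000)
    return {"a": a, "b": b, "reply_b": reply_b, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(demo())
```

Real routers also age mappings out after an idle timeout and, for TCP, track connection state; this simulation keeps only the address and port translation that the text describes.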
Table 2 Advantages and Disadvantages of NAT
Advantages:
Saving IPv4 addresses: the number of users accessing the internet is increasing day by day. This leads to the risk of an IPv4 address shortage. The NAT technique helps reduce the number of IP addresses that need to be used.
Disadvantages:
When using the NAT technique, the CPU has to check and spend time changing the IP address. This increases the delay during switching and affects internet connection speed.