
1,

Which of these are Personally Identifiable Information?


All

2,
Which of these is an anti-virus program
All

3,
What is PUP?
Potentially Unwanted Program

4,
Internet can impose a number of Risks and hence Cybersecurity is required.
T

5,
________ monitors user activity on internet and transmit that information in the background to
someone else.
Spyware

6,
Which of these are cyber threats?
All

7,
Unsolicited commercial email is known as
Spam

8,
In symmetric-key cryptography, the same key is used by
Both

9,
The sole purpose of ________ attack, is to fool the victim and to get all the confidential
information
Phishing

10,
The Cryptography can provide
All

11,
In Symmetric-key cryptography, the key used by the sender and the receiver is
Shared

12,
Risk represents ________
Threat * Vulnerability

13,
If there is a vulnerability but no threat, then there won't be a risk.
T

14,
is the guarantee of data privacy and protection against unauthorized disclosure.
Confidentiality

15,
Cryptography, a word with Greek origins, means
Secret writing

16,
Detection and Analysis is a continuous process of a cyber-attack for detecting Malware intrusion
and their remote connections.
T

17,
Which is a part of a response phase activities ?
Pre-ap

18,
Which is not part of a response follow-up activities ?
Take appropriate

19,
Which is a open source data loss prevention solution.
MyDLP

20,
Incidents should be handled on a first come- first serve basis and must be prioritized based on
the Business impact.
F

21,
Which is not part of a Incident Response Preparation phase ?
Defining Objectives

22,
Deep packet inspection can be used to give more context to indicator only.
False

23,
How do we define RADIUS?
Remote Authentication Dial-In User Service

24,
Which of these are Threats related to Email Security?
All

25,
Which of these is true with respect to passwords?
At least 8 characters

26,
Which of these are examples biometrics?
all

27,
Phishing emails include fake notifications from banks and e-payment systems.
T

28,
A ________ is a credit card sized card with an embedded chip, containing information about the
user
Smart card

29,
As an email client, we should not use caution when opening emails and can download any
attachments.
F

30,
It is a program or hardware device that filters the information coming through an internet
connection to a network or computer system.
Firewall

31,
Cybersecurity threat is a scenario which will try to exploit possible vulnerabilities to enhance
security
F

32,
Which is not part of a threat Modelling process ?
Comp

33,
Which is not part of a threat Modelling process ?
ARisk

34,
The altering of data so that it is not usable unless the changes are undone is
Encryption

35,
Network layer firewall works as a
Packet filter

36,
At Operational level threat intelligence real time feed protocols are being used.
T

37,
Which one will not be considered in Cybersecurity threat Intrusion Phases ?
Alliance

38,
The keys used in Cryptography are
SR (marked wrong)

39,
Which is not a set of activity performed to prevent future incidents in Incident management?
Mitigate

40,
UEBA stands for
User and Entity Behavior Analytics

41,
Which is not a characteristics of Advanced Persistent threats ?
FA
42,
In Asymmetric-Key Cryptography, although RSA can be used to encrypt and decrypt actual
messages, it is very slow if the message is
long

43,
Which helps to prevent the cyber-attacks using various security related tools, policies, best
practices and guidelines ?
TM

44,
At Strategic level threat intelligence information can be exchanged within its operating
community
F

45,
Which helps to predict the cybersecurity potential risks effectively
PH

46,
Detection and Analysis is a continuous process of a cyber-attack for detecting Malware intrusion
and their remote connections
T

47,
A ________ is an extension of an enterprise's private intranet across a public network such as
the Internet, creating a secure private connection.
VPN

Cybersecurity - Significance
With rapid technological change, organizations are grappling with growing security concerns.
Any cybersecurity incident can damage a hard-earned reputation and cause the loss of high-value
assets.

Data breaches and cyberattacks have had a great impact, and organizations are working to reduce
security breaches.

Conventional IT security leaders have grown into digital security leaders and have widened their
remit to address risks in technology-driven engineering and physical environments.
It is high time that everyone understood more about cybersecurity and stayed cautious at the same
time.

Course Elements
Welcome to this journey on Cybersecurity!

In this course, you will learn about the following topics.

What is Cybersecurity?
Malicious Programs
Core Security Principles
Risks, Threats and Vulnerabilities
Cybersecurity Threats
Cybersecurity Architecture
Cybersecurity Incidents
Operating System Security
Email Protection
Network Security

What is Cybersecurity?
Cybersecurity includes

technologies
processes and controls
Cybersecurity is designed to protect systems, networks and data from cyberattacks, damage or
unauthorized access.

Effective cybersecurity protects organizations and individuals from the unauthorized exploitation
of systems, networks, and technologies.

What is Cybersecurity?
Cybersecurity is a vast field, and everyone needs to understand its different aspects in order to
protect both personal and organizational information.

If you have been wondering:

Why is cybersecurity required?
What are cybersecurity threats and malicious programs?
What are the consequences of cyberattacks?
What are the preventive measures and techniques?
Let's embark on the course, which will give you an overall view and understanding of these
questions.
Quick Fact
Gartner predicted that worldwide security spending would reach $96 billion in 2018, an increase of
8% from 2017.

Why is Cybersecurity Required?


Cyberattacks happen all the time, and they grow more prevalent as new digital trends emerge.

What is a cyberattack?

An attempt by an attacker to intrude into, disrupt or destroy a computer network or system.

Cybersecurity:

protects the data and integrity of computing assets within an organization's network.
defends those assets against threat actors throughout the entire life cycle of a cyberattack.
Keeping pace with cybersecurity strategies and operations is a challenge, as cyberspace expands
with technologies like cloud and mobile computing.

Quick Fact
Considered one of the most significant breaches in history, the US Office of Personnel
Management was hacked in April 2015, resulting in the theft of approximately 21.5 million
personnel records.

The breach exposed Personally Identifiable Information (PII) such as Social Security numbers,
names, and addresses.

Focus of Cybersecurity
The focus of cybersecurity is on

preventing
mitigating
detecting
investigating and
responding to cyber attacks.
The complexity of cyberspace implies that there are potentially endless lists of attack scenarios
and malicious programs.

You will learn about the different malicious programs in the next section!

What are Malicious Programs?


Malicious programs, or malware, are specifically designed to delete, block, modify, or disrupt the
performance of computers and computer networks.

Malware includes

Viruses
Worms
Trojans
Spyware
Adware
Ransomware
Scareware
Viruses and worms are two of the most familiar malicious programs.

Worm and Virus

Virus
A virus is malicious code that attaches itself to a host program or document, replicates when the
host is run, and spreads to other files and systems, eventually corrupting them.
It needs an active host program (or an already-infected system) to execute and cause damage; it
cannot run on its own.
A virus spreads to other hosts through some carrier, one of the most frequent being an email
attachment.
Worm
Unlike a virus, a worm is standalone software that needs no host program and no human action to
spread.
Worms self-replicate within and between systems, consuming resources such as processing time,
memory and bandwidth.
A worm typically enters through a vulnerability and then abuses the system's information-transport
or file-transport features (network shares, email, exposed services) to reach the next host.

Spyware and Adware

Spyware
Spyware is designed to covertly collect data from its host computer (such as browsing habits and
credentials), often for marketing purposes, and transmit it to a remote system without the user's
knowledge.

Adware
Adware is similar to spyware, but is designed to deliver advertising, for example in pop-up
windows.
Quick Fact
Adware and spyware are commonly classified as Potentially Unwanted Programs (PUPs).

A potentially unwanted program (PUP) is software that can be considered nonessential and whose
installation can compromise privacy or weaken the computer's security.

Ransomware and Scareware


Ransomware
Ransomware holds a computer system or its data hostage until a ransom is paid.
It restricts access either by encrypting files on the hard drive or by displaying messages intended
to force the user to pay the malware author to remove the restriction and regain access.
Scareware
Scareware tricks users into believing their computer is infected with a virus, then urges them to
download and pay for fake antivirus software.
Usually the virus is fictional, and the software is either non-functional or malware itself.
Did you know? The number of scareware packages in circulation rose from 2,850 to 9,287 in the
second half of 2008 alone.

Source: Anti-Phishing Working Group


Trojan
A Trojan is named after the wooden horse the Greeks used to infiltrate Troy: it masquerades as
legitimate software so that the user runs it.

Upon activation, a Trojan attacks a host by

irritating the user (popping up windows, changing the desktop), or
damaging the host (deleting files, stealing data, or activating and spreading other malware such
as viruses).
Unlike viruses and worms, Trojans do not replicate on their own; they spread through user
interaction such as
opening an e-mail attachment, or
downloading and running a file from the Internet.
Trojans are best known for providing backdoor access to the system for malicious users.

Viruses, Worms and Trojans - Differences


The accompanying video covers a bit more about malware and the differences between viruses,
worms, Trojans, ransomware and spyware.

Quick Fact
Notable Worms, Viruses and Trojans

Zeus (Trojan) - targeted Microsoft Windows to steal banking credentials by keystroke logging and
form grabbing.

Nimda (worm) - caused about $530 million in damage within one week. It propagated by harvesting
email addresses and by appending malicious JavaScript to web pages on the servers it infected,
among other routes.

CryptoLocker (Trojan/ransomware) - encrypts files on the user's hard drive and demands a ransom
from the user in exchange for the decryption key.

Botnets
The word botnet is derived from robot and network.

The objective of creating a botnet is to infect as many connected devices as possible.

A bot is a device infected by malware that becomes part of a network of infected devices
administered by a single attacker or attack group (the botmaster).

Botnets look for vulnerable devices throughout the Internet, instead of targeting particular
individuals, industries or companies.

Malnets
Malnets differ from botnets:

While botnets are largely used to distribute spam and malware to other users, a malnet (malware
network) is used to draw users in and infect them.
Botnets are often controlled by a single or small number of command servers, whereas malnets use
fast-changing infrastructure.
Malnet infrastructure allows cybercriminals to launch dynamic attacks that can remain unnoticed by
conventional anti-virus vendors for days or months.

Malvertising
Malvertising is a newer way of spreading malware that is harder to combat because it rides on
legitimate web pages and can compromise a system without the user noticing.
Malvertising is the injection of malicious or malware-laden advertisements into genuine online
advertising networks and web pages.

It lets attackers reach a large number of websites without directly compromising any of them.

The notable thing about infection through malvertising is that it need not require any user action
such as clicking or downloading: the malicious ad can trigger a drive-by download as soon as the
page loads.

Quick Fact
In 2017, the "WannaCry" ransomware hit over 200,000 systems across 150 countries by exploiting a
flaw in the SMBv1 file-sharing service of Microsoft Windows for which Microsoft had already issued
a patch (MS17-010).

Many companies, among them Telefonica, FedEx and Renault, and the UK's NHS were badly affected by
WannaCry.

Infection - Signs and Symptoms


Some signs that could indicate your system is infected:

Reduced performance due to slow-running processes
System instability
Browser homepage changed without your action
Pop-up ads appearing more frequently than usual
Browser redirection
Disabled functions (for example, antivirus or task manager that will not start)
Inability to connect to the Internet or to access higher-level system control functions

Antivirus software
Antivirus software inspects files entering the system from sources such as USB drives, e-mail and
websites, and checks whether they match any of its virus or PUP signatures.
If a file matches, the software typically removes or quarantines it.
Signature-based detection is roughly 95% effective at best, because new viruses and PUPs are
created constantly and a signature exists only for what has already been seen.
Antivirus software therefore needs to be updated regularly so that new signatures are added.
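As an added example (not code from the course), here is a minimal signature scanner in Python that shows the two kinds of signature an antivirus database holds, and why a single changed byte defeats an exact-hash signature but not a pattern. All file contents, hashes and signature names are constructed for the example; the only real artifact is the EICAR test string, which scanners recognize by convention.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "files"; none of this is real malware.  The EICAR test
# string is assembled from two halves at runtime so that this source file does
# not itself start with the string and trip a real scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         + b"ANTIVIRUS-TEST-FILE!$H+H*")
KNOWN_BAD_SAMPLE = b"MZ\x90\x00PE-dropper-v1\x00payload=7c1e"   # constructed

# Two kinds of signature a scanner database holds:
#   1. exact-file hashes: precise, but defeated by changing a single byte
#   2. byte/regex patterns: generic, catch variants, risk false positives
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Trojan.Example.Dropper",
}
PATTERN_SIGNATURES: List[Tuple[re.Pattern, str]] = [
    (re.compile(re.escape(EICAR)), "EICAR-Test-File"),
    (re.compile(rb"PE-dropper-v\d+"), "Trojan.Example.Dropper.Gen"),
]


def scan_file(data: bytes) -> Optional[str]:
    """Return the name of the first signature that matches, or None if clean."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            return name
    return None


def scan_and_quarantine(files: Dict[str, bytes]) -> Tuple[Dict[str, str], List[str]]:
    """Scan every file; return (quarantined name -> verdict, list of clean names)."""
    quarantine: Dict[str, str] = {}
    clean: List[str] = []
    for name, data in files.items():
        verdict = scan_file(data)
        if verdict is None:
            clean.append(name)
        else:
            quarantine[name] = verdict
    return quarantine, clean


SAMPLE_FILES: Dict[str, bytes] = {
    "eicar.com": EICAR,
    "invoice.exe": KNOWN_BAD_SAMPLE,
    # One byte changed: the hash signature no longer matches, the generic
    # pattern still does.  This is why vendors ship both kinds of signature.
    "invoice_v2.exe": KNOWN_BAD_SAMPLE.replace(b"v1", b"v2"),
    "notes.txt": b"Quarterly planning notes, nothing to see here.",
}

if __name__ == "__main__":
    quarantined, clean = scan_and_quarantine(SAMPLE_FILES)
    for name, verdict in quarantined.items():
        print(f"QUARANTINE {name}: {verdict}")
    print("clean:", clean)
```

The generic pattern is what catches the trivially repacked variant; a database of exact hashes alone would have let invoice_v2.exe through, which is the everyday reason signature updates are never a complete defence.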

Myths!
There are some common myths about computer viruses:

Any error message on the system indicates a virus infection - False; it can equally indicate a
hardware or software fault.

Viruses and worms always require user interaction - False; worms in particular spread by
exploiting vulnerabilities and run their code without any user action.

Email attachments from known senders are safe - False; a compromised or spoofed sender account
is a common way to spread infection.

Antivirus programs will stop all threats - False; no protection is 100%.

Viruses can inflict physical damage on your computer - In practice this is very rare; the
exceptions are malware that corrupts firmware (such as CIH, which overwrote the BIOS flash on
some boards) or that drives industrial equipment outside its safe limits (such as Stuxnet).

Core Security Principles
The fundamental principles of providing a secure system are ensuring

Confidentiality

Integrity

Availability.

Together these are known as the CIA triad, which is widely acknowledged in information assurance
models.

In this section, you will understand each of these in detail.

Confidentiality
Confidentiality is the guarantee of data privacy and protection against unauthorized disclosure.

Personally Identifiable Information (PII):

Social Security numbers
Credit card information
Account numbers
Business information such as:
Financial data
Employee records and trade secrets
All of the above are categorized as confidential information.

Integrity
Protecting data from unauthorized modification is called integrity.

Integrity is compromised when information has been modified or destroyed, either maliciously or
accidentally.
Example of an integrity violation: a student breaking into the grades system and changing his or
her Maths grade from C to A.
Measures to protect against violations of integrity:

Auditing the network for uncommon or suspicious activity.

Host-based integrity checkers such as Tripwire, which record a checksum of every protected file
and compare the current checksums against that baseline to detect unauthorized changes.

Availability
Availability is ensuring that data and services are available to authorized users whenever
required.

A denial of service (DoS) attack is an attack against availability: it floods a system with
requests so that service to genuine users is interrupted.
A distributed denial of service (DDoS) attack is more effective because it uses a botnet of many
compromised hosts to generate the traffic, which is much harder to block at the source.

Protecting Information
Data leakage is not always noticeable.

Protecting information

Encryption is one of the key measures for protecting against loss of confidentiality.

Encryption converts data into an unreadable form (ciphertext) that cannot be turned back into the
original without the key.

Individuals and businesses should allow only authorized individuals, processes, or devices to
access the data.

Protection Mechanisms
A system built around the CIA triad provides protection mechanisms that offer layered protection
to the data.

A layered approach with proper checks improves confidentiality, integrity, and availability.

Model
Multiple Layers - Different controls guard the system against various threats arriving at
different levels, so that no single failure exposes the data.
Abstraction - Grouping similar elements (for example, users into roles, or objects into classes)
so that controls can be applied to the whole group efficiently.
Data Hiding - Keeping data undiscoverable by unauthorized personnel, so that they do not even
learn it exists.
Encryption - Masking the original data so that it cannot be interpreted without the key.
Details of encryption are covered in the next section.

Quick Fact
Check your understanding!

If a person gained unauthorized access to the company's payroll information and read the payroll
details of all employees, what type of violation would it be - integrity, confidentiality or
availability?

Cryptography - World of Encryption


The word cryptography comes from two Greek words,

'kryptos' meaning hidden, and

'graphein' meaning writing.
Believed to have been used as early as ancient Egypt (around 1900 BC), cryptography ensures secure
communication in the presence of malicious third parties (adversaries).

Encryption uses an algorithm and a key to transform an input (plaintext) into an encrypted output
(ciphertext).

In this section, you will understand more about cryptography.

The two categories of encryption algorithm are:

Symmetric
Both encryption and decryption use the same (shared) key.
Used for encrypting large amounts of data (such as an entire disk partition or database) because
it is very fast.
Primarily used for privacy and confidentiality.
Asymmetric
Uses two different keys for encryption and decryption (a public key and a private key).
The public key may be freely distributed, while the private key is kept secret.
Much slower than symmetric encryption, and can only encrypt a message smaller than the key size:
for a 2048-bit RSA key that is less than 256 bytes, and less still once padding is applied.
Therefore it is used to encrypt symmetric keys, which are then used to encrypt much larger blocks
of data (hybrid encryption).
Primarily used for authentication, non-repudiation, and key exchange.
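Added example (not the course's code) using the third-party Python `cryptography` library: RSA-OAEP wraps a freshly generated AES-256-GCM key, and the symmetric key encrypts the bulk data. It also shows the size ceiling that makes RSA alone impractical for messages (with a 2048-bit key and SHA-256 OAEP padding, 190 bytes) and that the authenticated symmetric mode rejects a tampered ciphertext. Key sizes and the sample payload are assumptions for the demo.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 is the padding to use for RSA encryption today.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair(bits: int = 2048):
    """Asymmetric pair: the public half may be published, the private half never."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def rsa_max_plaintext(public_key) -> int:
    """Largest message RSA-OAEP/SHA-256 accepts: modulus bytes - 2*hash bytes - 2."""
    return public_key.key_size // 8 - 2 * 32 - 2      # 190 for a 2048-bit key


def rsa_only_accepts(public_key, plaintext: bytes) -> bool:
    """True if RSA alone can encrypt the message, False if it is too long."""
    try:
        public_key.encrypt(plaintext, OAEP)
        return True
    except ValueError:
        return False


def hybrid_encrypt(public_key, plaintext: bytes) -> dict:
    """A fresh symmetric data key encrypts the bulk; RSA only wraps the 32-byte key."""
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                  # never reuse a nonce with the same key
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, None)
    wrapped_key = public_key.encrypt(data_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}


def hybrid_decrypt(private_key, message: dict) -> bytes:
    """Only the private key holder can unwrap the data key and read the bulk."""
    data_key = private_key.decrypt(message["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(message["nonce"], message["ciphertext"], None)


def tamper_is_detected(private_key, message: dict) -> bool:
    """AES-GCM authenticates the ciphertext: a single flipped bit must be rejected."""
    ct = bytearray(message["ciphertext"])
    ct[0] ^= 0x01
    try:
        hybrid_decrypt(private_key, dict(message, ciphertext=bytes(ct)))
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    priv, pub = generate_keypair()
    bulk = b"customer database export " * 4000     # ~100 KB, far past RSA's limit
    print("RSA alone accepts 100 KB:", rsa_only_accepts(pub, bulk))   # False
    envelope = hybrid_encrypt(pub, bulk)
    print("hybrid round trip ok:", hybrid_decrypt(priv, envelope) == bulk)  # True
    print("tampering detected:", tamper_is_detected(priv, envelope))       # True
```

This is exactly the envelope pattern used by TLS, PGP and cloud KMS services: the expensive asymmetric operation runs once on a 32-byte key, and everything else is symmetric.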

Plaintext

Any text that can be read and understood as communicated is plaintext (or cleartext). It is
readable by humans.

Ciphertext

Ciphertext is the transformed form of the plaintext, which cannot be read or understood without
decryption. It is also known as encrypted text.
How does it work?

Plaintext is encrypted before being sent over the medium.

The encrypted message (ciphertext) is received at the other end of the medium and decrypted to
recover the original plaintext message.

Applications
• Integrity check - Uses a hash function to ensure data has not been modified, erased or lost,
whether accidentally or without authorization. The digest must itself be stored or sent through a
trusted channel; otherwise an attacker who changes the data can simply recompute it.

• Authentication - Positively identifying and validating an entity in a system, such as the signer
of an electronic contract. Uses a digital signature or a Message Authentication Code (MAC).
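Added example, not from the course: the same message protected first by a plain SHA-256 digest and then by an HMAC-SHA256 tag, with a man-in-the-middle altering the payee. The message and key are constructed for the demo. The unkeyed hash detects accidental corruption only; the keyed MAC detects deliberate tampering because the attacker cannot recompute the tag without the key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def hash_protect(message: bytes) -> Tuple[bytes, str]:
    """Integrity check only: ship the message with its SHA-256 digest (no key)."""
    return message, hashlib.sha256(message).hexdigest()


def hash_verify(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def mac_protect(key: bytes, message: bytes) -> Tuple[bytes, str]:
    """Authentication: ship the message with an HMAC-SHA256 tag under a shared key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)     # constant-time, no timing leak


def man_in_the_middle(message: bytes) -> Tuple[bytes, str]:
    """The attacker rewrites the payee and, lacking any key, attaches the only
    check value he can compute: a fresh unkeyed hash of the forged message."""
    forged = message.replace(b"payee=alice", b"payee=mallory")
    return forged, hashlib.sha256(forged).hexdigest()


def demo() -> Dict[str, bool]:
    key = secrets.token_bytes(32)            # shared in advance by sender and receiver
    order = b"transfer=100;payee=alice"      # constructed message

    msg, digest = hash_protect(order)
    forged, forged_digest = man_in_the_middle(msg)

    msg, tag = mac_protect(key, order)
    forged2, forged_check = man_in_the_middle(msg)

    return {
        "hash_accepts_genuine": hash_verify(msg, digest),
        "hash_accepts_forgery": hash_verify(forged, forged_digest),      # True: undetected
        "mac_accepts_genuine": mac_verify(key, msg, tag),
        "mac_accepts_forgery": mac_verify(key, forged2, forged_check),   # False: detected
        "mac_accepts_replayed_tag": mac_verify(key, forged2, tag),       # False: detected
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:26} {outcome}")
```

A MAC proves the message came from someone holding the shared key, but since both parties hold it, it cannot prove to a third party which of them sent it; that non-repudiation property needs a digital signature, where only the signer has the private key.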

Risks, Threats and Vulnerabilities


To develop security strategies, you need to understand assets, threats, vulnerabilities and risks.

1. Assets
Assets are tangible or intangible items that can be assigned a value.
Examples of tangible assets are printers or computers.
Intangible assets include trade secrets, databases, and company records.

2. Threat
A potential source of harm that, in general, is outside your control. Threats include a
disgruntled employee, terrorists, or natural events.

3. Vulnerability
A security flaw or weakness in a system. A threat can exploit an asset only if the asset is
vulnerable. An unpatched system connected to the Internet is an example of a vulnerability.

4. Risk
Risk is the chance of something bad happening unexpectedly, and it is a combination of threats and
vulnerabilities.

Risk is the product of threat and vulnerability, so to understand the risk to an asset, the
possible threats and vulnerabilities must both be analyzed:

Risk = Threat * Vulnerability

(Many risk frameworks also multiply by impact or asset value, so that a likely exploit of an
unimportant asset does not outrank a rarer one against a critical asset.)

Risk is the likelihood of a threat exploiting a vulnerability.

Risks could cause

Business disruption,
Financial loss, or
Even loss of life.

Scenario - Determining Risk


Use the short story of the Three Little Pigs and the wolf to perform a risk analysis of three
scenarios.

There were three little pigs.

The first little pig built a house of straw, but the wolf blew it down and ate the pig.
The second little pig built a house of sticks, but the wolf blew it down too and ate the pig.
The third little pig built a house of bricks, which the wolf could not blow down.
So how would you perform the risk analysis?

Threat
In all three scenarios the threat is the same, 100% (1.0): the wolf always tries to blow the house
down.

Vulnerability
The vulnerability is what changes:

Straw house - 90% (0.9) vulnerable to being blown down.
Stick house - 40% (0.4) vulnerable; the wolf has less chance than with straw.
Brick house - 0% (0.0) vulnerable; the wolf cannot break it down.

Applying Risk = Threat * Vulnerability: straw 1.0 * 0.9 = 0.9, sticks 1.0 * 0.4 = 0.4, bricks
1.0 * 0.0 = 0.
Inference
The threat did not change, but the vulnerability can be fixed, and fixing it drove the risk to
zero. So you should check and address vulnerabilities regularly.

Quick Fact
There are scenarios where a threat exists, but if there is no vulnerability, there is no risk.

Similarly, if there is a vulnerability but no threat, there is again no risk.

Up Next!
Now that you know that vulnerabilities can be found and fixed regularly to reduce risk, let's get
introduced to attack surfaces in the next topic. Reducing them also minimizes risk.
What is an Attack?
An attack can compromise the security of data.
There are two main types of attack: passive and active.

Passive attack

Monitoring transmissions with the intention of capturing information without the knowledge of
the user.
This is non-invasive; nothing is changed, so it is hard to detect.
Example: eavesdropping on network traffic to capture passwords or data files.
Active attack

Here the intruder tries to break into secured systems to steal or modify information, or to plant
malicious code.
Example: injecting systems with malicious programs such as worms, viruses or Trojans.

Attack Types
Phishing - one of the most dangerous cyber threats of all time. The sole purpose of phishing is to
fool the victim into handing over confidential information such as address, bank account,
password or card number. Phishing spreads through email and even phone calls (vishing).

Password attack - Attackers need no emails, code or forged links for this attack; they simply
crack or guess your password, using password-cracking tools for brute-force and dictionary
attacks, or reusing credentials leaked from another site.

Drive-by download - Triggered just by visiting a website. A download starts automatically,
without any action by the user, and malware is installed on the device.

Now you will understand about Attack Surfaces!

What is an Attack Surface?


An attack surface is the set of all known, unknown and potential vulnerabilities across the areas
of exposure:

Software
Hardware
Network
User.
To reduce risk, the attack surface must be reduced.

Attack Surfaces - Software and Hardware


Software attack surface
Comprises the applications, services, configurations, executables, DLLs and web pages that are
exposed to users.
Attacks on it target vulnerabilities that can cause anything from a minor annoyance to a system
crash.
Software vulnerabilities include buffer overflows, code injection and similar flaws.

Hardware attack surface

Hardware can also create an avenue for attack. Most hardware attacks require physical access to
the device, but some can be carried out over a network connection.
Hardware-related exposures include devices that users attach or install, such as plug-in flash
drives.

Network attack surface

Includes exposure through channels, protocols, devices, applications, ports and interfaces.

The network attack surface can be reduced by:

ensuring only required features are enabled
closing unnecessary ports
implementing intrusion prevention systems
firewalls.
User attack surface

The weakest channel of all is the user.

User-driven exposure can be tracked and curbed by logging and auditing.

Quick Fact
With new technologies like cloud, mobile computing and the Internet of Things (IoT), the attack
surface continues to grow.

All attack surfaces must be tracked, monitored and checked.

Cybersecurity Threats
A cybersecurity threat is a scenario in which someone tries to exploit possible vulnerabilities to
breach security, thus impacting ongoing business.

It is increasingly critical because of

Growing exposure to the Internet
Growth of wireless technology
Proliferation of smart devices (Internet of Things)
Example scenario: a hacker or cyber criminal may want to break into bank accounts, collect
personal information, or lock or encrypt your data for extortion.

Classification of Threats
Malicious: a hacker or disgruntled employee who is interested in a specific asset or piece of
information.

Non-malicious: harm that happens through negligence or error, such as cutting corners on security.

Either can affect a person or business through:

Compromise of information: information theft, retrieval of discarded materials.

Compromise of functions: errors in operation and abuse of access rights.

Intrusion Phases
An attacker works towards objectives (for example, exfiltration of data) by planning and
performing a set of activities. Network intrusion happens in phases:

1. Reconnaissance - Continuous search for and identification of possible targets.

2. Weaponize - Pairing malware with a deliverable. Example: an MS Office document.

3. Delivery - Transmitting the weapon to the identified target. Example: e-mail, websites.

4. Exploitation - Exploiting a vulnerable system or application. Example: triggering the weapon's
code.

5. Installation - Installing a backdoor for persistent access.

6. Command and control - The implant calls back to attacker-controlled infrastructure, giving the
intruder hands-on-keyboard access to the compromised system.

Advanced Persistent Threats (APT)

A kind of network attack in which an unauthorized party gains access to a network and remains
there undetected for a long time.
The intention is purely to steal data rather than to damage the network or organization.
A few characteristics of an APT:

Tends to be highly customized to a specific target.

Deployment is semi-automated and operates in a low and slow manner to remain unnoticed.
Has specific objectives depending on the source of the attack, which may change over time.
Infiltrates, hides, and then continues its operation.
Uses command and control to deliver customized malware updates.
Botmaster threat
Most cyberattacks are automated or semi-automated by an individual botmaster or a group of them.

An attack usually starts from a known URL or address; by then scanning the surrounding LAN or
Internet address space, it can go on to exploit every associated vulnerable system.

Threat Modelling
Threat modelling is a process for securing web/mobile applications or any other asset by
determining the effective security controls and measures.

Considerations
Identify Security Objectives - for example, must the application be available as per the agreed
Service Level Agreement (SLA)?
Survey the Application - analyze and identify components, data flows and trust boundaries (for
example, with a UML component diagram).
Decompose it - identify the features and modules with a security impact (for example, how a
module validates and processes data before storing it).
Identify Threats and Vulnerabilities - an attacker who understands your internal processes is a
huge threat.

Assessment and Management


Static analysis: static or code analysis is performed by dissecting the different resources of a
binary file without executing it and studying each component. Example: analysis of the machine
or assembly code.

Dynamic analysis: dynamic or behavioral analysis is done by observing the behavior of the malware
as it runs, and is usually performed in a sandboxed virtual environment to prevent the malware
from infecting production systems.

Threat management is the best practice for managing cyber threats; it enables early
identification of vulnerabilities using data-driven situational analysis:

Threat analytics - manual and automated intelligence data collection.
Behavioral modeling - real-time monitoring.
Advanced analytics - to provide situational awareness.

Quick Fact
In June 2007, US officials disclosed that hackers had broken into the Pentagon through a targeted
attack on parts of the email system, calling it the most successful cyberattack to date on the
US Defense Department.

Risk Mitigation
Reduce risks by preventing cyber-attacks using the security-related tools, policies, best
practices and guidelines available with the latest technologies.

STRIDE - a threat classification model that helps to reason about, enumerate and prioritize
threats to a system, limiting the guesswork and false positives in threat identification.

Spoofing - impersonating a valid user's identity.
Tampering - unauthorized modification of data or code, for example by misusing read/write access.
Repudiation - falsely denying having sent or received something.
Information disclosure - data or information leaking to someone not authorized to see it.
Denial of Service - making resources unavailable to their intended users.
Elevation of privilege - exploiting a bug to gain admin access.
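An added example (hypothetical application; not from the course) of STRIDE applied per element of a data-flow diagram, the way Microsoft's SDL threat-modelling practice does it: each element type attracts a fixed subset of STRIDE categories, data stores that hold audit logs additionally face repudiation, and elements on a trust boundary are reviewed first. The output is a starting threat list with the control family that addresses each category.

```python
from typing import Dict, List

STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Control family that addresses each category (the "what do we do about it" column).
MITIGATION: Dict[str, str] = {
    "S": "authentication",
    "T": "integrity protection (hashes, MACs, signatures, input validation)",
    "R": "audit logging and digital signatures",
    "I": "encryption and authorization",
    "D": "rate limiting, quotas and redundancy",
    "E": "authorization and least privilege",
}
# STRIDE-per-element: the categories each DFD element type is exposed to.
APPLICABLE: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",      # plus R when the store is an audit log
    "data_flow": "T ID".replace(" ", ""),
}

# Constructed data-flow diagram of a small web shop (hypothetical names).
DFD: List[Dict] = [
    {"name": "Browser user", "type": "external_entity"},
    {"name": "Web app", "type": "process"},
    {"name": "HTTPS request user->web", "type": "data_flow", "crosses_trust_boundary": True},
    {"name": "SQL query web->db", "type": "data_flow"},
    {"name": "Orders DB", "type": "data_store"},
    {"name": "Audit log", "type": "data_store", "is_log": True},
]


def enumerate_threats(elements: List[Dict]) -> List[Dict[str, str]]:
    """Expand a DFD into one candidate threat per (element, STRIDE category)."""
    threats: List[Dict[str, str]] = []
    for el in elements:
        categories = APPLICABLE[el["type"]]
        if el["type"] == "data_store" and el.get("is_log"):
            categories += "R"
        # Elements on a trust boundary are where untrusted input enters: review first.
        priority = "high" if el.get("crosses_trust_boundary") else "normal"
        for c in categories:
            threats.append({"element": el["name"], "threat": STRIDE[c],
                            "mitigation": MITIGATION[c], "priority": priority})
    return threats


def threats_for(name: str, elements: List[Dict] = DFD) -> List[str]:
    return [t["threat"] for t in enumerate_threats(elements) if t["element"] == name]


def high_priority(elements: List[Dict] = DFD) -> List[Dict[str, str]]:
    return [t for t in enumerate_threats(elements) if t["priority"] == "high"]


if __name__ == "__main__":
    for t in enumerate_threats(DFD):
        print(f"[{t['priority']:6}] {t['element']:26} {t['threat']:24} -> {t['mitigation']}")
```

The list is a checklist, not a verdict: each candidate still has to be confirmed or dismissed against the actual design, which is where the "survey" and "decompose" steps above pay off.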

Mitigation Steps
i) Classify Assets - classify information assets by their business significance.

ii) Stay Informed - IT and security teams need to stay up to date on the latest threats and
attacks.

iii) Effective Controls - implement controls and monitor them continuously to confirm they remain
effective.

iv) Governance and Reporting - inform senior management of cybersecurity policies and control
mechanisms.

Cyber Threat Hunting - Prediction


Cyber threat hunting is a proactive process that predicts potential risks efficiently using:

Big data analytics, which can detect long and slow Advanced Persistent Threats.
Machine learning and UEBA (User and Entity Behavior Analytics), which baseline normal behavior
and flag deviations from it.
Intelligence feeds: threat intelligence feeds, malware analysis and vulnerability scans.
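An added Python example, not from the course, of the UEBA idea in its simplest form: build a per-user baseline (login hours, source addresses, geolocations) from authentication logs, then score each new login by how far it deviates and alert only when several weak signals coincide. The log lines, user names and addresses are constructed for the demo (the external address is from a documentation range).

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed authentication log used as the learning period.
BASELINE_LOG = """\
2024-03-04T09:02:11 LOGIN_OK user=alice src=10.0.0.21 geo=IN
2024-03-04T09:05:40 LOGIN_OK user=bob src=10.0.0.35 geo=IN
2024-03-04T13:41:02 LOGIN_OK user=alice src=10.0.0.21 geo=IN
2024-03-05T08:58:27 LOGIN_OK user=alice src=10.0.0.22 geo=IN
2024-03-05T18:12:45 LOGIN_OK user=bob src=10.0.0.35 geo=IN
2024-03-06T09:15:03 LOGIN_OK user=alice src=10.0.0.21 geo=IN
2024-03-06T22:30:19 LOGIN_OK user=bob src=10.0.0.35 geo=IN
"""
# Constructed events to hunt through: a routine login from a new desk, a
# 3 a.m. login from abroad, and bob's usual late shift.
NEW_EVENTS = """\
2024-03-07T09:10:55 LOGIN_OK user=alice src=10.0.0.40 geo=IN
2024-03-07T03:12:08 LOGIN_OK user=alice src=203.0.113.7 geo=DE
2024-03-07T22:05:31 LOGIN_OK user=bob src=10.0.0.35 geo=IN
"""

LINE = re.compile(r"(\S+) LOGIN_OK user=(\S+) src=(\S+) geo=(\S+)")
EMPTY_PROFILE: Dict[str, Set] = {"hours": set(), "srcs": set(), "geos": set()}


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            ts, user, src, geo = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, geo))
    return events


def build_profiles(events) -> Dict[str, Dict[str, Set]]:
    """Per-user baseline: the login hours, source addresses and geos seen so far."""
    profiles = defaultdict(lambda: {"hours": set(), "srcs": set(), "geos": set()})
    for ts, user, src, geo in events:
        profiles[user]["hours"].add(ts.hour)
        profiles[user]["srcs"].add(src)
        profiles[user]["geos"].add(geo)
    return profiles


def score_event(profile: Dict[str, Set], ts: datetime, src: str, geo: str) -> Tuple[int, List[str]]:
    """Weighted sum of deviations; one oddity on its own is not worth an alert."""
    score, reasons = 0, []
    usual_hours = {h for seen in profile["hours"] for h in (seen - 1, seen, seen + 1)}
    if ts.hour not in usual_hours:
        score += 1
        reasons.append(f"unusual hour {ts.hour:02d}")
    if src not in profile["srcs"]:
        score += 1
        reasons.append(f"new source {src}")
    if geo not in profile["geos"]:
        score += 2                      # a new country is the strongest single signal
        reasons.append(f"new geolocation {geo}")
    return score, reasons


def hunt(baseline_log: str, new_log: str, threshold: int = 2) -> List[Dict]:
    """Return the new logins whose deviation score reaches the alert threshold."""
    profiles = build_profiles(parse(baseline_log))
    findings = []
    for ts, user, src, geo in parse(new_log):
        score, reasons = score_event(profiles.get(user, EMPTY_PROFILE), ts, src, geo)
        if score >= threshold:
            findings.append({"user": user, "time": ts.isoformat(),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(BASELINE_LOG, NEW_EVENTS):
        print(f"ALERT {f['user']} at {f['time']} score={f['score']}: {', '.join(f['reasons'])}")
```

The threshold is what keeps this from paging on every new laptop: alice's 09:10 login from a new address scores 1 and is ignored, while the 03:12 login from a new country and address scores 4. A production UEBA product learns the weights and the peer-group norms instead of hard-coding them, but the shape of the logic is the same.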

Threat Intelligence
Threat intelligence is required at three levels:

1. Strategic level - research, analysis and reports. Example: the Duqu 2.0 report from Kaspersky,
published as a result of malware analysis.

2. Tactical level - information exchange between operating communities. Example: FS-ISAC is an
intelligence-sharing community for the banking industry.

3. Operational level - real-time feeds exchanged within a community using standard protocols.
Example: STIX (the data format for describing indicators) carried over TAXII (the transport
protocol).

Cybersecurity Architecture
Cybersecurity architecture is about understanding one's business scope and requirements, and then
designing and developing a security architecture to implement and support them.

To capture the complete business security architecture picture, you have to find answers for

What
Why
How
Who
Where
When
under the required logical and operational components.

Architecture Risk and Controls


Risks

The security architecture should identify and protect against risks; to be effective, this must be
a continuous operational activity.
Example: to maintain a minimum agreed SLA of 98%, you can set the security control threshold at
98.5%, so that appropriate action is taken early enough to avoid the penalty risk.

Controls

When defining security architecture controls, do not rely on a single threshold; define controls
at different stages to detect and avoid possible threats.
Example: for better control, you can define five levels of SLA controls from 98.9% down to 98.5%,
each with its own action points.

SABSA Framework
The Sherwood Applied Business Security Architecture (SABSA) framework is an open, freely
available framework used to create enterprise security architecture.

It is a risk-driven method based on analysis of the business requirements.

The primary objective is to protect the business with the required level of security.

It is commonly represented as the 6x6 SABSA matrix.

The 6x6 SABSA matrix is divided into four 3x3 matrices for easier representation.
In the architecture framework part, a business considers its

Security policies
Risk
Process
Control
Attributes
Information
Strategies

Before designing the security architecture, you should identify and define role-based privileges
for associates working in different locations, as per the required timeline.

In the security architecture design phase, you should consider physical and operational
components such as data structures, models, standard practices, product tools and required
support services.

Finally, the user interface and applications should provide security platform support to all
identified operational schedules and their corresponding business functions.

Quick Fact
In 2016, a data breach affected a few Indian banks: around 3.2 million debit cards from SBI,
HDFC Bank, ICICI, YES Bank and Axis Bank were compromised.

The banks worked further to improve their security architecture models.

Managing Identity
To manage user identities and access rights, map them to the users' required business roles
and responsibilities.

One of the advanced capabilities of access management is single sign-on (SSO), which
automatically logs the user in throughout the session after their initial successful login.

Example: In TCS, for active learners, SSO login happens from iEvolve to the Skillsoft website
(an external content vendor) for a smooth learning experience.

Monitoring and Prevention

The monitoring part of the security architecture includes various detection tools that monitor for
malware intrusions and raise alerts by

Reviewing security-related events and
Logging security-related events.

Preventive mechanisms can exist in the firewall, in mail servers or on any endpoint device.

Incident Management
An incident is an event that may lead to disruption of business operations.
Incident management is a set of activities performed to

Prepare
Identify
Analyze
Solve issues, in order to prevent future incidents.

You will understand more about incidents in this section.

Prepare, Detect, and Analyze

Preparation

Involves training the incident response team after establishing the required tools, processes
and resources.
Incidents must be prioritized based on their business impact.

Detection and Analysis

A continuous process that often requires as much intuition as intelligence, for detecting any
malware intrusion and its remote connections.
Many incidents require further investigation to find the source and reasons of the attack, along
with containment and eradication on affected and vulnerable systems as part of the recovery
activities.

1. Preparation - Involve the team and define the required procedures for guidance.

2. Detection and Analysis - Work on incidents that require further investigation to find the
source and reasons of the attack.

3. Containment, Eradication and Recovery - Take control of the incident before it gets worse,
then remove the cause and recover the affected system securely.

4. Post-Incident activities - Document the lessons learned along with the required measures
and controls.

Quick Fact
A cybersecurity breach occurred between May and July 2017 at Equifax Inc. in the U.S.

Cyber attackers accessed the data of approximately 145.5 million U.S. Equifax consumers,
including their full names, Social Security numbers, credit card information, birth dates,
addresses and driver's license numbers.

Incident Response Maturity Assessment Tool

CREST UK has developed an open source tool, the Incident Response Maturity Assessment, a
spreadsheet-based tool used to assess an organization's readiness to respond to a cyber
attack.

It follows three phases:

Prepare
Response and
Follow-up

Incident Response
Preparation
Conduct a critical assessment of your organization.
Carry out a security threat analysis from practical incidents.
Consider the implications for people, process, technology and information.
Create an appropriate control framework.
Review your state of readiness.
Response
Identify the cybersecurity incident.
Define objectives and investigate the situation.
Take appropriate pre-approved or required actions.
Recover systems, data and connectivity.

Post-Incident Activities
Below are the recommended incident response follow-up activities:

Follow-up
Investigate incidents more thoroughly.
Report the incident to relevant stakeholders.
Carry out a post-incident review.
Update key information, controls and processes.
Perform trend analysis.
Communicate and share the lessons learned.

Incident Category
Incident categories can be defined according to business priorities, ranging from test incidents
to any unauthorized attack.

A precursor shows us that an incident may occur. Example: a flight cabin crew alarm would be a
precursor to an airline incident.

An indicator shows us that an incident may have occurred. Example: an indication that the
minimum required SLA% has been breached.

Critical Decision Point
The response challenge is maintaining the optimum balance between

being under-responsive (remaining vulnerable) and
being over-responsive (risk of false alarms).

Deep packet inspection can be used to give more context to the precursor or indicator.

If an indicator has turned into an incident, prioritization is perhaps the most critical decision
point in the incident handling process.

User Authentication is a process that allows a device to check the identity and authenticity of a
person who needs to connect to a network resource.

When authenticating to a system, you use any one of three things:

Password (simple and inexpensive)
Smart card or a token
Biometric, such as a fingerprint, iris recognition, or voice recognition.

Explore more about User Authentication in this section.

Password - The Secret Word!

A password authenticates the user and allows access to the system.

Being a mere sequence of characters, passwords are prone to security issues. Steps should be
taken to create strong passwords.

The following are a few ways of creating strong passwords:

Length of at least eight characters.
Combination of upper and lowercase letters, numbers, punctuation marks, and symbols.
Using a passphrase for an even stronger password. For example, LetsGototheba!!park
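The rules above can be turned into a check, as in this added example (not code from the course notes): it tests a password against the stated minimum length and character mix, and adds a naive strength estimate (length times log2 of the character-set size, an assumption for illustration, as is the 16-character passphrase threshold) so that the benefit of the passphrase example over a short mixed-character password becomes measurable.

```python
"""Added example: password policy check plus a naive strength estimate.
The entropy model and the passphrase threshold are illustrative assumptions."""
import math
import string

MIN_LENGTH = 8           # minimum length given in the notes
PASSPHRASE_LENGTH = 16   # assumption: 16+ characters counts as a passphrase

# Size of each character class for the naive entropy estimate.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10,
               "symbol": len(string.punctuation)}


def char_classes(pw: str) -> set:
    """Return the set of character classes the password actually uses."""
    used = set()
    for c in pw:
        if c.isupper():
            used.add("upper")
        elif c.islower():
            used.add("lower")
        elif c.isdigit():
            used.add("digit")
        elif c in string.punctuation:
            used.add("symbol")
    return used


def entropy_bits(pw: str) -> float:
    """Naive estimate: every position drawn uniformly from the classes in use."""
    space = sum(CLASS_SIZES[k] for k in char_classes(pw))
    return len(pw) * math.log2(space) if space else 0.0


def check_password(pw: str) -> dict:
    """Apply the notes' rules: length >= 8 and a mix of character classes."""
    classes = char_classes(pw)
    return {
        "length_ok": len(pw) >= MIN_LENGTH,
        "classes": len(classes),
        "passphrase": len(pw) >= PASSPHRASE_LENGTH,
        "bits": round(entropy_bits(pw), 1),
        "strong": len(pw) >= MIN_LENGTH and len(classes) >= 3,
    }


if __name__ == "__main__":
    # Constructed samples: a weak word, a short mixed one, the notes' passphrase.
    for pw in ["password", "P@ssw0rd", "LetsGototheba!!park"]:
        print(pw, check_password(pw))
```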

Smart Card - Shrunken World

A smart card is a small, credit card sized card with an embedded chip containing information
about the user.

User information such as credit and buying inclination, loyalty program data, and even medical
information can be captured on the smart card.

It can also store identification data such as fingerprints and passwords, and can be used as a
security token. It contains encryption keys used for data encryption systems.

Smart cards are used for access control. Some examples:

Employee access and ID badges.
Membership cards for nightclubs.
VIP access cards.
Banking cards used to store currency for purchases.

Smart Card for Multifactor Authentication

Smart cards are generally used as part of a multifactor authentication solution.

Scenario:
The user swipes the card through the smart card reader.

The card implements multiple forms of authentication, such as a password or a biometric
identifier. The smart card processes the data itself, which eliminates the need for the data to be
transmitted to another machine and helps reduce the threat of data theft.

Now you will have a detailed look at Biometric Authentication in the next topic.

Biometric Authentication
Biometrics authenticate a person by using an individual's unique attributes or behavior.

It is, of course, the most expensive way to prove identity. Biometrics recognize an individual by
comparing the captured biometric with the biometric template stored in the system.

Biometrics are divided into two categories:

Behavioral traits, based on a person's actions such as walking, signature or voice.
Physiological biometrics, based on measurements of parts of the body such as the hand, face,
fingerprint, or iris.

These are used in multifactor authentication systems.

For example, you would place your fingerprint on a sensor and then enter your PIN (multifactor
authentication).

Biometrics - Explained

Biometrics could essentially last for a lifetime. They simplify access control on devices and
networks.

Behavioral:

Gait - a newer biometric. This is the way someone walks, and the gait can be captured from a
distance.
Signature - the way someone signs: the pressure of the stroke and the curves.
Voice recognition - recognizes who is speaking from the inflection and patterns of their speech.
It is different from speech recognition.

Physiological:

Hand geometry - one of the first biometrics; it measures each finger and the hand as a whole.
Facial recognition - a camera scans the face and identifies key indicators: the nose, the
forehead, and the cheeks.
Iris recognition - identifies the colored portion of the eye; the patterns of an iris are unique.

Biometrics will be of more use in the future.

Introducing RADIUS
One of the methods used for access control for external users is Remote Authentication Dial-In
User Service (RADIUS).

RADIUS security is used to:

Authenticate clients and determine who they are.
Authorize what clients can and cannot do on a network.
Monitor and record activity on the network with Accounting.

An extension of RADIUS, called TACACS (Terminal Access Controller Access Control System),
is very similar to RADIUS.

It provides access control for routers, network access servers, and other networked computing
devices.

Email
Email is among the most commonly used communication tools for personal and business use.

Emails

pose a high security risk.
include abusive mail, which covers junk mail and spam.

Forging of email addresses takes place when an email is sent via malware, including viruses and
worms, by spammers, and in phishing attacks.
All abusive email has a fake sender address to hide the sender's true address, as being
anonymous is the key to effectively impersonating an identity in order to obtain passwords or
personal data.

In this section, you will understand more about email security threats.
An email client can become the victim of a number of malicious activities introduced via email.
The different types include:

Spam

Spam is a term used for unwanted or abusive email.

Flooding an email system with multiple messages that are unwanted.
Spam targets email recipients with direct mail messages.
A spammer's goal is to reach as many recipients as possible with the intention that some might
respond.

Spoofing

One of the techniques used while sending spam email.

Hides the real sender. When one looks at an email, its From: field appears legitimate, but it
generally is not.

Email Security Threats

Phishing

Someone spoofs their identity and casts a wide net to many recipients.
Recipients are generally redirected to a fake website, where they might be asked to enter
personal information, or a single click might download a virus.

Pharming

Related to phishing; however, it uses malicious code.
Redirects users to fake websites using a technique called DNS cache poisoning.

Quick Fact
50% of recipients open phishing emails and click on the links within the first hour of their being sent.

Phishing emails include fake notifications from banks, e-payment systems, email providers,
social networks, online games, etc.

Defense Mechanisms
60% of emails received in an organization are marked as spam every year.

Email can carry attachments with a wide variety of extensions. Malware protection recognizes
these extensions as possible threats and quarantines them.

Scripts embedded within an email can run when a user opens the email and perform some
malicious act.

Defense Mechanism
What should you do to defend yourself?

Use caution when opening emails.
Check before you click a link in an email, if you're really not sure.
Simply delete the email if you suspect it.
Use an anti-virus with updated virus definitions and real-time protection.
Do not share your password.

The firewall plays a vital role in network security.

A firewall is a hardware or software based method that controls incoming and outgoing data
traffic based on a set of rules that either permit or deny traffic on a network or host.

Firewalls should be used in every network, as they monitor for threats.
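How a rule set permits or denies traffic is easiest to see in code. This added example (not from the course notes) is a minimal first-match packet filter with a constructed rule set and an implicit deny at the end, the way host and network firewalls evaluate their rules; the subnets and ports are assumptions for the demo.

```python
"""Added example: first-match packet filtering over a constructed rule set."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str           # "in" or "out"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR, or "any"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "permit" or "deny"


# Constructed host rule set: inbound SSH only from the office subnet,
# inbound HTTPS from anywhere, all outbound traffic; everything else is denied.
RULES: List[Rule] = [
    Rule("in", "tcp", "10.0.0.0/24", 22, "permit"),
    Rule("in", "tcp", "any", 443, "permit"),
    Rule("out", "any", "any", None, "permit"),
]
DEFAULT_ACTION = "deny"   # implicit deny when no rule matches


def matches(rule: Rule, direction: str, proto: str, src: str, dst_port: int) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.direction != direction:
        return False
    if rule.proto not in ("any", proto):
        return False
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == dst_port


def decide(direction: str, proto: str, src: str, dst_port: int,
           rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); the first match wins."""
    for i, rule in enumerate(rules):
        if matches(rule, direction, proto, src, dst_port):
            return rule.action, i
    return DEFAULT_ACTION, None


if __name__ == "__main__":
    # Constructed packets: office SSH, outside SSH, outside HTTPS, outbound DNS.
    for pkt in [("in", "tcp", "10.0.0.5", 22), ("in", "tcp", "198.51.100.7", 22),
                ("in", "tcp", "198.51.100.7", 443), ("out", "udp", "192.168.1.2", 53)]:
        print(pkt, "->", decide(*pkt))
```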

Classes of Firewall
Class 1 - Host-based software firewall used on a laptop or desktop computer.

Class 2 - Router firewall that generally provides straightforward firewall features. These are not
used in an enterprise network for security reasons, as they cannot withstand aggressive attacks.

Class 3 - Low-end hardware firewall. These are best for small businesses, as they offer unified
threat management with anti-virus and anti-spyware capabilities.

Class 4 - High-end hardware firewalls. They are great for small and mid-size businesses, as they
provide edge protection in critical infrastructure environments without reducing performance.

Class 5 - High-end server firewalls, used when the stakes are high and built for high throughput
requirements.

Network Access Protection
A network device without updated patches and an active firewall can pose a significant risk to
the corporate network.

Network Access Protection is a framework that uses a Network Policy Server. The Network
Policy Server stores the health policies and checks the health of computers. Three kinds of
policy are supported:

Connection request policies - determine whether requests from RADIUS clients are handled by
the Network Policy Server or by another RADIUS server.
Network policies - define whether the connection is authorized or rejected.
Health policies - define the conditions that must be met in order to connect.

Do you know what a VLAN is? The next topic takes you through it.

VLAN - Virtual Local Area Network

A VLAN, or virtual local area network, eliminates the physical barrier and treats hosts as part of
the same subnet while creating smaller broadcast domains.

VLANs offer a number of advantages over traditional LANs.

Simplified administration - When a computer is relocated, it can still be part of the same VLAN
without any hardware reconfiguration.

Performance - By reducing broadcast and multicast traffic, and creating broadcast domains
using switches instead of routers.

Network Address Translation (NAT)

Now that you have learned about VPNs, you will understand how Network Address Translation
(NAT) works. It operates on a router and converts private IP addresses to a public IP address,
and vice versa.

You will have a look at the Network Address Translation concept now.
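The private-to-public conversion and its reverse can be modelled with a small translation table. This added example (not from the course notes) is a toy NAT with port translation: outbound packets from private hosts are rewritten to one public address and a unique port, replies are mapped back, and inbound packets with no mapping are dropped. The addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Added example: a toy NAT/PAT table for a router with one public address."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_private: Dict[Endpoint, int] = {}   # private endpoint -> public port
        self.by_port: Dict[int, Endpoint] = {}      # public port -> private endpoint

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite a private -> internet packet; one mapping per private endpoint."""
        if src not in self.by_private:
            port = self.next_port
            self.next_port += 1
            self.by_private[src] = port
            self.by_port[port] = src
        return (self.public_ip, self.by_private[src]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite an internet -> public packet back to the private host.

        Returns None (drop) when nothing inside ever opened that mapping,
        which is why unsolicited inbound traffic does not reach private hosts."""
        ip, port = dst
        if ip != self.public_ip or port not in self.by_port:
            return None
        return src, self.by_port[port]


if __name__ == "__main__":
    nat = Nat("203.0.113.5")                       # constructed public address
    # Private host opens an HTTPS connection to an outside server.
    print(nat.outbound(("192.168.1.10", 51000), ("198.51.100.20", 443)))
    # The server's reply comes back to the public address and mapped port.
    print(nat.inbound(("198.51.100.20", 443), ("203.0.113.5", 40000)))
    # An unsolicited packet to a port nobody mapped is dropped.
    print(nat.inbound(("198.51.100.99", 4444), ("203.0.113.5", 40999)))
```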

What is a Honeypot?
A honeypot is a system set up to lure an attacker, to learn about attack methodologies in order to
better protect the real network, and to gather evidence of intruders.

Placement of a honeypot depends on your objectives:

inside the LAN
in the DMZ (demilitarized zone)
or outside, as a tasty treat for an attacker.

The best option is to keep it in the DMZ, because even though it is a fake system, it is
essentially part of your network.

The key factor to consider is to put interesting data in the system so that it appears to be a
valuable target. It is part of an intrusion detection setup, but the main focus is on gathering
information.

In line with this, you will now go through a few network monitoring tools in the next section.

Network Monitoring Tools

Wireshark is an interactive network protocol analyzer and capture utility.

It is used to examine the details of traffic at a variety of levels, ranging from connection-level
information to the bits that make up a single packet.

Tcpdump is an open source command-line tool for monitoring network traffic.

It captures and displays packet headers, matching them against a set of criteria.

Syslog stands for System Logging Protocol and is a standard protocol used to send system log
or event messages to a specific server, called a syslog server.
It is primarily used to collect device logs from several different machines in a central location
for monitoring and review. The protocol is enabled on most network equipment, such as routers,
switches, firewalls, and even some printers and scanners.
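What a syslog server receives is a line per event with a numeric priority in front. This added example (not from the course notes) parses RFC 3164-style lines, decodes the priority into facility and severity, and pulls out the entries at error level or worse for review; the sample feed is constructed in the style of RFC 3164's own example message.

```python
"""Added example: parse RFC 3164-style syslog lines and triage by severity."""
import re
from typing import List, Optional

# PRI = facility * 8 + severity; lower severity number means more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                               # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "   # Oct 11 22:14:15
    r"(?P<host>\S+) "                                    # hostname
    r"(?P<tag>[^:\[]+(?:\[\d+\])?): "                    # app or app[pid]
    r"(?P<msg>.*)$"
)


def parse(line: str) -> Optional[dict]:
    """Decode one line; malformed lines and invalid PRI values yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    if facility >= len(FACILITIES):          # PRI above 191 is not valid
        return None
    return {"facility": FACILITIES[facility], "severity": severity,
            "severity_name": SEVERITIES[severity], "timestamp": m["ts"],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def triage(lines: List[str], max_severity: int = 3) -> List[dict]:
    """Return parsed entries at 'err' level or worse, for a reviewer's attention."""
    out = []
    for line in lines:
        entry = parse(line)
        if entry and entry["severity"] <= max_severity:
            out.append(entry)
    return out


# Constructed sample feed (first line follows RFC 3164's example message).
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:20 webhost nginx: GET /index.html 200",
    "<86>Oct 11 22:14:30 fw01 sshd[812]: Accepted publickey for alice from 10.0.0.5",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e['host']} {e['facility']}.{e['severity_name']} {e['tag']}: {e['msg']}")
```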
