Cybersecurity Foundation

The modern threat landscape continues to evolve and has become more complex and dangerous than ever before. Risks to the enterprise today include new and emerging attack techniques and vectors, accidental data loss and data theft, an ever-expanding network and cloud perimeter, and regulatory non-compliance penalties and other consequences.

Industry trends such as Bring Your Own Apps/Device (BYOA/BYOD), cloud computing, consumerization, mobile computing, software-defined networking and storage, and virtual data centers further complicate modern network security challenges. As a result, many basic tenets of network security – traditional concepts such as defense-in-depth and perimeter-based security – must also evolve to address these challenges.

Knowledge Objectives

  • Describe the cybersecurity landscape including modern computing trends, application frameworks and threat vectors, cloud computing and software as a service (SaaS) application challenges, information security and data protection regulations and standards, and recent cyberattacks.
  • Discuss cyberthreats including attacker motivations and the Cyber-Attack Lifecycle.
  • Describe endpoint security challenges and solutions.
  • Describe cyber-attack techniques and types including malware, vulnerabilities, exploits, spamming, phishing, bots, and botnets.
  • Discuss Wi-Fi and advanced threats including Wi-Fi vulnerabilities, Wi-Fi man-in-the-middle attacks, distributed denial-of-service (DDoS) attacks, and advanced persistent threats (APTs).

Cybersecurity Landscape

The modern cybersecurity landscape is a rapidly evolving, hostile environment fraught with advanced threats and increasingly sophisticated threat actors. This section describes computing trends that are shaping the cybersecurity landscape, application frameworks and threat vectors, cloud computing and SaaS application security challenges, various information security and data protection regulations and standards, and some recent cyber-attack examples.

Modern computing trends

Note: The terms "enterprise" and "business" are used throughout this guide to describe organizations, networks, and applications in general. The use of these terms is not intended to exclude other types of organizations, networks, or applications, and should be understood to include not only large businesses and enterprises, but also small and medium-size businesses (SMBs), government, state-owned enterprises (SOEs), public services, military, healthcare, and nonprofits, among others.

The nature of enterprise computing has changed dramatically over the past decade. Core business applications are now commonly installed alongside Web 2.0 "apps" on a variety of endpoints, and networks that were originally designed to share files and printers are now used to collect massive volumes of data, exchange real-time information, transact online business, and enable global collaboration.

Key Terms:

  • Web 2.0 is a term popularized by Tim O'Reilly and Dale Dougherty that unofficially refers to a new era of the World Wide Web, which is characterized by dynamic or user-generated content, interaction, and collaboration, and the growth of social media.

  • An endpoint is a computing device such as a desktop or laptop computer, handheld scanner, point-of-sale (POS) terminal, printer, satellite radio, security or videoconferencing camera, self-service kiosk, server, internet of things (IoT) device or sensor (such as a smart meter, smart appliance, wearable device, or autonomous vehicle), smart TV, smartphone, tablet, or Voice over Internet Protocol (VoIP) phone. Although endpoints can include servers and network equipment, the term is generally used to describe end-user devices.

Similarly, Web 3.0 will transform the enterprise computing landscape over the next decade and beyond. Web 3.0, as defined on ExpertSystem.com, is characterized by five main features:

  • Semantic web. "The semantic web improves web technologies in order to generate, share and connect through search and analysis based on the ability to understand the meaning of words, rather than on keywords and numbers."
  • Artificial intelligence. "…computers can understand information like humans in order to provide faster and more relevant results."
  • 3D graphics. 3D design is "…used extensively in websites and services."
  • Connectivity. "…information is more connected thanks to semantic metadata. As a result, the user experience evolves to another level of connectivity that leverages all the available information."
  • Ubiquity. "Content is accessible by multiple applications, every device is connected to the web, [and] the services can be used everywhere."

Many Web 2.0 apps are available as software as a service (SaaS), web-based, or mobile apps that can be easily installed by end users, or can be run without installing any local programs or services on the endpoint. The use of Web 2.0 apps in the enterprise is sometimes referred to as Enterprise 2.0, although not all Web 2.0 apps are considered to be Enterprise 2.0 applications.

Key Terms:

  • Software as a service (SaaS) is a cloud computing service model, defined by the U.S. National Institute of Standards and Technology (NIST), in which "the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings."
  • Enterprise 2.0 is a term introduced by Andrew McAfee and defined as "the use of emergent social software platforms within companies, or between companies and their partners or customers."

Typical core business applications include:

  • Accounting software is used to process and record accounting data and transactions such as accounts payable, accounts receivable, payroll, trial balances, and general ledger (GL) entries. Examples of accounting software include Intacct, Microsoft Dynamics AX and GP, NetSuite, Quickbooks, and Sage.
  • Business intelligence (BI) and business analytics software consists of tools and techniques used to surface large amounts of raw unstructured data from a variety of sources (such as data warehouses and data marts). BI and business analytics software performs a variety of functions, including business performance management, data mining, event processing, and predictive analytics. Examples of BI and analytics software include IBM Cognos, MicroStrategy, Oracle Hyperion, and SAP.
  • Content management systems (CMS) and enterprise content management (ECM) systems are used to store and organize files from a central management interface, with features such as indexing, publishing, search, workflow management, and versioning. Examples of CMS and ECM software include EMC Documentum, HP Autonomy, Microsoft SharePoint, and OpenText.
  • Customer relationship management (CRM) software is used to manage an organization's customer (or client) information including lead validation, past sales, communication and interaction logs, and service history. Examples of CRM suites include Microsoft Dynamics CRM, Salesforce.com, SugarCRM, and ZOHO.
  • Database management systems (DBMS) are used to administer databases including the schemas, tables, queries, reports, views, and other objects that comprise a database. Examples of DBMS software include Microsoft SQL Server, MySQL, NoSQL, and Oracle Database.
  • Enterprise resource planning (ERP) systems provide an integrated view of core business processes such as product and cost planning, manufacturing or service delivery, inventory management, and shipping and payment. Examples of ERP software include NetSuite, Oracle JD Edwards EnterpriseONE and PeopleSoft, and SAP.
  • Enterprise asset management (EAM) software is used to manage an organization's physical assets throughout their entire lifecycle including acquisition, upgrade, maintenance, repair, replacement, decommissioning, and disposal. EAM is commonly implemented as an integrated module of ERP systems. Examples of EAM software include IBM Maximo, Infor EAM, and SAP.
  • Supply chain management (SCM) software is used to manage supply chain transactions, supplier relationships, and various business processes such as purchase order processing, inventory management, and warehouse management. SCM software is commonly integrated with ERP systems. Examples of SCM software include Fishbowl Inventory, Freightview, Infor Supply Chain Management, and Sage X3.
  • Web content management (WCM) software is used to manage website content including administration, authoring, collaboration, and publishing. Examples of web content management software include Drupal, IBM FileNet, Joomla, and WordPress.

Common Web 2.0 apps and services (many of which are also SaaS apps) include:

  • File sync and sharing services are used to manage, distribute, and provide access to online content, such as documents, images, music, software, and video. Examples include Apple iCloud, Box, Dropbox, Google Drive, Microsoft OneDrive, Spotify, and YouTube.
  • Instant messaging (IM) is used to exchange short messages in real-time. Examples include Facebook Messenger, Skype, Snapchat, and WhatsApp.
  • Microblogging web services allow a subscriber to broadcast short messages to other subscribers. Examples include Tumblr and Twitter.
  • Office productivity suites consist of cloud-based word processing, spreadsheet, and presentation software. Examples include Google Apps and Microsoft Office 365.
  • Remote access software is used for remote sharing and control of an endpoint, typically for collaboration or troubleshooting purposes. Examples include Ammyy Admin, LogMeIn, and TeamViewer.
  • Social curation shares collaborative content about a particular topic(s) or theme(s). Social bookmarking is a type of social curation. Examples include Cogenz, Instagram, Pinterest, and Reddit.
  • Social networks are used to share content with business or personal contacts. Examples include Facebook, Google+, and LinkedIn.
  • Web-based email is an internet email service that is typically accessed via a web browser. Examples include Gmail, Outlook.com, and Yahoo! Mail.
  • Wikis enable users to contribute, collaborate, and edit site content. Examples include Socialtext and Wikipedia.

According to research from McKinsey & Company and the Association for Information and Image Management (AIIM), many organizations are recognizing significant benefits from the use of Enterprise 2.0 applications and technologies including better collaboration, increased knowledge sharing, and reduced expenses (for example, for travel, operations, and communications). Thus, enterprise infrastructures (systems, applications, and networks) are rapidly converging with personal and Web 2.0 technologies and apps, making definition of where the internet begins and the enterprise infrastructure ends practically impossible. This convergence is being driven by several important trends including:

  • Cloud computing. The popularity of cloud computing service models in general, and SaaS application services in particular, continues to surge. According to a January 2018 McKinsey and Company article, even though adoption of the public cloud has been limited to date, the outlook is markedly different. Just 40 percent of the companies studied have more than 10 percent of their workloads on public-cloud platforms; in contrast, 80 percent plan to have more than 10 percent of their workloads in public-cloud platforms in three years or plan to double their cloud penetration.
  • Consumerization. The process of consumerization occurs as end users increasingly find personal technology and apps that are more powerful or capable, more convenient, less expensive, quicker to install, and easier to use than enterprise IT solutions.
  • Bring your own device (BYOD). Closely related to consumerization is BYOD, a policy trend in which organizations permit end users to use their own personal devices, primarily smartphones and tablets, for work-related purposes. BYOD relieves organizations from the cost of providing equipment to employees, but creates a management challenge because of the vast number and type of devices that must be supported.
  • Bring your own apps (BYOA). Web 2.0 apps on personal devices are increasingly being used for work-related purposes. As the boundary between work and personal lives becomes less distinct, end users are practically demanding that these same apps be available to them in their workplaces.
  • Mobile computing. The appetite for rapid, on-demand access to apps and data from anywhere, at any time, on any device is insatiable. There are now more than 4.4 billion smartphone subscriptions worldwide, and total mobile monthly data traffic (including audio, file sharing, social networking, software uploads and downloads, video, web browsing, and other sources) in the third quarter of 2017 was about 14 exabytes!

Organizations are often unsure of the potential business benefits – and the inherent risks – of these trends, and therefore either:

  • Implicitly allow personal technologies and apps by simply ignoring their use in the workplace, or
  • Explicitly prohibit their use, but are then unable to effectively enforce such policies with traditional firewalls and security technologies

Whether personal technologies and apps are implicitly allowed (and ignored) or explicitly prohibited (but not enforced), the adverse results of ineffective policies include:

  • Lost productivity because users must either find ways to integrate these unsupported technologies and apps (when allowed) with the enterprise infrastructure, or use applications that are unfamiliar to them or less efficient (when personal technologies and apps are prohibited)
  • Potential disruption of critical business operations because of underground or backchannel processes that are used to accomplish specific workflow tasks or to circumvent controls, and are known to only a few users and are fully dependent on their use of personal technologies and apps
  • Exposure to additional risks for the enterprise due to unknown – and therefore unpatched – vulnerabilities in personal technologies and apps, and a perpetual cat-and-mouse game between employees who circumvent controls (for example, with external proxies, encrypted tunnels, and remote desktop applications) and security teams that manage these risks
  • Penalties for regulatory non-compliance, for example, the E.U. General Data Protection Regulation (GDPR), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS)

As these trends continue to blur the distinction between the internet and the enterprise network, new security challenges and risks emerge, including:

  • New application threat vectors
  • Turbulence in the cloud
  • SaaS application risks

New application framework and threat vectors

Next-generation firewalls (NGFWs) disrupted the traditional port-based and Unified Threat Management firewalls by capitalizing on the advances in hardware parallel processing to quickly inspect all network traffic and provide better attack prevention capability. It's true that NGFWs have provided much improved protection for on-site physical networks, but now a new cloud-based application consumption model is revolutionizing the way organizations do business. In this new model, applications such as Microsoft Office 365 can now be consumed and updated through cloud networks with no additional on-premises infrastructure. Attackers also are constantly innovating, and organizations must be able to rapidly evaluate and deploy new capabilities that detect and prevent successful cyberattacks in a highly agile, automated way, without deploying new infrastructure that needs to be purchased (capital expenditure) and managed (operating expenditure). To contend with these changes, a new framework to provide cybersecurity protection is needed. This new framework will likely disrupt the traditional point-based cybersecurity protection model. The new framework will have to leverage innovation and entrepreneurship, big data, machine learning, and advances in cloud technology to provide superior security with high consistency.

Beyond managing the risks associated with a relatively limited, known set of core applications that are authorized and supported in the enterprise, security teams must now manage the risks associated with an ever-increasing number of unknown personal technologies and apps that may be used in the organization.

Classification of applications as either "good" (allowed) or "bad" (blocked) in a clear and consistent manner has also become increasingly difficult. Many applications are clearly good (low risk, high reward) or clearly bad (high risk, low reward), but most are somewhere in between – depending on how the application is being used.

For example, many organizations use social networking applications such as Facebook for important business functions such as recruiting, research and development, marketing, and consumer advocacy. However, these same applications can be used to leak sensitive information or cause damage to an organization's public image – whether inadvertently or maliciously.

Many applications are designed to circumvent traditional port-based firewalls (discussed in Section 2.6.1), so that they can be easily installed and accessed on any device, anywhere and anytime, using techniques such as:

  • Port hopping, in which ports and protocols are randomly changed during a session
  • Use of non-standard ports, such as running Yahoo! Messenger over TCP port 80 (HTTP) instead of the standard TCP port for Yahoo! Messenger (5050)
  • Tunneling within commonly used services, such as when peer-to-peer (P2P) file sharing or an instant messenger (IM) client such as Meebo is running over HTTP
  • Hiding within SSL encryption, which masks the application traffic, for example, over TCP port 443 (HTTPS). More than half of all web traffic is now encrypted
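
The gap between what a port number implies and what actually runs on it can be shown by classifying the same flows twice, once by destination port and once by the first payload bytes. This is an added example, not part of the original guide; the flow records are constructed and the payload signatures are simplified assumptions.

```python
from dataclasses import dataclass

# What a port-based firewall assumes is running on each destination port.
PORT_TO_APP = {80: "http", 443: "tls", 5050: "yahoo-messenger"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Flow:
    dst_port: int
    first_bytes: bytes  # first client-to-server payload bytes of the session


def classify_by_port(flow):
    """Port-based view: the application is whatever the port number implies."""
    return PORT_TO_APP.get(flow.dst_port, "unknown")


def classify_by_payload(flow):
    """Content-based view, using simplified signatures (assumptions for this example)."""
    data = flow.first_bytes
    if data.startswith(b"YMSG"):  # Yahoo! Messenger protocol header
        return "yahoo-messenger"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:  # TLS handshake record
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def verdict(flow):
    """Compare both views of one flow."""
    by_port = classify_by_port(flow)
    by_payload = classify_by_payload(flow)
    if by_payload == "tls":
        # The handshake is visible, the application inside it is not.
        return "encrypted"
    if by_payload == "unknown":
        return "unidentified"
    return "consistent" if by_port == by_payload else "mismatch"


def ports_by_app(flows):
    """Ports on which each payload-identified application was seen.
    An application that appears on several ports defeats a per-port rule."""
    seen = {}
    for flow in flows:
        app = classify_by_payload(flow)
        if app != "unknown":
            seen.setdefault(app, set()).add(flow.dst_port)
    return seen


# Constructed sample flows (not captured traffic).
FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Flow(5050, b"YMSG\x00\x10\x00\x00\x00\x00\x00\x4c"),
    Flow(80, b"YMSG\x00\x10\x00\x00\x00\x00\x00\x4c"),    # IM on the HTTP port
    Flow(8080, b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.dst_port, classify_by_port(f), classify_by_payload(f), verdict(f))
    print(ports_by_app(FLOWS))
```

The third flow is the case in the list above: a port rule that allows TCP 80 for web browsing also allows the messenger session. The last flow shows the limit of payload inspection without decryption, since only the TLS handshake is recognizable.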

Many traditional client-server business applications are also being redesigned for web use, and employ these same techniques for ease of operation while minimizing disruptions. For example, remote procedure call (RPC) and Microsoft SharePoint both use port hopping because it is critical to how the protocol or application (respectively) functions, rather than as a means to evade detection or enhance accessibility.

Key Terms:

  • Remote procedure call (RPC) is an inter-process communication (IPC) protocol that enables an application to be run on a different computer or network, rather than the local computer on which it is installed.
  • An attack (or threat) vector is a path or tool that an attacker uses to target a network.

Applications can also be hijacked and repurposed by malicious actors, such as was done in the 2014 Heartbleed attack. According to an April 2014 Palo Alto Networks article:

"[T]he story of Heartbleed's impact has been focused on the compromise of HTTPSenabled websites and web applications, such as Yahoo!, Google, Dropbox, Facebook, online banking, and the thousands of other vulnerable targets on the web. These are of huge impact, but those sites will all be updated quickly….

"For security professionals, [the initial Heartbleed attack] is only the tip of the iceberg. The vulnerability puts the tools once reserved for truly advanced threats into the hands of the average attacker – notably, the ability to breach organizations, and move laterally within them. Most enterprises of even moderate size do not have a good handle on what services they are running internally using SSL encryption. Without this baseline knowledge, it is extremely difficult for security teams to harden their internal attack surface against the credential and data stealing tools Heartbleed enables. All footholds for the attacker with an enterprise network are suddenly of equal value."

As new applications are increasingly web-enabled and browser-based, HTTP and HTTPS now account for about two-thirds of all enterprise network traffic. Traditional port-based firewalls and other security infrastructure cannot distinguish whether these applications, riding on HTTP and HTTPS, are being used for legitimate business purposes.

Thus, applications (including malware) have become the predominant attack vector to infiltrate networks and systems.

Turbulence in the cloud

Cloud computing technologies enable organizations to evolve their data centers from a hardware-centric architecture where applications run on dedicated servers to a dynamic and automated environment where pools of computing resources are available on-demand, to support application workloads that can be accessed anywhere, anytime, and from any device.

However, many organizations have been forced into significant compromises regarding their public and private cloud environments – trading function, visibility, and security, for simplicity, efficiency, and agility. If an application hosted in the cloud isn't available or responsive, network security controls, which all too often introduce delays and outages, are typically "streamlined" out of the cloud design. Cloud security trade-offs often include:

  • Simplicity or function
  • Efficiency or visibility
  • Agility or security

Many of the features that make cloud computing attractive to organizations also run contrary to network security best practices. For example:

  • Cloud computing doesn't mitigate existing network security risks. The security risks that threaten your network today don't go away when you move to the cloud. The shared responsibility model defines who (customer and/or provider) is responsible for what (related to security) in the public cloud. In general terms, the cloud provider is responsible for security "of" the cloud, including the physical security of the cloud data centers, and for foundational networking, storage, compute, and virtualization services. The cloud customer is responsible for security "in" the cloud, which is further delineated by the cloud service model. For example, in an infrastructure-as-a-service (IaaS) model, the cloud customer is responsible for the security of the operating systems, middleware, run time, applications, and data. In a platform-as-a-service (PaaS) model, the cloud customer is responsible for the security of the applications and data – the cloud provider is responsible for the security of the operating systems, middleware, and run time. In a SaaS model, the cloud customer is responsible only for the security of the data, and the cloud provider is responsible for the full stack, from the physical security of the cloud data centers to the application.
  • Separation and segmentation are fundamental to security; the cloud relies on shared resources. Security best practices dictate that mission-critical applications and data be separated in secure segments on the network, based on Zero Trust principles (discussed in Section 2.4.2). On a physical network, Zero Trust is relatively straightforward, using firewalls and policies based on application and user identity. In a cloud environment, direct communication between virtual machines (VMs) within a server host occurs constantly — in some cases, across varied levels of trust, thus making segmentation a real challenge. Mixed levels of trust, combined with a lack of intra-host traffic visibility by virtualized port-based security offerings, may weaken your security posture.
  • Security deployments are process-oriented; cloud computing environments are dynamic. The creation or modification of your cloud workloads can often be done in minutes, yet the security configuration for this workload may take hours, days, or weeks. Security delays aren't designed to be burdensome; they're the result of a process that is designed to maintain a strong security posture. Policy changes need to be approved, the appropriate firewalls need to be identified, and the relevant policy updates need to be determined. In contrast, the cloud is a highly dynamic environment, with workloads being added, removed, and changed rapidly and constantly. The result is a disconnect between security policy and cloud workload deployments, which leads to a weakened security posture. Thus, security technologies and processes must be able to auto scale to take advantage of the elasticity of the cloud while maintaining a strong security posture.

SaaS application risks

Data is located everywhere in today's enterprise networks, including many locations that are not under the organization's control. New data security challenges emerge for organizations that permit SaaS usage in their networks.

With SaaS applications, data is often stored where the application resides – in the cloud. Thus, the data is no longer under the organization's control, and visibility is often lost. SaaS vendors do their best to protect the data in their applications, but it is ultimately not their responsibility. Just as in any other part of the network, the IT team is responsible for protecting and controlling the data, regardless of its location.

Because of the nature of SaaS applications, their use is very difficult to control – or have visibility into – once the data leaves the network perimeter. This lack of control presents a significant security challenge: End users are now acting as their own "shadow" IT department, with control over the SaaS applications they use and how they use them. But they have little or no understanding of the inherent data exposure and threat insertion risks of SaaS, including:

  • Malicious outsiders. The most common source of breaches for networks overall is also a critical concern for SaaS security. The SaaS application becomes a new threat vector and distribution point for malware used by external adversaries. Some malware will even target the SaaS applications themselves, for example, by changing their shares to "public" so the data can be retrieved by anyone.
  • Accidental data exposure. Well-intentioned end users are often untrained and unaware of the risks their actions pose in SaaS environments. Because SaaS applications are designed to facilitate easy sharing, it's understandable that data often becomes unintentionally exposed. Accidental data exposure by end users is surprisingly common and includes:
      • Accidental share: A share meant for a particular person is accidentally sent to the wrong person or group. Accidental shares are common when a name auto fills, or is mistyped, which may cause an old email address or the wrong name, group, or even an external user, to have access to the share.
      • Promiscuous share: A legitimate share is created for a user, but that user then shares with other people who shouldn't have access. Promiscuous shares often result in the data being publicly shared because it can go well beyond the control of the original owner.
      • Ghost (or stale) share: A share remains active for an employee or vendor that is no longer working with the company, or should no longer have access. Without visibility and control of the shares, the tracking and fixing of shares to ensure they are still valid is very difficult.
  • Malicious insiders. The least common but real SaaS application risk is the internal user who maliciously shares data for theft or revenge purposes. For example, an employee who is leaving the company might set a folder's share permissions to "public," or share it with an external email address to later steal the data from a remote location.
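
The share types described above (public, accidental, promiscuous, and ghost) can be looked for in an exported share inventory. The following is an added example, not part of the original guide; the record fields, domains, account names, and finding labels are assumptions, and an unapproved external recipient is treated only as a candidate accidental share for review.

```python
from dataclasses import dataclass

CORP_DOMAIN = "corp.example"              # hypothetical company domain
APPROVED_EXTERNAL = {"partner.example"}   # hypothetical approved vendor domains


@dataclass(frozen=True)
class Share:
    resource: str
    owner: str       # account that owns the resource
    granted_by: str  # account that created this share
    recipient: str   # email address, or "anyone" for a public link


def audit_share(share, active_accounts):
    """Return finding labels for one share.
    active_accounts: lowercase addresses of current employees and vendor contacts."""
    findings = []
    recipient = share.recipient.lower()
    if recipient == "anyone":
        # Public link: the state a malicious insider or malware would set.
        findings.append("public")
    else:
        domain = recipient.rsplit("@", 1)[-1]
        if domain != CORP_DOMAIN and domain not in APPROVED_EXTERNAL:
            # Possible accidental share (mistyped or auto-filled address).
            findings.append("external-unapproved")
        elif recipient not in active_accounts:
            # Known domain, but the person no longer has an active account.
            findings.append("ghost")
    if share.granted_by.lower() != share.owner.lower():
        # Re-shared by someone other than the owner.
        findings.append("promiscuous")
    return findings


def audit(shares, active_accounts):
    """Return (resource, recipient, findings) for every share that needs review."""
    active = {a.lower() for a in active_accounts}
    report = []
    for share in shares:
        findings = audit_share(share, active)
        if findings:
            report.append((share.resource, share.recipient, findings))
    return report


# Constructed sample data.
ACTIVE = {"alice@corp.example", "bob@corp.example", "vera@partner.example"}
SHARES = [
    Share("q3-forecast.xlsx", "alice@corp.example", "alice@corp.example", "bob@corp.example"),
    Share("q3-forecast.xlsx", "alice@corp.example", "bob@corp.example", "carol@freemail.example"),
    Share("vendor-contract.pdf", "alice@corp.example", "alice@corp.example", "dan@corp.example"),
    Share("hr-export.csv", "bob@corp.example", "bob@corp.example", "anyone"),
    Share("design.doc", "alice@corp.example", "alice@corp.example", "vera@partner.example"),
    Share("design.doc", "alice@corp.example", "alice@corp.example", "victor@partner.example"),
]

if __name__ == "__main__":
    for resource, recipient, findings in audit(SHARES, ACTIVE):
        print(f"{resource:22} {recipient:26} {', '.join(findings)}")
```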

Compliance and security are not the same

A rapidly and ever-increasing number of international, multinational, federal, regional, state, and local laws and regulations mandate numerous cybersecurity and data protection requirements for businesses and organizations worldwide. Various industry directives, such as the Payment Card Industry's Data Security Standard (PCI DSS), also establish their own cybersecurity standards and best practices for businesses and organizations operating under their purview.

This complex regulatory environment is further complicated by the fact that many laws and regulations are obsolete, ambiguous, not uniformly supported by international communities, and/or inconsistent (with other applicable laws and regulations), thus requiring legal interpretation to determine relevance, intent, and/or precedence. As a result, businesses and organizations in every industry struggle to achieve and maintain compliance.

You should understand that compliance and security are not the same thing. An organization can be fully compliant with the various cybersecurity laws and regulations that are applicable for that organization, yet still not be secure. Conversely, an organization can be secure, yet not be fully compliant. As if to underscore this point, the compliance and security functions in many organizations are separate.

Pertinent examples (neither comprehensive nor exhaustive) of current cybersecurity laws and regulations include:

  • Canada Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA defines individual rights with respect to the privacy of their personal information, and governs how private sector organizations collect, use, and disclose personal information in the course of business.
  • European Union (EU) General Data Protection Regulation (GDPR). The GDPR applies to any organization that does business with EU citizens. It strengthens data protection for EU citizens and addresses the export of personal data outside the EU.
  • EU Network and Information Security (NIS) Directive. An EU directive that imposes network and information security requirements for banks, energy companies, healthcare providers and digital service providers, among others.
  • North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP). NERC CIP defines cybersecurity standards to protect the physical and cyber assets necessary to operate the Bulk Electric System (BES) – the "power grid" – in the United States and Canada. The standards are mandatory for all BES-generating facilities with different criteria based on a tiered classification system (high, medium, or low impact).
  • Payment Card Industry Data Security Standards (PCI DSS). PCI DSS applies to any organization that transmits, processes, or stores payment card (such as debit and credit cards) information. PCI DSS is mandated and administered by the PCI Security Standards Council (SSC) comprising Visa, MasterCard, American Express, Discover, and JCB.
  • U.S. Cybersecurity Enhancement Act of 2014. This act provides an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
  • U.S. Cybersecurity Information Sharing Act (CISA). This act enhances information sharing about cybersecurity threats by allowing internet traffic information to be shared between the U.S. government and technology and manufacturing companies.
  • U.S. Federal Exchange Data Breach Notification Act of 2015. This act further strengthens HIPAA by requiring health insurance exchanges to notify individuals whose personal information has been compromised as the result of a data breach as soon as possible, but no later than 60 days after breach discovery.
  • U.S. Federal Information Security Modernization Act (FISMA). Known as the Federal Information Security Management Act prior to 2014, FISMA implements a comprehensive framework to protect information systems used in federal government agencies.
  • U.S. Gramm-Leach-Bliley Act (GLBA). Also known as the Financial Services Modernization Act of 1999, relevant provisions of GLBA include the Financial Privacy Rule and the Safeguards Rule, which require financial institutions to implement privacy and information security policies to safeguard the nonpublic personal information of clients and consumers.
  • U.S. Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. It requires appropriate safeguards for protected health information (PHI) and applies to covered entities and their business associates.
  • U.S. National Cybersecurity Protection Advancement Act of 2015. This act amends the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthens privacy and civil liberties protections.
  • U.S. Sarbanes-Oxley (SOX) Act. Enacted to restore public confidence following several high-profile corporate accounting scandals, most notably Enron and WorldCom, SOX increases financial governance and accountability in publicly traded companies. Section 404 of SOX specifically addresses internal controls, including requirements to safeguard the confidentiality, integrity, and availability of IT systems.

Key Terms:

  • Protected health information (PHI) is defined by HIPAA as information about an individual's health status, provision of healthcare, or payment for healthcare that includes identifiers such as names, geographic identifiers (smaller than a state), dates, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, or photographs.
  • A covered entity is defined by HIPAA as a healthcare provider that electronically transmits PHI (such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), a health plan (such as a health insurance company, health maintenance organization, company health plan, or government program including Medicare, Medicaid, military and veterans' healthcare), or a healthcare clearinghouse.

Recent high-profile cyber-attack examples

Thousands of cyberattacks are perpetrated against enterprise networks every day.

Unfortunately, many more of these attacks succeed than are typically reported in mass media. Recent high-profile examples of such attacks include:

  • Target. In late 2013, Target discovered that credit card data and debit card data from 40 million of its customers, and the personal information of an additional 70 million of its customers, had been stolen over a period of about 19 days, from November 27 to December 15, 2013. The attackers were able to infiltrate Target's Point of Sale (POS) systems by installing malware (believed to be a variant of the ZeuS financial botnet) on an HVAC (heating, ventilation, and air conditioning) contractor's computer systems to harvest credentials for an online portal used by Target's vendors. Target's 2016 annual report disclosed that the total cost of the breach was US$292 million.
  • Home Depot. In September 2014, Home Depot suffered a data breach that went unnoticed for about five months. As with the Target data breach (see the previous attack example), the attackers used a vendor's credentials and exploited a zero-day threat, based on a Windows vulnerability, to gain access to Home Depot's network. Memory scraping malware was then installed on more than 7,500 self-service POS terminals to collect 56 million customer credit card numbers throughout the United States and Canada. Home Depot's 2016 annual report disclosed that the total cost of the breach was US$298 million.
  • Anthem. In February 2015, Anthem disclosed that its servers had been breached and Personally Identifiable Information (PII) including names, Social Security numbers, birthdates, addresses, and income information for about 80 million customers had been stolen. The breach occurred on December 10, 2014, when attackers compromised an Anthem database using a database administrator's credentials. The breach wasn't found until January 27, 2015, when the database administrator discovered a questionable query being run with his credentials. The total cost of the breach is expected to reach US$31 billion.
  • U.S. Office of Personnel Management (OPM). Two separate data breaches discovered in April 2015 and June 2015 resulted in the compromise of personal information including names, Social Security numbers, birthdates, and other sensitive information of about 24 million current and prospective federal employees (along with their spouses and partners). The breaches are believed to have been linked to the Anthem data breach (see the previous attack example) and may have originated in China as early as March 2014. By some estimates, the total cost of the breach could exceed US$1 billion over the next decade.
  • Yahoo! While in negotiations to sell itself to Verizon in September 2016, Yahoo! announced it had been the victim of a data breach in 2014, likely by a "state-sponsored actor." The attack compromised the real names, email addresses, birthdates, and phone numbers of about 500 million users and is the largest data breach to date. Yahoo! said the vast majority of the passwords involved had been hashed using the robust bcrypt algorithm. As a direct result of the breach, Yahoo! reduced its sale price to Verizon by US$350 million.
  • Equifax. In July 2017, Equifax discovered a data breach that had exploited an unpatched security vulnerability (Apache Struts CVE-2017-5638 published March 10, 2017). From mid-May to July 2017, cybercriminals compromised various personal information of nearly 148 million U.S. consumers (as of March 2018), including passport and driver's license data, and Social Security numbers. The total cost of the breach at the end of 2017 was US$439 million and could ultimately exceed US$600 million.

Important lessons to be learned from these attacks include:

  • A "low and slow" cyberattack can go undetected for weeks, months, or even years.
  • An attacker doesn't necessarily need to run a sophisticated exploit against a hardened system to infiltrate a target organization. Often, an attacker will target an auxiliary system or other vulnerable endpoint, then pivot the attack toward the primary target.
  • Unpatched vulnerabilities are a commonly exploited attack vector.
  • The direct and indirect financial costs of a breach can be devastating for both the targeted organization and individuals whose personal and financial information is stolen or compromised.

Key Terms:

  • A zero-day threat is the window of vulnerability that exists from the time a new (unknown) threat is released until security vendors release a signature file or security patch for the threat.
  • Personally Identifiable Information (PII) is defined by the U.S. National Institute of Standards and Technology (NIST) as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity… and (2) any other information that is linked or linkable to an individual…."

Examples of PII include:

  • Name (such as full name, maiden name, mother's maiden name, or alias)
  • Personal identification number (such as Social Security number, passport number, driver's license number, and financial account number or credit card number)
  • Address information (such as street address or email address)
  • Asset information (such as IP or MAC address)
  • Telephone numbers (such as mobile, business, and personal numbers)
  • Personal characteristics (such as photographs, x-rays, fingerprints, and biometric data)
  • Information about personally owned property (such as vehicle registration number or title information)
  • Information that is linked or linkable to any of the above (such as birthdate, birthplace, race, religion, height, weight, and employment, medical, education, and financial records)

Cyberthreats

This section describes cybersecurity adversaries – the various threat actors, their motivations, and the cyber-attack strategy.

Attacker profiles and motivations

In The Art of War, Sun Tzu teaches "know thy enemy, know thy self. A thousand battles, a thousand victories" (translated in various forms) to instill the importance of understanding your adversary's strengths, weaknesses, strategies, and tactics as well as you know your own. Of course, in modern cyber warfare a thousand battles can occur in a matter of seconds and a single victory by your enemy can imperil your entire organization. Thus, knowing your enemies – including their means and motivations – is more important than ever.

In the relatively innocuous "good ol' days" of hackers and script kiddies, the primary motivation for a cyberattack was notoriety, and the attack objective was typically limited to defacing or "owning" a website to cause inconvenience and/or embarrassment to the victim.

Key Terms:

  • The term hacker was originally used to refer to anyone with highly specialized computing skills, without connoting good or bad purposes. However, common misuse of the term has redefined a hacker as someone who circumvents computer security with malicious intent, such as a cybercriminal, cyberterrorist, hacktivist, cracker, and/or black hat.
  • A script kiddie is someone with limited hacking and/or programming skills who uses malicious programs (malware) written by others to attack a computer or network.

Modern cyberattacks are perpetrated by far more sophisticated and dangerous adversaries, motivated by far more sinister purposes:

  • Cybercriminals. Acting independently or as part of a criminal organization, cybercriminals commit acts of data theft, embezzlement, fraud, and/or extortion for financial gain. According to the RAND Corporation, "In certain respects, the black market [for cybercrime] can be more profitable than the illegal drug trade," and by many estimates, cybercrime is now a US$1 trillion industry.
  • State-affiliated groups. Sponsored by or affiliated with nation-states, these organizations have the resources to launch very sophisticated and persistent attacks, have great technical depth and focus, and are well funded. They often have military and/or strategic objectives such as the ability to disable or destroy critical infrastructure including power grids, water supplies, transportation systems, emergency response, and medical and industrial systems. The Center for Strategic and International Studies reports that "At the nation-state level, Russia, Iran, and North Korea are using coercive cyberattacks to increase their sphere of influence, while China, Russia and Iran have conducted reconnaissance of networks critical to the operation of the U.S. power grid and other critical infrastructure without penalty."
  • Hacktivists. Motivated by political or social causes, hacktivist groups (such as Anonymous) typically execute denial-of-service (DoS) attacks against a target organization by defacing their websites or flooding their networks with traffic.
  • Cyberterrorists. Terrorist organizations use the internet to recruit, train, instruct, and communicate, and to spread fear and panic to advance their ideologies. Unlike other threat actors, cyberterrorists are largely indiscriminate in their attacks and their objectives include physical harm, death, and destruction.

External threat actors including organized crime, state-affiliated groups, activists, former employees, and other unaffiliated or otherwise unknown attackers account for the majority of data breaches. Internal threat actors are responsible for about 28 percent of reported data breaches.

Modern cyber-attack strategy

Modern cyber-attack strategy has evolved from a direct attack against a high-value server or asset ("shock and awe") to a patient, multi-step process that blends exploits, malware, stealth, and evasion in a coordinated network attack ("low and slow").

The Cyber-Attack Lifecycle (see Figure 1-1) illustrates the sequence of events that an attacker goes through to infiltrate a network and exfiltrate (or steal) valuable data. Blocking of just one step breaks the chain and can effectively defend an organization's network and data against an attack.

Figure 1-1: The Cyber-Attack Lifecycle

  1. Reconnaissance. Like common criminals, attackers meticulously plan their cyberattacks. They research, identify, and select targets, often extracting public information from targeted employees' social media profiles or from corporate websites, which can be useful for social engineering and phishing schemes. Attackers will also use various tools to scan for network vulnerabilities, services, and applications that they can exploit, such as:
    1. Network analyzers (also known as packet analyzers, protocol analyzers, or packet sniffers) are used to monitor and capture raw network traffic (packets). Examples include tcpdump and Wireshark (formerly Ethereal).
    2. Network vulnerability scanners typically consist of a suite of tools including password crackers, port scanners, and vulnerability scanners and are used to probe a network for vulnerabilities (including configuration errors) that can be exploited. Examples include Nessus and SAINT.
    3. Password crackers are used to perform brute-force dictionary attacks against password hashes. Examples include John the Ripper and THC Hydra.
    4. Port scanners are used to probe for open TCP or UDP (including ICMP) ports on an endpoint. Examples include Nmap ("network mapper") and Nessus.
    5. Web application vulnerability scanners are used to scan web applications for vulnerabilities such as cross-site scripting, SQL injection, and directory traversal. Examples include Burp Suite and OWASP Zed Attack Proxy (ZAP).
    6. Wi-Fi vulnerability scanners are used to scan wireless networks for vulnerabilities (including open and misconfigured access points), to capture wireless network traffic, and to crack wireless passwords. Examples include Aircrack-ng and Wifite.
    Breaking the Cyber-Attack Lifecycle at this phase of an attack begins with proactive and effective end-user security awareness training that focuses on topics such as social engineering techniques (for example, phishing, piggybacking, and shoulder surfing), social media (for example, safety and privacy issues), and organizational security policies (for example, password requirements, remote access, and physical security). Another important countermeasure is continuous monitoring and inspection of network traffic flows to detect and prevent unauthorized port and vulnerability scans, host sweeps, and other suspicious activity. Effective change and configuration management processes help to ensure that newly deployed applications and endpoints are properly configured (for example, disabling unneeded ports and services) and maintained.
  2. Weaponization. Next, attackers determine which methods to use to compromise a target endpoint. They may choose to embed intruder code within seemingly innocuous files such as a PDF or Microsoft Word document or email message. Or, for highly targeted attacks, attackers may customize deliverables to match the specific interests of an individual within the target organization.
    Breaking the Cyber-Attack Lifecycle at this phase of an attack is challenging because weaponization typically occurs within the attacker's network. However, analysis of artifacts (both malware and weaponizer) can provide important threat intelligence to enable effective zero-day protection when delivery (the next step) is attempted.
  3. Delivery. Attackers next attempt to deliver their weaponized payload to a target endpoint, for example, via email, instant messaging (IM), drive-by download (an end user's web browser is redirected to a webpage that automatically downloads malware to the endpoint in the background), or infected file share.
    Breaking the Cyber-Attack Lifecycle at this phase of an attack requires visibility into all network traffic (including remote and mobile devices) to effectively block malicious or risky websites, applications, and IP addresses, and to prevent known and unknown malware and exploits.
  4. Exploitation. After a weaponized payload is delivered to a target endpoint, it must be triggered. An end user may unwittingly trigger an exploit, for example, by clicking a malicious link or opening an infected attachment in an email, or an attacker may remotely trigger an exploit against a known server vulnerability on the target network.
    Breaking the Cyber-Attack Lifecycle at this phase of an attack, as during the Reconnaissance phase, begins with proactive and effective end-user security awareness training that focuses on topics such as malware prevention and email security. Other important security countermeasures include vulnerability and patch management, malware detection and prevention, threat intelligence (including known and unknown threats), blocking risky, unauthorized, or unneeded applications and services, managing file or directory permissions and root or administrator privileges, and logging and monitoring network activity.
  5. Installation. Next, an attacker will escalate privileges on the compromised endpoint, for example, by establishing remote shell access and installing root kits or other malware. With remote shell access, the attacker has control of the endpoint and can execute commands in privileged mode from a command line interface (CLI), as if physically sitting in front of the endpoint. The attacker will then move laterally across the target's network, executing attack code, identifying other targets of opportunity, and compromising additional endpoints to establish persistence.
    The key to breaking the Cyber-Attack Lifecycle at this phase of an attack is to limit or restrict the attackers' lateral movement within the network. Use network segmentation and a Zero Trust model that monitors and inspects all traffic between zones or segments, and granular control of applications that are allowed on the network.
  6. Command and Control. Attackers establish encrypted communication channels back to command-and-control (C&C) servers across the internet so that they can modify their attack objectives and methods as additional targets of opportunity are identified within the victim network, or to evade any new security countermeasures that the organization may attempt to deploy if attack artifacts are discovered. Communication is essential to an attack because it enables the attacker to remotely direct the attack and execute the attack objectives. C&C traffic must therefore be resilient and stealthy for an attack to succeed. Attack communication traffic is usually hidden with various techniques and tools including:
    1. Encryption with SSL, SSH (Secure Shell), or some other custom or proprietary encryption.
    2. Circumvention via proxies, remote access tools, or tunneling. In some instances, use of cellular networks enables complete circumvention of the target network for attack C&C traffic.
    3. Port evasion using network anonymizers or port hopping to traverse over any available open ports.
    4. Fast Flux (or Dynamic DNS) to proxy through multiple infected endpoints or multiple ever-changing C&C servers to reroute traffic, and make determination of the true destination or attack source difficult.
    Breaking the Cyber-Attack Lifecycle at this phase of an attack requires inspection of all network traffic (including encrypted communications), blocking of outbound C&C communications with anti-C&C signatures (along with file and data pattern uploads), blocking of all outbound communications to known malicious URLs and IP addresses, blocking of novel attack techniques that employ port evasion methods, prevention of the use of anonymizers and proxies on the network, monitoring of DNS for malicious domains and countering with DNS sinkholing or DNS poisoning, and redirection of malicious outbound communications to honeypots to identify or block compromised endpoints and analyze attack traffic.
  7. Actions on the Objective. Attackers often have multiple, different attack objectives including data theft; destruction or modification of critical systems, networks, and data; and denial-of-service (DoS). This last stage of the Cyber-Attack Lifecycle can also be used by an attacker to advance the early stages of the Cyber-Attack Lifecycle against another target. The 2018 Verizon Data Breach Investigations Report (DBIR) describes this strategy as a secondary motive in which "[web applications] are compromised to aid and abet in the attack of another victim." For example, an attacker may compromise a company's extranet to breach a business partner that is the primary target. According to the DBIR, in 2014 there were 23,244 "incidents where web applications were compromised with a secondary motive." The attacker pivots the attack against the initial victim network to a different victim network, thus making the initial victim an unwitting accomplice.
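The DNS monitoring countermeasure listed under Command and Control (step 6) can be illustrated with a small detector for fast-flux candidates. This is an added example, not part of the original guide: the log format, the thresholds, and every domain name and address are constructed for illustration, and the heuristic (many distinct answers, spread over several networks, all with short TTLs) is one common approach rather than a method the guide prescribes.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed resolver log, one answer per line: "epoch qname rtype answer ttl".
# Names use the reserved .example TLD; addresses are RFC 5737 documentation ranges.
SAMPLE_DNS_LOG = """\
1700000000 update.flux-demo.example A 192.0.2.10 60
1700000060 update.flux-demo.example A 198.51.100.23 60
1700000120 update.flux-demo.example A 203.0.113.7 60
1700000180 update.flux-demo.example A 192.0.2.201 120
1700000240 update.flux-demo.example A 198.51.100.99 60
1700000300 update.flux-demo.example A 203.0.113.150 60
1700000000 cdn.static-demo.example A 198.51.100.1 30
1700000060 cdn.static-demo.example A 198.51.100.2 30
1700000120 cdn.static-demo.example A 198.51.100.3 30
1700000180 cdn.static-demo.example A 198.51.100.4 30
1700000240 cdn.static-demo.example A 198.51.100.5 30
1700000000 www.corp-demo.example A 192.0.2.80 3600
1700000300 www.corp-demo.example A 192.0.2.80 3600
1700000310 www.corp-demo.example AAAA 2001:db8::80 3600
1700000320 truncated line
"""


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)       # distinct A-record answers
    networks: set = field(default_factory=set)  # distinct covering prefixes
    max_ttl: int = 0                            # longest TTL seen for the name
    answers: int = 0                            # total answers observed


def parse_line(line):
    """Return (epoch, qname, ip, ttl) for a well-formed A record, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "A":
        return None
    ts, qname, _rtype, answer, ttl = parts
    try:
        return int(ts), qname.lower().rstrip("."), ipaddress.IPv4Address(answer), int(ttl)
    except ValueError:  # bad timestamp, address, or TTL
        return None


def collect(log_text, prefix_len=24):
    """Aggregate per-domain answer statistics from the log text."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, qname, ip, ttl = rec
        s = stats[qname]
        s.ips.add(ip)
        s.networks.add(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        s.max_ttl = max(s.max_ttl, ttl)
        s.answers += 1
    return stats


def fast_flux_candidates(log_text, min_ips=5, min_networks=3, max_ttl=300):
    """Names whose answers rotate across many hosts and networks with short TTLs.

    Thresholds are assumptions to tune per environment. Requiring several
    networks keeps a single-provider CDN pool from matching on TTL alone.
    """
    hits = []
    for qname, s in collect(log_text).items():
        if len(s.ips) >= min_ips and len(s.networks) >= min_networks and s.max_ttl <= max_ttl:
            hits.append(qname)
    return sorted(hits)


if __name__ == "__main__":
    for name in fast_flux_candidates(SAMPLE_DNS_LOG):
        print("review for sinkholing:", name)
```

Large content delivery networks also rotate short-TTL answers across networks, so in practice the output is a review queue that is checked against an allowlist before any sinkhole entry is created.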

Endpoint security basics

Most organizations deploy several security products to protect their endpoints, including personal firewalls, Host-based Intrusion Prevention Systems (HIPS), mobile device management (MDM), mobile application management (MAM), data loss prevention (DLP), and antivirus software. Nevertheless, cyber breaches continue to increase in frequency, variety, and sophistication. Faced with the rapidly changing threat landscape, traditional endpoint security solutions and antivirus can no longer prevent security breaches on the endpoint.

Endpoint security is an essential element of cybersecurity because the network firewall cannot completely protect hosts from zero-day exploits. Zero-day exploits target unknown vulnerabilities in operating system and application software on host machines. Network firewalls may not be able to block an attacker's delivery of a zero-day exploit until a new signature identifying the zero-day attack has been developed and delivered to the firewall.

Network firewalls also may be restricted from decrypting all traffic because of regulations and laws. This restriction provides a window of opportunity for attackers to bypass a firewall's protection and exploit a host machine, necessitating endpoint security protection. Endpoint security protection is provided by an application that runs on the host machine. Effective endpoint security must be able to stop malware, exploits, and ransomware before they can compromise the host; provide protection while endpoints are online and offline; and detect threats and automate containment to minimize impact.

Cyber-attack Techniques and Types

Attackers use a variety of techniques and attack types to achieve their objectives. Malware and exploits are integral to the modern cyber-attack strategy. Spamming and phishing are commonly employed techniques to deliver malware and exploits to an endpoint via an email executable or a web link to a malicious website. Once an endpoint is compromised, an attacker typically installs back doors, remote access Trojans, and other malware to ensure persistence. Compromised endpoints ("bots") under the control of an attacker are often used to perpetrate much larger-scale attacks against other organizations or networks as part of a botnet. This section describes different types of malware, vulnerabilities, and exploits; email spamming and phishing techniques; and how bots and botnets function, along with different types of botnets.

Key Terms:

  • Malware is malicious software or code that typically takes control of, collects information from, or damages an infected endpoint. Malware broadly includes viruses, worms, Trojan horses (including remote access Trojans, or RATs), ransomware, anti-AV, logic bombs, back doors, rootkits, bootkits, spyware, and (to a lesser extent) adware.
  • An exploit is a small piece of software code, part of a malformed data file, or a sequence (string) of commands that leverages a vulnerability in a system or software, causing unintended or unanticipated behavior in the system or software.
  • A vulnerability is a bug or flaw that exists in a system or software, and creates a security risk.

Malware

Malware is malicious software or code that typically takes control of, collects information from, or damages an infected endpoint. Malware broadly includes:

  • Viruses: Malware that is self-replicating but must first infect a host program and be executed by a user or process
  • Worms: Malware that typically targets a computer network by replicating itself to spread rapidly. Unlike viruses, worms do not need to infect other programs and do not need to be executed by a user or process.
  • Trojan horses: Malware that is disguised as a harmless program, but actually gives an attacker full control and elevated privileges of an endpoint when installed. Unlike other types of malware, Trojan horses are typically not self-replicating.
  • Ransomware: Malware that locks a computer or device (Locker ransomware) or encrypts data (Crypto ransomware) on an infected endpoint with an encryption key that only the attacker knows, thereby making the data unusable until the victim pays a ransom (usually cryptocurrency, such as Bitcoin). Reveton and LockeR are two examples of Locker ransomware. Locky, TeslaCrypt/EccKrypt, Cryptolocker, and Cryptowall are examples of Crypto ransomware.
  • Anti-AV: Malware that disables legitimately installed antivirus software on the compromised endpoint, thereby preventing automatic detection and removal of other malware
  • Logic bombs: Malware that is triggered by a specified condition, such as a given date or a particular user account being disabled
  • Back doors: Malware that allows an attacker to bypass authentication to gain access to a compromised system
  • Rootkits: Malware that provides privileged (root-level) access to a computer. Rootkits are installed in the BIOS of a machine, which means operating system-level security tools cannot detect them.
  • Bootkits: Malware that is a kernel-mode variant of a rootkit, commonly used to attack computers that are protected by full-disk encryption
  • Spyware and adware: Malware that collects information, such as internet surfing behavior, login credentials, and financial account information on an infected endpoint. Spyware often changes browser and other software settings, and slows computer and internet speeds on an infected endpoint. Adware is spyware that displays annoying advertisements on an infected endpoint, often as popup banners.

Early malware typically consisted of viruses that displayed annoying – but relatively benign – errors, messages, or graphics.

The first computer virus was Elk Cloner, written in 1982 by a ninth-grade high school student near Pittsburgh, Pennsylvania. Elk Cloner was a relatively benign boot sector virus that displayed a poem on the fiftieth time that an infected floppy disk was inserted into an Apple II computer.

The first PC virus was a boot sector virus, written in 1986, called Brain. Brain was also relatively benign and displayed a message with the actual contact information for the creators of the virus. Brain was written by two Pakistani brothers who created the virus so that they could track piracy of their medical software.

One of the first computer worms to gain widespread notoriety was the Morris worm, written by a Harvard and Cornell University graduate student, Robert Tappan Morris, in 1988. The worm exploited weak passwords and known vulnerabilities in several Unix programs and spread rapidly across the early internet (the worm infected up to an estimated 10 percent of all Unix machines connected to the internet at that time – about 6,000 computers), sometimes infecting a computer numerous times to the point that it was rendered useless – an example of an early DoS attack. The U.S. Government Accountability Office (GAO) estimated the damage caused by the Morris worm between US$100,000 and US$10 million.

Key Terms:

  • A boot sector virus targets the boot sector or master boot record (MBR) of an endpoint's storage drive or other removable storage media.
  • A boot sector contains machine code that is loaded into an endpoint's memory by firmware during the startup process, before the operating system is loaded.
  • A master boot record (MBR) contains information about how the logical partitions (or file systems) are organized on the storage media, and an executable boot loader that starts up the installed operating system.
  • A floppy disk is a removable magnetic storage medium commonly used from the mid-1970s until about 2007, when it was largely replaced by compact discs and removable USB storage devices. Floppy disks were typically available in 8-inch, 5¼-inch, and 3½-inch sizes with capacities from 90 kilobytes to 200 megabytes.

Unfortunately, more than 35 years since these early examples of malware, modern malware has evolved and is used for far more sinister purposes. Examples of modern malware include:

  • WannaCry. In a period of just 24 hours in May 2017, the WannaCry ransomware attack infected more than 230,000 vulnerable Windows computers in more than 150 countries worldwide. Although the attack was quickly halted after the discovery of a "kill switch," the total economic damage is estimated between hundreds of millions to as much as US$4 billion, despite the perpetrators collecting only 327 ransom payments totaling about US$130,000.
  • HenBox. HenBox typically masquerades as legitimate Android system and VPN apps, and sometimes embeds legitimate apps. The primary goal of the HenBox apps appears to be to spy on those who install them. By using similar traits as legitimate apps, for example, copycat iconography and app or package names, HenBox lures victims into installing the malicious apps, especially when available on so-called third-party (that is, non-Google Play) app stores that often have fewer security and vetting procedures for the apps they host. As with other Android malware, some apps may also be available on forums or file-sharing sites, or even may be sent to victims as email attachments.
  • TeleRAT. Telegram Bots are special accounts that do not require an additional phone number to set up and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news. TeleRAT abuses Telegram's Bot API for C&C and data exfiltration.
  • Rarog. Rarog is a cryptocurrency-mining Trojan that has been sold on various underground forums since June 2017 and has been used by countless criminals since then. Rarog has been primarily used to mine the Monero cryptocurrency. However, it can mine others. It comes equipped with several features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices, and the ability to load additional DLLs on the victim. Rarog provides an affordable way for new criminals to gain entry into this particular type of malware.

Key Terms:

  • A dynamic-link library (DLL) is a type of file used in Microsoft operating systems that enables multiple programs to simultaneously share programming instructions contained in a single file to perform specific functions.

Modern malware is typically stealthy and evasive, and now plays a central role in a coordinated attack against a target (see Section 1.2.2).

Advanced malware leverages networks to gain power and resilience, and can be updated — just like any other software application — so that an attacker can change course and dig deeper into the network or make changes and enact countermeasures.

This is a fundamental shift compared to earlier types of malware, which were generally independent agents that simply infected and replicated themselves. Advanced malware increasingly has become a centrally coordinated, networked application in a very real sense. In much the same way that the internet changed what was possible in personal computing, ubiquitous network access is changing what is possible in the world of malware. Now, all malware of the same type can work together toward a common goal, with each infected endpoint expanding the attack foothold and increasing the potential damage to the organization.

Important characteristics and capabilities of advanced malware include:

  • Distributed, fault-tolerant architecture. Advanced malware takes full advantage of the resiliency built into the internet itself. Advanced malware can have multiple control servers distributed all over the world with multiple fallback options, and can also leverage other infected endpoints as communication channels, thus providing a near infinite number of communication paths to adapt to changing conditions or update code as needed.
  • Multi-functionality. Updates from C&C servers can also completely change the functionality of advanced malware. This multifunctional capability enables an attacker to use various endpoints strategically to accomplish specific desired tasks such as stealing credit card numbers, sending spam containing other malware payloads (such as spyware), or installing ransomware for the purpose of extortion.
  • Polymorphism and metamorphism. Some advanced malware has entire sections of code that serve no purpose other than to change the signature of the malware, thus producing an infinite number of unique signature hashes for even the smallest of malware programs. Techniques such as polymorphism and metamorphism are used to avoid detection by traditional signature-based anti-malware tools and software. For example, a change of just a single character or bit of the file or source code completely changes the hash signature of the malware.
  • Obfuscation. Advanced malware often uses common obfuscation techniques to hide certain binary strings that are characteristically used in malware and therefore are easily detected by anti-malware signatures, or to hide an entire malware program.

Key Terms:

  • Polymorphism alters part of the malware code with every iteration, such as the encryption key or decryption routine, but the malware payload remains unchanged.
  • Metamorphism uses more advanced techniques than polymorphism to alter malware code with each iteration. Although the malware payload changes with each iteration – for example, by using a different code structure or sequence, or by inserting garbage code to change the file size – the fundamental behavior of the malware payload remains unchanged.
  • A hash signature is a cryptographic representation of an entire file or program's source code.
  • Obfuscation is a programming technique used to render code unreadable. It can be implemented using a simple substitution cipher, such as an exclusive or (XOR) operation, in which the output is true only when the inputs are different (for example, TRUE XOR TRUE equals FALSE, but TRUE XOR FALSE equals TRUE), or more sophisticated encryption algorithms such as the Advanced Encryption Standard (AES). Alternatively, a packer can be used to compress a malware program for delivery, then decompress it in memory at run time.
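The following added example (not part of the original guide) shows, from a scanner's point of view, why a plain string signature and a file hash both fail against single-byte XOR encoding, and how searching for the marker under all 256 keys finds it again. The marker string, padding layout, and function names are constructed for illustration.

```python
import hashlib

# Constructed marker string standing in for a byte pattern a signature looks for.
INDICATOR = b"cmd.exe /c evil-example"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying the same key twice restores the input."""
    return bytes(b ^ key for b in data)


def sha256_hex(data: bytes) -> str:
    """Hash signature of a whole sample."""
    return hashlib.sha256(data).hexdigest()


def build_sample(key: int) -> bytes:
    """Constructed 'file': 16 bytes of padding around the XOR-encoded marker."""
    pad = b"\x00" * 16
    return pad + xor_bytes(INDICATOR, key) + pad


def naive_match(sample: bytes) -> bool:
    """Plain byte-string signature: only matches if the marker is stored as-is."""
    return INDICATOR in sample


def xor_aware_scan(sample: bytes) -> list:
    """Search for the marker under every single-byte XOR key.

    The marker is encoded under each key and searched for, so the sample is
    never decoded or executed. Returns (key, offset) pairs.
    """
    hits = []
    for key in range(256):
        offset = sample.find(xor_bytes(INDICATOR, key))
        if offset != -1:
            hits.append((key, offset))
    return hits


def hash_variants(keys) -> dict:
    """Map each key to the SHA-256 of the sample encoded with that key."""
    return {key: sha256_hex(build_sample(key)) for key in keys}


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    for key, digest in hash_variants([0x00, 0x5A, 0xC3]).items():
        sample = build_sample(key)
        print(f"key=0x{key:02x} sha256={digest[:16]}... "
              f"naive={naive_match(sample)} xor_scan={xor_aware_scan(sample)}")
```

Every key yields a different hash for the same underlying content, which is why hash-based signatures do not generalize across variants while content-aware scanning does.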

Vulnerabilities and exploits

An exploit is a type of malware that takes advantage of a vulnerability in installed endpoint or server software such as a web browser, Adobe Flash, Java, or Microsoft Office. An attacker crafts an exploit that targets a software vulnerability, causing the software to perform functions or execute code on behalf of the attacker.

Vulnerabilities are routinely discovered in software at an alarming rate. Vulnerabilities may exist in software when the software is initially developed and released, or vulnerabilities may be inadvertently created, or even reintroduced, when subsequent version updates or security patches are installed. According to research by Palo Alto Networks, 78 percent of exploits take advantage of vulnerabilities that are less than two years old.

Security patches are developed by software vendors as quickly as possible after a vulnerability has been discovered in their software. However, an attacker may learn of a vulnerability and begin exploiting it before the software vendor is aware of the vulnerability or has an opportunity to develop a patch. This delay between the discovery of a vulnerability and development and release of a patch is known as a zero-day threat (or exploit). It may be months or years before a vulnerability is announced publicly. After a security patch becomes available, time inevitably is required for organizations to properly test and deploy the patch on all affected systems. During this time, a system running the vulnerable software is at risk of being exploited by an attacker (see Figure 1-2).

Figure 1-2: Vulnerabilities can be exploited from the time software is deployed until it is patched

Exploits can be embedded in seemingly innocuous data files (such as Microsoft Word documents, PDFs, and webpages), or they can target vulnerable network services. Exploits are particularly dangerous because they are often packaged in legitimate files that do not trigger anti-malware (or antivirus) software and are therefore not easily detected.

Creation of an exploit data file is a two-step process. The first step is to embed a small piece of malicious code within the data file. However, the attacker still must trick the application into running the malicious code. Thus, the second part of the exploit typically involves memory corruption techniques that allow the attacker's code to be inserted into the execution flow of the vulnerable software. Once that happens, a legitimate application, such as a document viewer or web browser, will perform actions on behalf of the attacker, such as establishing communication and providing the ability to upload additional malware to the target endpoint. Because the application being exploited is a legitimate application, traditional signature-based antivirus and whitelisting software have virtually no effectiveness against these attacks.

Although there are many thousands of exploits, they all rely on a small set of core techniques that change infrequently. For example, a heap spray is an attempt to insert the attacker's code into multiple locations within the memory heap, hoping that one of those locations will be called by the process and executed. Some attacks may involve more steps, some may involve fewer, but typically three to five core techniques must be used to exploit an application.

Regardless of the attack or its complexity, for the attack to be successful, the attacker must execute a series of these core exploit techniques in sequence, like navigating a maze to reach its objective (see Figure 1-3).

Figure 1-3: Exploits rely on a series of core attack techniques to succeed

Key Terms:

  • Heap spray is a technique used to facilitate arbitrary code execution by injecting a certain sequence of bytes into the memory of a target process.
  • Spear phishing is a targeted phishing campaign that appears more credible to its victims by gathering specific information about the target, and thus has a higher probability of success. A spear phishing email may spoof an organization (such as a financial institution) or individual that the recipient actually knows and does business with, and may contain very specific information (such as the recipient's first name, rather than just an email address). According to Symantec's 2018 Internet Security Threat Report, "Spear-phishing emails emerged as by far the most widely used infection vector, employed by 71 percent of [140 known targeted attack] groups."
  • Whaling is a type of spear phishing attack that is specifically directed at senior executives or other high-profile targets within an organization. A whaling email typically purports to be a legal subpoena, customer complaint, or other serious matter.

Spear phishing, and phishing attacks in general, are not always conducted via email. A link is all that is required, such as a link on Facebook or on a message board, or a shortened URL on Twitter. These methods are particularly effective in spear phishing attacks because they allow the attacker to gather a great deal of information about the targets and then lure them through dangerous links into a place where the users feel comfortable.

Watering hole attacks compromise websites that are likely to be visited by a targeted victim, for example, an insurance company website that may be frequently visited by healthcare providers. The compromised website will typically infect unsuspecting visitors with malware (known as a "drive-by-download"). Watering hole attacks are the second most popular infection vector for targeted attack groups (24 percent), according to Symantec.

A pharming attack redirects a legitimate website's traffic to a fake site, typically by modifying an endpoint's local hosts file or by compromising a DNS server ("DNS poisoning").
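As an added example (not from the original guide), the following check audits a hosts file for the local form of pharming described above: entries that pin a watched domain to a routable address. The hosts content, the watched domains, and the function names are constructed; DNS poisoning is outside what this check can see.

```python
import ipaddress

# Constructed sample hosts file; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.bank.example          # local sinkhole entry
203.0.113.25    www.bank.example login.bank.example
10.1.2.3        intranet.corp.example
198.51.100.7    WWW.Shop.Example          # mixed case
not-an-ip       broken.example
"""

# Constructed list of domains that should always be resolved through DNS.
WATCHED_DOMAINS = {"bank.example", "shop.example"}


def parse_hosts(text):
    """Yield (line_number, address, [hostnames]); skip comments and malformed lines."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield number, address, [name.lower().rstrip(".") for name in fields[1:]]


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_number, hostname, address) for watched names pinned to a real address.

    Loopback and 0.0.0.0 entries are treated as local sinkholes and ignored.
    """
    findings = []
    for number, address, names in parse_hosts(text):
        if address.is_loopback or address.is_unspecified:
            continue
        for name in names:
            if is_watched(name, watched):
                findings.append((number, name, str(address)))
    return findings


if __name__ == "__main__":
    for number, name, address in audit_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {name} is pinned to {address}")
```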

Key Terms:

  • Spear phishing is a highly targeted phishing attack that uses specific information about the target to make the phishing attempt appear legitimate.
  • Whaling is a type of spear phishing attack that is specifically directed at senior executives or other high-profile targets within an organization.
  • Watering hole attacks compromise websites that are likely to be visited by a targeted victim to deliver malware via a drive-by-download. A drive-by-download is a software download, typically malware, that happens without a user's knowledge or permission.
  • Pharming is a type of attack that redirects a legitimate website's traffic to a fake site.

Bots and botnets

Bots and botnets are notoriously difficult for organizations to detect and defend against using traditional anti-malware solutions.

Key Terms:

  • Bots (or zombies) are individual endpoints that are infected with advanced malware that enables an attacker to take control of the compromised endpoint.
  • A botnet is a network of bots (often tens of thousands or more) working together under the control of attackers using numerous C&C servers.

In a botnet, advanced malware works together toward a common objective, with each bot growing the power and destructiveness of the overall botnet. The botnet can evolve to pursue new goals or adapt as different security countermeasures are deployed. Communication between the individual bots and the larger botnet through C&C servers provides resiliency in the botnet (see Figure 1-4).

Figure 1-4: The distributed C&C infrastructure of a botnet

Given their flexibility and ability to evade defenses, botnets present a significant threat to organizations. The ultimate impact of a botnet is largely left up to the attacker, from sending spam one day to stealing credit card data the next – and far beyond, as many cyberattacks go undetected for months or even years.

Botnets themselves are dubious sources of income for cybercriminals. Botnets are created by cybercriminals to harvest computing resources (bots). Control of botnets (through C&C servers) can then be sold or rented out to other cybercriminals.

The key to "taking down" or "decapitating" a botnet is to separate the bots (infected endpoints) from their brains (C&C servers). If the bots cannot get to their servers, they cannot get new instructions, upload stolen data, or do anything that makes botnets so unique and dangerous.

Although this approach may seem straightforward, extensive resources are typically required to map the distributed C&C infrastructure of a botnet, and this approach almost always requires an enormous amount of investigation, expertise, and coordination between numerous industry, security, and law enforcement organizations worldwide.

Disabling of C&C servers often requires both physically seizing the servers and taking ownership of the domain and/or IP address range associated with the servers. Very close coordination between technical teams, legal teams, and law enforcement is essential to disabling the C&C infrastructure of a botnet. Many botnets have C&C servers all over the world, and will specifically function in countries that have little or no law enforcement for internet crimes.

Further complicating takedown efforts is the fact that a botnet almost never relies on a single C&C server, but rather uses multiple C&C servers for redundancy purposes. Each server also is typically insulated by a variety of intermediaries to cloak the true location of the server. These intermediaries include P2P networks, blogs and social networking sites, and even communications that proxy through other infected bots. These evasion techniques make simply finding C&C servers a considerable challenge.

Most botnets are also designed to withstand the loss of a C&C server, meaning that the entire botnet C&C infrastructure must be disabled almost simultaneously. If any C&C server is accessible or any of the fallback options survive, the bots will be able to get updates, rapidly populate a completely new set of C&C servers, and the botnet will quickly recover. Thus, even a single C&C server remaining functional for even a small amount of time can give an attacker the window needed to update the bots and recover the entire botnet.

According to a 2017 botnet threat report, Spamhaus Malware Labs identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet C&C servers on 1,122 different networks. Botnet C&C servers are used to control infected endpoints (bots) and to exfiltrate personal and/or valuable data from bots. Botnets can be easily scaled up to send massive volumes of spam, spread ransomware, launch DDoS attacks, commit click-fraud campaigns, and/or mine cryptocurrency (such as Bitcoin).

Spamming botnets

The largest botnets are often dedicated to sending spam. The premise is straightforward – the attacker attempts to infect as many endpoints as possible, and the endpoints can then be used to send out spam email messages without the end users' knowledge. The relative impact of this type of bot on an organization may seem low initially, but an infected endpoint sending spam could consume additional bandwidth and ultimately reduce the productivity of the user and even the network itself. Perhaps more consequential is the fact that the organization's email domain and IP addresses could also easily become listed by various real-time blackhole lists (RBLs), causing legitimate emails to be labeled as spam and blocked by other organizations, and damaging the reputation of the organization.

The Rustock botnet is an example of a spamming botnet. It could send up to 25,000 spam email messages per hour from an individual bot and, at its peak, sent an average of 192 spam emails per minute per bot. Rustock is estimated to have infected more than 2.4 million computers worldwide. In March 2011, the U.S. Federal Bureau of Investigation (FBI), working with Microsoft and others, was able to take down the Rustock botnet, which had operated for more than five years and at the time was responsible for sending up to 60 percent of the world's spam.

DDoS botnets

A distributed denial-of-service (DDoS) attack is a type of cyberattack in which extremely high volumes of network traffic such as packets, data, or transactions are sent to the target victim's network to make their network and systems (such as an e-commerce website or other web application) unavailable or unusable. A DDoS botnet uses bots as part of a DDoS attack, overwhelming a target server or network with traffic from a large number of bots. In such attacks, the bots themselves are not the target of the attack. Instead, the bots are used to flood some other remote target with traffic. The attacker leverages the massive scale of the botnet to generate traffic that overwhelms the network and server resources of the target.

Unlike other types of cyberattacks, a DDoS attack does not typically employ a prolonged, stealthy approach. Instead, a DDoS attack more often takes the form of a highly visible brute-force attack that is intended to rapidly cause damage to the victim's network and systems infrastructure, and to their business and reputation.

DDoS attacks often target specific organizations for personal or political reasons, or to extort a ransom payment in exchange for stopping the DDoS attack. DDoS attacks are often used by hacktivists (discussed in Section 1.2.1) to promote or protest a particular political agenda or social cause. DDoS attacks may also be used for criminal extortion purposes to extract a hefty ransom payment in exchange for ending the attack.

DDoS botnets represent a dual risk for organizations: The organization itself can be the target of a DDoS attack, and even if the organization isn't the ultimate target, any infected endpoints participating in the attack will consume valuable network resources and facilitate a criminal act, albeit unwittingly.

A DDoS attack can also be used as part of a targeted strategy for a later attack. While the victim organization is busy defending against the DDoS attack and restoring the network and systems, the attacker can deliver an exploit to the victim network (for example, by causing a buffer overflow in a SQL database) that will enable a malware infection and establish a foothold in the network. The attacker can then return later to expand the (stealthy) attack and extract stolen data.

Examples of recent DDoS attacks include attacks against domain name registrars Melbourne IT and Dreamhost in April 2017 and August 2017, respectively. The UK National Lottery was targeted in September 2017. Electroneum, a cryptocurrency startup, was the victim of a DDoS attack just prior to the launch of its mobile mining app in November 2017. The Boston Globe was also targeted in November 2017, not only disrupting the bostonglobe.com website, but also the newspaper's telephones, editing system, and other company-owned websites.

Financial botnets

Financial botnets, such as ZeuS and SpyEye, are responsible for the direct theft of funds from all types of enterprises. These types of botnets are typically not as large as spamming or DDoS botnets, which grow as large as possible for a single attacker. Instead, financial botnets are often sold as kits that allow attackers to license the code and build their own botnets.

The impact of a financial breach can be enormous, including the breach of sensitive consumer and financial information leading to significant financial, legal, and brand damage. As reported by Tech Republic:

"A Mirai botnet variant was used in attacks against at least one financial sector company in January 2018—possibly the first time an IoT botnet has been observed in use in a DDoS attack since the Mirai botnet took down multiple websites in 2017, according to a Thursday report from Recorded Future."

Wi-Fi and Advanced Persistent Threats

This section describes Wi-Fi vulnerabilities and attacks, and advanced persistent threats (APTs).

Wi-Fi vulnerabilities

With the explosive growth in the number of mobile devices over the past decade, wireless (Wi-Fi) networks are now everywhere. Whether you're in an office, hotel, airport, school, or coffee shop, you're likely in range of a Wi-Fi network somewhere.

Of course, as a security professional, your first concern when trying to get connected is "how secure is this Wi-Fi network?". But for the average user, the unfortunate reality is that Wi-Fi connectivity is more about convenience than security.

Thus, the challenge is to not only secure your Wi-Fi networks, but also to protect the mobile devices that your organization's employees use to perform work and access potentially sensitive data — no matter where they are or whose network they're on.

Wi-Fi security begins — and ends — with authentication. If you can't control who has access to your wireless network, then you can't protect your network.

Wired equivalent privacy

The wired equivalent privacy (WEP) protocol was the wireless industry's first attempt at security. As its name falsely implies, WEP was intended to provide data confidentiality equivalent to the security of a wired network. However, WEP had many well-known and well-publicized weaknesses, and wasn't effective for establishing a secure wireless network. Today, WEP is not even an option in most wireless network configurations and, according to statistics from Kaspersky Security Network (KSN), WEP was used in about 3 percent of nearly 32 million Wi-Fi hotspots accessed by KSN users worldwide in 2016.

One critical weakness in WEP is in how it handles the initialization vector (IV) for WEP's RC4 (Rivest Cipher 4) stream cipher. In WEP, the IV is a 24-bit value that is transmitted in the clear (unencrypted). With only 24 bits, generation of unique values becomes impossible after sending 2^24 (or 16,777,216) packets, and the IVs will repeat. In a secure environment, the key should be replaced before exhausting the IVs, but you have no way to automate the process in WEP. Thus, given enough traffic, IV collisions will occur, which, in conjunction with other techniques, can help an attacker to deduce the WEP key.
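The following added example (not part of the original guide) shows why a repeated IV matters: WEP keys RC4 with the IV followed by the shared key, so two frames with the same IV share a keystream and the XOR of their ciphertexts equals the XOR of their plaintexts. It goes slightly beyond the text by computing the birthday bound for IVs chosen at random, which is an assumption about how a sender picks IVs. The key, frames, and function names are constructed, and the WEP integrity check value is omitted.

```python
import random

IV_BITS = 24  # size of the WEP initialization vector


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling followed by keystream generation."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-frame RC4 key is IV || shared key."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def reused_ivs(frames):
    """Group captured (iv, ciphertext) frames by IV; keep IVs seen more than once."""
    by_iv = {}
    for iv, ciphertext in frames:
        by_iv.setdefault(iv, []).append(ciphertext)
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}


def collision_probability(packets: int) -> float:
    """Probability that at least one IV repeats among `packets` random IVs."""
    space = 2 ** IV_BITS
    p_unique = 1.0
    for k in range(packets):
        p_unique *= (space - k) / space
    return 1.0 - p_unique


def first_iv_repeat(seed: int) -> int:
    """Simulate random IVs; return how many frames were sent when one repeated."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(IV_BITS)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    secret = bytes([1, 2, 3, 4, 5])            # constructed 40-bit key
    iv_a, iv_b = b"\x00\x00\x01", b"\x00\x00\x02"
    p1, p2 = b"GET /index.html ", b"POST /login.php "   # constructed frames
    frames = [(iv_a, wep_encrypt(iv_a, secret, p1)),
              (iv_b, wep_encrypt(iv_b, secret, p1)),
              (iv_a, wep_encrypt(iv_a, secret, p2))]
    for iv, (c1, c2) in reused_ivs(frames).items():
        print(iv.hex(), "keystream reused:", xor(c1, c2) == xor(p1, p2))
    print("P(repeat within 5,000 frames) =", round(collision_probability(5000), 3))
    print("first repeat in one simulation after", first_iv_repeat(1), "frames")
```

With random IVs the chance of a repeat passes 50 percent at roughly 5,000 frames, far earlier than the 16,777,216-frame exhaustion point.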

A WEP key can be deduced by passively monitoring and examining the network traffic using a wireless network card in promiscuous mode. Passive monitoring leaves no indication that the wireless access point (AP) is under attack, because the attacker is doing nothing more than making copies of the packets on the network.

An attacker sending traffic directly to the target AP can reduce the time to break into a WEP-enabled network from days to minutes, thus making WEP not much better than the 22 percent of open Wi-Fi networks worldwide in 2016.

Key Terms:

  • An initialization vector (IV) or nonce is a random number used only once in a session, in conjunction with an encryption key, to protect data confidentiality.
  • In computer networking, promiscuous mode refers to Ethernet hardware, typically a network interface card (NIC), that receives all traffic on a network segment, even if the traffic is not addressed to the hardware.
  • A wireless access point (AP) is a network device that connects to a router or wired network and transmits a Wi-Fi signal so that wireless devices can connect to a wireless (or Wi-Fi) network.

Attacks on WEP don't depend on having a massive amount of computing power and aren't greatly affected by the size of the encryption key. The attack isn't dependent on how complex the original passphrase is either. It's simply a matter of being able to collect enough traffic.

Once it became apparent that WEP had critical, unfixable security flaws, efforts took place immediately to develop a successor. Because a replacement for WEP was urgently needed, an interim standard, Wi-Fi Protected Access (WPA) was published in 2003. WPA was further refined as WPA2 in 2004, and WEP was then deprecated as a Wi-Fi security standard.

Wi-Fi Protected Access (WPA/WPA2/WPA3)

WPA was published as an interim standard in 2003, quickly followed by WPA2 in 2004. WPA/WPA2 contains improvements to protect against the inherent flaws in WEP. These improvements included changes to the encryption to avoid many of the problems that plagued WEP.

WPA2 can be implemented in different ways. WPA2-Enterprise, also known as WPA2-802.1x mode, uses the Extensible Authentication Protocol (EAP) and Remote Authentication Dial-In User Service (RADIUS) for authentication. Numerous EAP types are also available for use in WPA2-Enterprise.

However, the use of a pre-shared key (PSK) is by far the most common, particularly in homes, small businesses, and guest Wi-Fi networks. WPA2-PSK can be implemented with just the AP and the client, requiring neither a third-party 802.1x authentication server nor individual user accounts.

Key Terms:

  • The Extensible Authentication Protocol (EAP) is a widely used authentication framework that includes about 40 different authentication methods.
  • Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol and software that enables remote access servers to communicate with a central server to authenticate users and authorize access to a system or service.
  • A pre-shared key (PSK) is a shared secret, used in symmetric key cryptography, that has been exchanged between two parties communicating over an encrypted channel.

WPA2-PSK supports 256-bit keys, which require 64 hexadecimal characters. Because requiring users to enter a 64-hexadecimal character key is impractical, WPA2 includes a function that generates a 256-bit key based on a much shorter passphrase created by the administrator of the Wi-Fi network and the service set identifier (SSID) of the AP used as a salt for the one-way hash function.

In WPA2, the name of the SSID is used for the salt. An easy way to make your Wi-Fi security stronger (and make rainbow table attacks impractical) is to change your SSID to something that isn't common or easily guessed.
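The passphrase-to-key function described above is defined in IEEE 802.11i as PBKDF2 with HMAC-SHA1, 4,096 iterations, and a 256-bit output, with the SSID as the salt. This added example (not part of the original guide) derives the key and audits a PSK configuration for the weak-salt and weak-passphrase conditions the text warns about. The common-SSID list and the 16-character policy minimum are constructed assumptions.

```python
import hashlib

# Constructed sample of widely used default network names (illustration only).
COMMON_SSIDS = {"linksys", "netgear", "default", "dlink", "home", "wireless"}
MIN_POLICY_LENGTH = 16  # assumed local policy, not a value from the standard


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-PSK key from a passphrase, salted with the SSID."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


def audit_psk_config(ssid: str, passphrase: str) -> list:
    """Return findings for a WPA2-PSK configuration; an empty list means none."""
    findings = []
    # A common SSID is a salt shared with many networks, so tables
    # precomputed for that SSID apply to this network too.
    if ssid.lower() in COMMON_SSIDS:
        findings.append("common-ssid")
    if len(passphrase) < MIN_POLICY_LENGTH:
        findings.append("short-passphrase")
    if ssid.lower() in passphrase.lower():
        findings.append("passphrase-contains-ssid")
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys share nothing.
    for ssid in ("IEEE", "linksys", "Harbor-7f3c-Annex"):
        print(f"{ssid:20s} {wpa2_pmk('password', ssid).hex()}")
    print(audit_psk_config("linksys", "linksys2024"))
    print(audit_psk_config("Harbor-7f3c-Annex", "correct horse battery staple"))
```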

To execute an attack on a WPA2 passphrase, an attacker needs to be able to test a large number of passphrase candidates. So, although WPA2 remains cryptographically secure (the key isn't recoverable by simple observation of the traffic, as with WEP), methods do exist to test passphrases offline by gathering the handshake packets between the AP and a legitimate user.

To collect the necessary packets to crack a WPA2 passphrase, an attacker could passively gather traffic when a legitimate user joins the network. This method requires time, however, because the attacker does not know when someone will join the network.

Key Terms:

  • A service set identifier (SSID) is a case-sensitive, 32-character alphanumeric identifier that uniquely identifies a Wi-Fi network.
  • In cryptography, a salt is randomly generated data that is used as an additional input to a one-way hash function that "hashes" a password or passphrase. The same original text hashed with different salts results in different hash values.
  • A one-way (hash) function is a mathematical function that creates a unique representation (a hash value) of a larger set of data in a manner that is easy to compute in one direction (input to output), but not in the reverse direction (output to input). The hash function can't recover the original text from the hash value. However, an attacker could attempt to guess what the original text was and see if it produces a matching hash value.
  • A rainbow table is a pre-computed table used to find the original value of a cryptographic hash function.

For an impatient attacker, the solution is to employ an active attack. As long as a legitimate user is already online, the attacker can force the user's client device to disconnect from the AP with forged de-authentication packets. After getting disconnected, the client device will automatically attempt to reconnect, thus providing the attacker with the handshake packets needed for offline passphrase analysis. Thus, unlike with WEP, attacks on WPA2 can be done without spending a significant amount of time in the proximity of the target network, once the handshake packets have been captured.

Next, the attacker must recover (or find) the passphrase itself, which requires the following:

  • A test to check millions of potential passphrases until it finds the correct passphrase. To avoid detection, an attacker can't use the actual target, because the victim would be able to see this attack activity. The alternative is to use an offline method of testing that uses the handshake packets.
  • A methodology to guess passphrases. The worst-case scenario is to "brute force" the passphrase, trying every possible combination of numbers and characters until a correct value is found. This effort can produce a correct result given enough time and computing power. However, it's much faster to take educated guesses without having to resort to brute force. By using educated guesses on possible passphrase candidates, the attacker can attempt a much shorter list.

This basic process for recovering Wi-Fi passphrases is similar to cracking user passwords. In the early days of password cracking, an attacker might have knowledge of a target system's one-way hash function and a list of the system's user password hash values. However, the attacker had no way to decrypt the password, because the original text isn't recoverable from a hash. But by hashing a list of words with the same one-way hash function (a dictionary attack), an attacker can then compare the resulting hash values with the hash values stored for the various user accounts on the system. So, although the password itself isn't decrypted, a given input that produces a given result, a password match, can be found. With the addition of more computing power, an attacker could try longer word lists and a greater number of variations of each word. The process for attacking WPA2 passphrases is similar.

WPA3 was published in 2018 and introduces security enhancements such as more robust brute-force attack protection, improved "hotspot" and guest access security, simpler integration with devices that have limited or no user interface (such as IoT devices), and a 192-bit security suite. Newer Wi-Fi routers and client devices will likely support both WPA2 and WPA3 to ensure backward compatibility in mixed environments.

According to the Wi-Fi Alliance, WPA3 features include improved security for IoT devices such as smart bulbs, wireless appliances, smart speakers, and other screen-free gadgets that make everyday tasks easier. The Wi-Fi Alliance hasn't outlined the specific details yet, but WPA3 is expected to support a one-touch setup system that'll make devices without screens (such as IoT devices and smart speakers like Google Home and Amazon Echo) easier to connect. It will be similar to the existing Wi-Fi Protected Setup protocol, which involves pushing a button on the router to connect a device.

According to a recent VentureBeat article, WPA3 also "supports a much stronger encryption algorithm than WPA2… intended for industrial, defense, and government applications rather than homes and offices. Specifically, it includes a 192-bit security suite that's aligned with the Commercial National Security Algorithm (CNSA) Suite, a feature requested by the Committee on National Security Systems (CNSS), a part of the U.S. National Security Agency [NSA]."

WPA3 provides protection against brute-force dictionary attacks by implementing "a robust handshake [called the Dragonfly protocol, also referred to as Simultaneous Authentication of Equals] that isn't vulnerable to wireless exploits like KRACK, and it hardens security at the time when the network key is exchanged between a device and the access point." By limiting the number of network password attempts on a per-user basis, WPA3 also reduces the efficacy of common dictionary attacks.

"WPA3 introduces Opportunistic Wireless Encryption (OWE), or individualized data encryption, which encrypts every connection between a device and the router with a unique key. Even if the access point doesn't require a password, your device's data won't be exposed to the wider network."

Wi-Fi man-in-the-middle attacks

Instead of breaking into a wireless network, an attacker can trick victims into connecting to a wireless network that the attacker controls. These techniques are part of a larger set of attacks known as man-in-the-middle attacks. With a man-in-the-middle exploit in place on a Wi-Fi network, an attacker can serve up practically any content, for example:

  • If a user attempts to download a legitimate file, the attacker can send mobile malware instead.
  • When a user attempts to visit a legitimate webpage, the attacker can alter the content to exploit a vulnerability that exists in the device's browser, allowing the attacker to further escalate an attack.
  • Email addresses and financial account information can be harvested from the connected endpoint, enabling an attacker to create a very targeted and convincing phishing attack to trick even more users on a network into disclosing sensitive information.

Evil Twin

Perhaps the easiest way for an attacker to find a victim to exploit is to set up a wireless access point that serves as a bridge to a real network. An attacker can inevitably bait a few victims with "free Wi-Fi access."

The main problem with this approach is that it requires a potential victim to stumble on the access point and connect. The attacker can't easily target a specific victim because the attack depends on the victim initiating the connection.

A slight variation on this approach is to use a more specific name that mimics a real access point normally found at a particular location — the Evil Twin. For example, if your local airport provides Wi-Fi service and calls it "Airport Wi-Fi," the attacker might create an access point with the same name using an access point that has two radios. Average users cannot easily discern when they are connected to the real access point or a fake one, so this approach would catch a greater number of users than a method that tries to attract victims at random. Still, the user has to select the network so there's a bit of chance involved in trying to reach a particular target.

The main limitation of the Evil Twin attack is that the attacker can't choose the victim. In a crowded location, the attacker will be able to get a large number of people connecting to the wireless network to unknowingly expose their account names and passwords. However, it's not an effective approach if the goal is to target employees in a specific organization.

Jasager

To understand a more targeted approach than the Evil Twin attack, think about what happens when you bring your wireless device back to a location that you've previously visited. For example, when you bring your laptop home, you don't have to choose which access point to use because your device remembers the details of wireless networks to which it has previously connected. The same goes for visiting the office or your favorite coffee shop.

Your mobile device detects when it's within the proximity of a previously known wireless network by sending a beacon out to see if a preferred network is within range. Under normal conditions, when a wireless device sends out a beacon, the nonmatching access points ignore it. The beacon goes unanswered, except when it comes within the proximity of the preferred network.

The Jasager attack takes a more active approach toward beacon requests. Jasager, German for "the Yes man," responds to all beacon requests, thus taking a very permissive approach toward who can connect. The user doesn't have to manually choose the attacker's access point. Instead, the attacker pretends to be whatever access point the user normally connects to (see Figure 1-5). Instead of trying to get victims to connect at random, now the attacker simply needs to be within the proximity of the target.

Figure 1-5: Jasager pretends to be whichever access point is requested by the client's beacon

This process intercepts the communication from laptops, mobile phones, and tablets. Many (if not most) 3G/4G/LTE mobile devices automatically switch to Wi-Fi when they recognize that they are near a network that they know.

An attacker can use the same method that is used to capture WPA2 handshake packets (discussed in Section 1.5.1), forged de-authentication packets, to disconnect users from a Wi-Fi network. When the users reconnect, they'll unwittingly connect to the modified access point. Unlike the Evil Twin attack, the attacker doesn't have to just wait for a victim to connect to the modified access point; with this approach, everyone who is in the vicinity will automatically connect and become a potential victim.

Jasager runs on any number of devices, but perhaps one of the most effective ways to employ it is with the Pineapple access point. The Pineapple is simply an access point with modified firmware that embeds a number of tools for wireless "penetration" testing. It also has a number of accessories, such as support for cellular USB cards to provide network connectivity when it is otherwise unavailable at the target location, and battery packs to operate as a standalone unit. It's also easily concealed because it can be disguised within any number of housings typically found plugged in at the office.

Once the attacker has the victim connected to a malicious access point, the man-in-the-middle attack can proceed, and the attacker not only can observe and capture network traffic, but also modify it.
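The Evil Twin, Jasager, and forged de-authentication behaviors described above each leave a pattern that a wireless monitoring sensor can look for. The following Python code is an added example, not part of the original guide; the frame records, SSIDs, MAC addresses, inventory, and thresholds are constructed assumptions, and `probe_resp` stands for the reply an access point sends to the client query that the text calls a beacon.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory (assumption): SSID -> BSSIDs (radio MAC addresses)
# of the access points the organization really operates for that name.
AUTHORIZED = {"Airport Wi-Fi": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}}


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds
    kind: str       # "beacon", "probe_resp" or "deauth" (labels are assumptions)
    bssid: str      # MAC address the frame claims to come from
    ssid: str = ""  # network name; empty for deauth frames


def evil_twins(frames, authorized=AUTHORIZED):
    """Known SSIDs advertised by a radio that is not in the inventory."""
    rogue = defaultdict(set)
    for f in frames:
        if f.kind in ("beacon", "probe_resp") and f.ssid in authorized:
            if f.bssid not in authorized[f.ssid]:
                rogue[f.ssid].add(f.bssid)
    return {ssid: sorted(bssids) for ssid, bssids in rogue.items()}


def yes_man_aps(frames, threshold=3):
    """Radios that answer for many different network names (Jasager behavior).

    A legitimate access point answers only for the networks it serves and
    typically uses a separate BSSID per SSID, so one BSSID claiming many
    unrelated names is a strong signal.
    """
    answered = defaultdict(set)
    for f in frames:
        if f.kind == "probe_resp":
            answered[f.bssid].add(f.ssid)
    return {b: sorted(s) for b, s in answered.items() if len(s) >= threshold}


def deauth_bursts(frames, window=10.0, limit=5):
    """BSSIDs named in more than `limit` deauth frames within `window` seconds.

    Forged frames carry the legitimate access point's address, so the flagged
    BSSID identifies the network under attack, not the sender.
    """
    times = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            times[f.bssid].append(f.ts)
    flagged = {}
    for bssid, ts in times.items():
        ts.sort()
        start, worst = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # slide the window forward
                start += 1
            worst = max(worst, end - start + 1)
        if worst > limit:
            flagged[bssid] = worst
    return flagged


# Constructed observations, not captured traffic.
SAMPLE_FRAMES = [
    Frame(0.0, "beacon", "02:00:00:aa:00:01", "Airport Wi-Fi"),
    Frame(0.1, "beacon", "02:00:00:aa:00:02", "Airport Wi-Fi"),
    Frame(1.0, "beacon", "02:00:00:ee:00:09", "Airport Wi-Fi"),  # same name, unknown radio
    Frame(2.0, "probe_resp", "02:00:00:ee:00:10", "HomeNet"),
    Frame(2.1, "probe_resp", "02:00:00:ee:00:10", "CoffeeShop"),
    Frame(2.2, "probe_resp", "02:00:00:ee:00:10", "Corp-Guest"),
    Frame(2.3, "probe_resp", "02:00:00:ee:00:10", "Airport Wi-Fi"),
] + [Frame(5.0 + i * 0.5, "deauth", "02:00:00:aa:00:01") for i in range(8)]

if __name__ == "__main__":
    print("Evil Twin candidates:", evil_twins(SAMPLE_FRAMES))
    print("Answers for any SSID:", yes_man_aps(SAMPLE_FRAMES))
    print("De-authentication bursts:", deauth_bursts(SAMPLE_FRAMES))
```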

SSLstrip

After a user connects to a Wi-Fi network that's been compromised — or to an attacker's Wi-Fi network masquerading as a legitimate network — the attacker can control the content that the victim sees. The attacker simply intercepts the victim's web traffic, redirects the victim's browser to a web server that it controls, and serves up whatever content the attacker desires.

A man-in-the-middle attack can be used to steal a victim's online banking or corporate email account credentials. Normally, this type of traffic would be considered safe because the webpage typically uses Secure Sockets Layer (SSL) encryption. Of course, the average user only knows that a padlock somewhere in the address bar means that their browser is secure, correct?

But the padlock appears differently, and in different locations, in different browsers. How does the padlock appear in Internet Explorer? What about Mozilla Firefox, Google Chrome, and Apple Safari? And it appears differently on different smartphones and tablets too. It's no wonder that typical end users — even many security professionals — can be easily tricked.

SSLstrip strips SSL encryption from a "secure" session. When a user connected to a compromised Wi-Fi network attempts to initiate an SSL session, the modified access point intercepts the SSL request (see Figure 1-6). The modified access point then completes the SSL session on behalf of the victim's device. Then, the SSL tunnel between the victim's device and the legitimate secure web server is actually terminated — and decrypted — on the modified access point, thus allowing the attacker to see the victim's credentials, and other sensitive information, in cleartext.

With SSLstrip, the modified access point displays a fake padlock in the victim's web browser. Webpages can display a small icon called a favicon next to a website address in the browser's address bar. SSLstrip replaces the favicon with a padlock that looks like SSL to an unsuspecting user.

Figure 1-6: Man-in-the-middle with SSLstrip

Key Terms:

  • A favicon ("favorite icon") is a small file containing one or more small icons associated with a particular website or webpage.
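The standard server-side defense against SSL stripping is HTTP Strict Transport Security (HSTS, RFC 6797), which this guide does not cover: once a browser has received the policy over HTTPS, it refuses to contact that site in cleartext. The following Python code is an added example, not part of the original guide; it audits recorded HTTP responses for the gaps that leave users exposed, and the hosts, responses, finding names, and 180-day threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days; policy threshold chosen for this example (assumption)
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*[\"']([^\"']+)", re.I)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); return None if unusable."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:      # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):   # max-age is mandatory and numeric
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
    }


def audit(responses):
    """Return (url, finding) pairs for responses that leave room for stripping."""
    findings = []
    for r in responses:
        url = urlsplit(r["url"])
        headers = {k.lower(): v for k, v in r["headers"].items()}
        hsts = headers.get("strict-transport-security")
        if url.scheme == "http":
            location = headers.get("location", "").lower()
            redirect = 300 <= r["status"] < 400 and location.startswith("https://")
            if not redirect:
                findings.append((r["url"], "cleartext-content"))
            if hsts is not None:
                # Browsers ignore the header on cleartext responses, because
                # an interceptor could have added or removed it.
                findings.append((r["url"], "hsts-over-http-ignored"))
            continue
        policy = parse_hsts(hsts) if hsts is not None else None
        if policy is None:
            findings.append((r["url"], "hsts-missing-or-invalid"))
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.append((r["url"], "hsts-max-age-too-short"))
        for target in FORM_ACTION.findall(r.get("body", "")):
            if target.lower().startswith("http://"):
                findings.append((r["url"], "form-posts-to-http"))
    return findings


# Constructed responses, not recorded from real sites.
SAMPLE_RESPONSES = [
    {"url": "http://bank.example/", "status": 301,
     "headers": {"Location": "https://bank.example/",
                 "Strict-Transport-Security": "max-age=31536000"}},
    {"url": "https://bank.example/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
     "body": '<form method="post" action="https://bank.example/login">'},
    {"url": "https://mail.example/", "status": 200, "headers": {},
     "body": "<form action='http://mail.example/auth'>"},
    {"url": "http://shop.example/", "status": 200, "headers": {}},
    {"url": "https://portal.example/", "status": 200,
     "headers": {"strict-transport-security": "max-age=300"}},
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE_RESPONSES):
        print(f"{finding:26} {url}")
```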

Advanced Persistent Threats

Advanced persistent threats (APTs) are a class of threats that are far more deliberate and potentially devastating than other types of cyberattacks. As its name implies, an APT has three defining characteristics. An APT is:

  • Advanced. Attackers use advanced malware and exploits and typically also have the skills and resources necessary to develop additional cyber-attack tools and techniques, and may have access to sophisticated electronic surveillance equipment, satellite imagery, and even human intelligence assets.
  • Persistent. An APT may take place over a period of several years. The attackers pursue specific objectives and use a "low-and-slow" approach to avoid detection. The attackers are well organized and typically have access to substantial financial backing, such as a nation-state or organized criminal organization, to fund their activities.
  • Threat. An APT is deliberate and focused, rather than opportunistic. APTs are designed to cause real damage including significant financial loss, destruction of systems and infrastructure, or physical harm and loss of life.

Recent examples of APT campaigns include:

  • MONSOON. Monsoon is an APT campaign that appears to have begun in December 2015. According to Forcepoint Security Labs, "The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia." As of July 2016, more than 110 different victim countries and 6,300 victim IP addresses had been identified. "The malware components used in MONSOON are typically distributed through [weaponized] documents sent through email to specifically chosen targets. Themes of these documents are usually political in nature and taken from recent publications on topical current affairs. Several malware components have been used in this operation including Unknown Logger Public, TINYTYPHON, BADNEWS, and an AutoIt [3] back door."
  • 1937CN. In 2017, FortiGuard Labs discovered several malicious documents that exploited the CVE-2012-0158 buffer overflow vulnerability (ListView/TreeView ActiveX controls in the MSCOMCTL.OCX library). "It was believed… that the hacking campaign where these documents were used was led by the Chinese hacking group 1937CN. The link to the group was found through malicious domains used as command-and-control servers by the attacker…. Similar to other APT attacks, such as MONSOON APT, this APT uses DLL hijacking to evade [Host Intrusion Prevention Systems, or HIPS]."
  • Scarlet Mimic. The Scarlet Mimic attacks began in 2011. Their targeting pattern suggests that this adversary's primary mission is to gather information about minority rights activists. Although there is no evidence directly linking these attacks to a government source, the information derived from their activities supports an assessment that a group (or groups) with motivations similar to the stated position of the Chinese government in relation to Uyghur and Tibetan activists, and those who are interested in their causes, is involved. "The Scarlet Mimic attacks primarily center around the use of a Windows back door named 'FakeM.' It was first described by Trend Micro in 2013 and was named FakeM because its primary command-and-control traffic mimicked Windows Messenger and Yahoo! Messenger network traffic to evade detection." Scarlet Mimic has also "deployed Trojans that target the Mac OS X and Android operating systems."
  • Lazarus. The Lazarus APT group is a threat actor linked to North Korea and believed to be behind attacks targeting U.S. defense contractors and other worldwide attack campaigns, including the Bangladesh cyber heist (US$81 million was surreptitiously transferred from the New York Federal Reserve Bank account of Bangladesh in February 2016), the Troy Operation (attacks against South Korean infrastructure in 2013), the DarkSeoul Operation (malware-based attacks that wiped tens of thousands of hard drives belonging to South Korean television networks and banks in March 2013), and the Sony Pictures hack (employees' emails and personal information including salaries, addresses, and Social Security numbers revealed, unreleased movies posted on file sharing sites, and internal computer systems shut down in 2014).

Glossary

  • access point (AP): See wireless access point (AP).
  • Address Resolution Protocol (ARP): A protocol that translates a logical address, such as an IP address, to a physical MAC address. The Reverse Address Resolution Protocol (RARP) translates a physical MAC address to a logical address. See also IP address, media access control (MAC) address, and Reverse Address Resolution Protocol (RARP).
  • Advanced Encryption Standard (AES): A symmetric block cipher based on the Rijndael cipher.
  • AES: See Advanced Encryption Standard (AES).
  • AP: See wireless access point (AP).
  • API: See application programming interface (API).
  • application programming interface (API): A set of routines, protocols, and tools for building software applications and integrations.
  • application whitelisting: A technique used to prevent unauthorized applications from running on an endpoint. Authorized applications are manually added to a list that is maintained on the endpoint. If an application is not on the whitelist, it cannot run on the endpoint. However, if it is on the whitelist the application can run, regardless of whether vulnerabilities or exploits are present within the application.
  • ARP: See Address Resolution Protocol (ARP).
  • AS: See autonomous system (AS).
  • attack vector: A path or tool that an attacker uses to target a network.
  • authoritative DNS server: The system of record for a given domain. See also Domain Name System (DNS).
  • autonomous system (AS): A group of contiguous IP address ranges under the control of a single internet entity. Individual autonomous systems are assigned a 16-bit or 32-bit AS number (ASN) that uniquely identifies the network on the internet. ASNs are assigned by the Internet Assigned Numbers Authority (IANA). See also Internet Protocol (IP) address and Internet Assigned Numbers Authority (IANA).
  • bare metal hypervisor: See native hypervisor.
  • BES: See bulk electric system (BES).
  • boot sector: Contains machine code that is loaded into an endpoint's memory by firmware during the startup process, before the operating system is loaded.
  • boot sector virus: Targets the boot sector or master boot record (MBR) of an endpoint's storage drive or other removable storage media. See also boot sector and master boot record (MBR).
  • bot: Individual endpoints that are infected with advanced malware that enables an attacker to take control of the compromised endpoint. Also known as a zombie. See also botnet and malware.
  • botnet: A network of bots (often tens of thousands or more) working together under the control of attackers using numerous command-and-control (C&C) servers. See also bot.
  • bridge: A wired or wireless network device that extends a network or joins separate network segments.
  • bring your own apps (BYOA): Closely related to BYOD, BYOA is a policy trend in which organizations permit end users to download, install, and use their own personal apps on mobile devices, primarily smartphones and tablets, for work-related purposes. See also bring your own device (BYOD).
  • bring your own device (BYOD): A policy trend in which organizations permit end users to use their own personal devices, primarily smartphones and tablets, for work-related purposes. BYOD relieves organizations from the cost of providing equipment to employees, but creates a management challenge because of the vast number and type of devices that must be supported. See also bring your own apps (BYOA).
  • broadband cable: A type of high-speed internet access that delivers different upload and download data speeds over a shared network medium. The overall speed varies depending on the network traffic load from all the subscribers on the network segment.
  • broadcast domain: The portion of a network that receives broadcast packets sent from a node in the domain.
  • bulk electric system (BES): The large interconnected electrical system, consisting of generation and transmission facilities (among others), that comprises the "power grid."
  • bus (or linear bus) topology: A LAN topology in which all nodes are connected to a single cable (the backbone) that is terminated on both ends. In the past, bus networks were commonly used for very small networks because they were inexpensive and relatively easy to install, but today bus topologies are rarely used. The cable media has physical limitations (the cable length), the backbone is a single point of failure (a break anywhere on the network affects the entire network), and tracing of a fault in a large network can be extremely difficult. See also local-area network (LAN).
  • BYOA: See bring your own apps (BYOA).
  • BYOD: See bring your own device (BYOD).
  • child process: In multitasking operating systems, a subprocess created by a parent process that is currently running on the system.
  • CIDR: See classless inter-domain routing (CIDR).
  • CIP: See Critical Infrastructure Protection (CIP).
  • circuit-switched network: A network in which a dedicated physical circuit path is established, maintained, and terminated between the sender and receiver across a network for each communications session.
  • classless inter-domain routing (CIDR): A method for allocating IP addresses and IP routing that replaces classful IP addressing (for example, Class A, B, and C networks) with classless IP addressing. See also Internet Protocol (IP) address.
  • collision domain: A network segment on which data packets may collide with each other during transmission.
  • consumerization: A computing trend that describes the process that occurs as end users increasingly find personal technology and apps that are more powerful or capable, more convenient, less expensive, quicker to install, and easier to use, than enterprise IT solutions.
  • convergence: The time required for all routers in a network to update their routing tables with the most current routing information about the network.
  • covered entity: Defined by HIPAA as a healthcare provider that electronically transmits PHI (such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), a health plan (such as a health insurance company, health maintenance organization, company health plan, or government program including Medicare, Medicaid, military and veterans' healthcare), or a healthcare clearinghouse. See also Health Insurance Portability and Accountability Act (HIPAA) and protected health information (PHI).
  • CRC: See cyclic redundancy check (CRC).
  • Critical Infrastructure Protection (CIP): Cybersecurity standards defined by NERC to protect the physical and cyber assets necessary to operate the bulk electric system (BES). See also bulk electric system (BES) and North American Electric Reliability Corporation (NERC).
  • Cybersecurity Enhancement Act of 2014: A U.S. regulation that provides an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
  • Cybersecurity Information Sharing Act (CISA): A U.S. regulation that enhances information sharing about cybersecurity threats by allowing internet traffic information to be shared between the U.S. government and technology and manufacturing companies.
  • cyclic redundancy check (CRC): A checksum used to create a message profile. The CRC is recalculated by the receiving device. If the recalculated CRC doesn't match the received CRC, the packet is dropped and a request to resend the packet is transmitted back to the device that sent the packet.
  • data encapsulation: A process in which protocol information from the OSI or TCP/IP layer immediately above is wrapped in the data section of the OSI or TCP/IP layer immediately below. Also referred to as data hiding. See also Open Systems Interconnection (OSI) reference model and Transmission Control Protocol/Internet Protocol (TCP/IP) model.
  • data hiding: See data encapsulation.
  • DDoS: See distributed denial-of-service (DDoS).
  • default gateway: A network device, such as a router or switch, to which an endpoint sends network traffic when a specific destination IP address is not specified by an application or service, or when the endpoint does not know how to reach a specified destination. See also router and switch.
  • DevOps: The culture and practice of improved collaboration between application development and IT operations teams.
  • DHCP: See Dynamic Host Configuration Protocol (DHCP).
  • digital subscriber line (DSL): A type of high-speed internet access that delivers different upload and download data speeds. The overall speed depends on the distance from the home or business location to the provider's central office (CO).
  • distributed denial-of-service (DDoS): A type of cyberattack in which extremely high volumes of network traffic such as packets, data, or transactions are sent to the target victim's network to make their network and systems (such as an e-commerce website or other web application) unavailable or unusable.
  • DLL: See dynamic-link library (DLL).
  • DNS: See Domain Name System (DNS).
  • domain name registrar: An organization that is accredited by a top-level domain (TLD) registry to manage domain name registrations. See also top-level domain (TLD).
  • Domain Name System (DNS): A hierarchical distributed database that maps the fully qualified domain name (FQDN) for computers, services, or any resource connected to the internet or a private network to an IP address. See also fully qualified domain name (FQDN).
  • drive-by-download: A software download, typically malware, that happens without a user's knowledge or permission.
  • DSL: See digital subscriber line (DSL).
  • Dynamic Host Configuration Protocol (DHCP): A network management protocol that dynamically assigns (leases) IP addresses and other network configuration parameters (such as default gateway and Domain Name System [DNS] information) to devices on a network. See also default gateway and Domain Name System (DNS).
  • dynamic-link library (DLL): A type of file used in Microsoft operating systems that enables multiple programs to simultaneously share programming instructions contained in a single file to perform specific functions.
  • EAP: See Extensible Authentication Protocol (EAP).
  • EAP-TLS: See Extensible Authentication Protocol Transport Layer Security (EAP-TLS).
  • EHR: See electronic health record (EHR).
  • electronic health record (EHR): As defined by HealthIT.gov, an EHR "goes beyond the data collected in the provider's office and include[s] a more comprehensive patient history. EHR data can be created, managed, and consulted by authorized providers and staff from across more than one healthcare organization."
  • electronic medical record (EMR): As defined by HealthIT.gov, an EMR "contains the standard medical and clinical data gathered in one provider's office."
  • EMR: See electronic medical record (EMR).
  • endpoint: A computing device such as a desktop or laptop computer, handheld scanner, point-of-sale (POS) terminal, printer, satellite radio, security or videoconferencing camera, self-service kiosk, server, smart meter, smart TV, smartphone, tablet, or Voice over Internet Protocol (VoIP) phone. Although endpoints can include servers and network equipment, the term is generally used to describe end user devices.
  • Enterprise 2.0: A term introduced by Andrew McAfee and defined as "the use of emergent social software platforms within companies, or between companies and their partners or customers." See also Web 2.0.
  • exclusive or (XOR): A Boolean operator in which the output is true only when the inputs are different (for example, TRUE XOR TRUE equals FALSE, but TRUE XOR FALSE equals TRUE).
  • exploit: A small piece of software code, part of a malformed data file, or a sequence (string) of commands, that leverages a vulnerability in a system or software, causing unintended or unanticipated behavior in the system or software.
  • Extensible Authentication Protocol (EAP): A widely used authentication framework that includes about 40 different authentication methods.
  • Extensible Authentication Protocol Transport Layer Security (EAP-TLS): An Internet Engineering Task Force (IETF) open standard that uses the Transport Layer Security (TLS) protocol in Wi-Fi networks and PPP connections. See also Internet Engineering Task Force (IETF), point-to-point protocol (PPP), and Transport Layer Security (TLS).
  • Extensible Markup Language (XML): A programming language specification that defines a set of rules for encoding documents in a human-readable and machine-readable format.
  • false negative: In anti-malware, malware that is incorrectly identified as a legitimate file or application. In intrusion detection, a threat that is incorrectly identified as legitimate traffic. See also false positive.
  • false positive: In anti-malware, a legitimate file or application that is incorrectly identified as malware. In intrusion detection, legitimate traffic that is incorrectly identified as a threat. See also false negative.
  • favicon ("favorite icon"): A small file containing one or more small icons associated with a particular website or webpage.
  • Federal Exchange Data Breach Notification Act of 2015: A U.S. regulation that further strengthens HIPAA by requiring health insurance exchanges to notify individuals whose personal information has been compromised as the result of a data breach as soon as possible, but no later than 60 days after breach discovery. See also Health Insurance Portability and Accountability Act (HIPAA).
  • Federal Information Security Management Act (FISMA): See Federal Information Security Modernization Act (FISMA).
  • Federal Information Security Modernization Act (FISMA): A U.S. law that implements a comprehensive framework to protect information systems used in U.S. federal government agencies. Known as the Federal Information Security Management Act prior to 2014.
  • fiber optic: Technology that converts electrical data signals to light and delivers constant data speeds in the upload and download directions over a dedicated fiber optic cable medium. Fiber optic technology is much faster and more secure than other types of network technology.
  • Financial Services Modernization Act of 1999: See Gramm-Leach-Bliley Act (GLBA).
  • FISMA: See Federal Information Security Modernization Act (FISMA).
  • floppy disk: A removable magnetic storage medium commonly used from the mid-1970s until about 2007, when it was largely replaced by removable USB storage devices.
  • flow control: A technique used to monitor the flow of data between devices to ensure that a receiving device, which may not necessarily be operating at the same speed as the transmitting device, doesn't drop packets.
  • fully qualified domain name (FQDN): The complete domain name for a specific computer, service, or resource connected to the internet or a private network.
  • GDPR: See General Data Protection Regulation (GDPR).
  • General Data Protection Regulation (GDPR): A European Union (EU) regulation that applies to any organization that does business with EU citizens. It strengthens data protection for EU citizens and addresses the export of personal data outside the EU.
  • Generic Routing Encapsulation (GRE): A tunneling protocol developed by Cisco Systems that can encapsulate various network layer protocols inside virtual point-to-point links.
  • GLBA: See Gramm-Leach-Bliley Act (GLBA).
  • Gramm-Leach-Bliley Act (GLBA): A U.S. law that requires financial institutions to implement privacy and information security policies to safeguard the non-public personal information of clients and consumers. Also known as the Financial Services Modernization Act of 1999.
  • GRE: See Generic Routing Encapsulation (GRE).
  • hacker: Term originally used to refer to anyone with highly specialized computing skills, without connoting good or bad purposes. However, common misuse of the term has redefined a hacker as someone that circumvents computer security with malicious intent, such as a cybercriminal, cyberterrorist, or hacktivist.
  • hash signature: A cryptographic representation of an entire file or program's source code.
  • Health Insurance Portability and Accountability Act (HIPAA): A U.S. law that defines data privacy and security requirements to protect individuals' medical records and other personal health information. See also covered entity and protected health information (PHI).
  • heap spray: A technique used to facilitate arbitrary code execution by injecting a certain sequence of bytes into the memory of a target process.
  • hextet: A group of four 4-bit hexadecimal digits in a 128-bit IPv6 address. See also Internet Protocol (IP) address.
  • high-order bits: The first four bits in a 32-bit IPv4 address octet. See also Internet Protocol (IP) address, octet, and low-order bits.
  • HIPAA: See Health Insurance Portability and Accountability Act (HIPAA).
  • hop count: The number of router nodes that a packet must pass through to reach its destination.
  • hosted hypervisor: A hypervisor that runs within an operating system environment. Also known as a Type 2 hypervisor. See also hypervisor and native hypervisor.
  • HTTP: See Hypertext Transfer Protocol (HTTP).
  • HTTPS: See Hypertext Transfer Protocol Secure (HTTPS).
  • hub (or concentrator): A device used to connect multiple networked devices together on a local-area network (LAN).
  • Hypertext Transfer Protocol (HTTP): An application protocol used to transfer data between web servers and web browsers.
  • Hypertext Transfer Protocol Secure (HTTPS): A secure version of HTTP that uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption. See also Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
  • hypervisor: Technology that allows multiple, virtual (or guest) operating systems to run concurrently on a single physical host computer.
  • IaaS: See infrastructure as a service (IaaS).
  • IANA: See Internet Assigned Numbers Authority (IANA).
  • IETF: See Internet Engineering Task Force (IETF).
  • indicator of compromise (IoC): A network or operating system (OS) artifact that provides a high level of confidence that a computer security incident has occurred.
  • infrastructure as a service (IaaS): A cloud computing service model in which customers can provision processing, storage, networks, and other computing resources and deploy and run operating systems and applications. However, the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over operating systems, storage, and deployed applications, and some networking components (for example, host firewalls). The company owns the deployed applications and data, and it is therefore responsible for the security of those applications and data.
  • initialization vector (IV): A random number used only once in a session, in conjunction with an encryption key, to protect data confidentiality. Also known as a nonce.
  • inodes: A data structure used to store information about files and directories in a file-based storage system, but not the filenames or data content itself.
  • Internet Assigned Numbers Authority (IANA): A private, nonprofit U.S. corporation that oversees global IP address allocation, autonomous system (AS) number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and internet numbers. See also autonomous system (AS) and Domain Name System (DNS).
  • Internet Engineering Task Force (IETF): An open international community of network designers, operators, vendors, and researchers concerned with the evolution of the internet architecture and the smooth operation of the internet.
  • Internet Protocol (IP) address: A 32-bit or 128-bit identifier assigned to a networked device for communications at the Network layer of the OSI model or the Internet layer of the TCP/IP model. See also Open Systems Interconnection (OSI) reference model and Transmission Control Protocol/Internet Protocol (TCP/IP) model.
  • intranet: A private network that provides information and resources – such as a company directory, human resources policies and forms, department or team files, and other internal information – to an organization's users. Like the internet, an intranet uses the HTTP and/or HTTPS protocols, but access to an intranet is typically restricted to an organization's internal users. Microsoft SharePoint is a popular example of intranet software. See also Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS).
  • IoC: See indicator of compromise (IoC).
  • IP address: See Internet Protocol (IP) address.
  • IP telephony: See Voice over Internet Protocol (VoIP).
  • IV: See initialization vector (IV).
  • jailbreaking: Hacking an Apple iOS device to gain root-level access to the device. This hacking is sometimes done by end users to allow them to download and install mobile apps without paying for them, from sources, other than the App Store, that are not sanctioned and/or controlled by Apple. Jailbreaking bypasses the security features of the device by replacing the firmware's operating system with a similar, albeit counterfeit version, which makes the device vulnerable to malware and exploits. See also rooting.
  • Kerberos: A ticket-based authentication protocol in which "tickets" are used to identify network users.
  • LAN: See local-area network (LAN).
  • least privilege: A network security principle in which only the permission or access rights necessary to perform an authorized task are granted.
  • least significant bit: The last bit in a 32-bit IPv4 address octet. See also Internet Protocol (IP) address, octet, and most significant bit.
  • linear bus topology: See bus topology.
  • local-area network (LAN): A computer network that connects laptop and desktop computers, servers, printers, and other devices so that applications, databases, files and file storage, and other networked resources can be shared across a relatively small geographic area such as a floor, a building, or a group of buildings.
  • low-order bits: The last four bits in a 32-bit IPv4 address octet. See also Internet Protocol (IP) address, octet, and high-order bits.
  • MAC address: See media access control (MAC) address.
  • malware: Malicious software or code that typically damages, takes control of, or collects information from an infected endpoint. Malware broadly includes viruses, worms, Trojan horses (including Remote Access Trojans, or RATs), anti-AV, logic bombs, back doors, rootkits, bootkits, spyware, and (to a lesser extent) adware.
  • master boot record (MBR): The first sector on a computer hard drive, containing information about how the logical partitions (or file systems) are organized on the storage media, and an executable boot loader that starts up the installed operating system.
  • MBR: See master boot record (MBR).
  • media access control (MAC) address: A unique 48-bit or 64-bit identifier assigned to a network interface controller (NIC) for communications at the Data Link layer of the OSI model. See also Open Systems Interconnection (OSI) reference model.
  • metamorphism: A programming technique used to alter malware code with every iteration, to avoid detection by signature-based anti-malware software. Although the malware payload changes with each iteration – for example, by using a different code structure or sequence, or inserting garbage code to change the file size – the fundamental behavior of the malware payload remains unchanged. Metamorphism uses more advanced techniques than polymorphism. See also polymorphism.
  • Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP): A protocol used to authenticate Microsoft Windows-based workstations using a challenge-response mechanism to authenticate PPTP connections without sending passwords. See also point-to-point tunneling protocol (PPTP).
  • most significant bit: The first bit in a 32-bit IPv4 address octet. See also Internet Protocol (IP) address, octet, and least significant bit.
  • MS-CHAP: See Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP).
  • mutex: A program object that allows multiple program threads to share the same resource, such as file access, but not simultaneously.
  • NAT: See network address translation (NAT).
  • National Cybersecurity Protection Advancement Act of 2015: A U.S. regulation that amends the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthens privacy and civil liberties protections.
  • native hypervisor: A hypervisor that runs directly on the host computer hardware. Also known as a Type 1 or bare metal hypervisor. See also hypervisor and hosted hypervisor.
  • NERC: See North American Electric Reliability Corporation (NERC).
  • network address translation (NAT): A technique used to virtualize IP addresses by mapping private, non-routable IP addresses assigned to internal network devices to public IP addresses.
  • Network and Information Security (NIS) Directive: A European Union (EU) directive that imposes network and information security requirements for banks, energy companies, healthcare providers and digital service providers, among others.
  • NIS Directive: See Network and Information Security (NIS) Directive.
  • nonce: See initialization vector (IV).
  • North American Electric Reliability Corporation (NERC): A not-for-profit international regulatory authority responsible for assuring the reliability of the bulk electric system (BES) in the continental United States, Canada, and the northern portion of Baja California, Mexico. See also bulk electric system (BES) and Critical Infrastructure Protection (CIP).
  • obfuscation: A programming technique used to render code unreadable. It can be implemented using a simple substitution cipher, such as an exclusive or (XOR) operation, or more sophisticated encryption algorithms, such as the Advanced Encryption Standard (AES). See also Advanced Encryption Standard (AES), exclusive or (XOR), and packer.
  • octet: A group of 8 bits in a 32-bit IPv4 address. See Internet Protocol (IP) address.
  • one-way (hash) function: A mathematical function that creates a unique representation (a hash value) of a larger set of data in a manner that is easy to compute in one direction (input to output), but not in the reverse direction (output to input). The hash function can't recover the original text from the hash value. However, an attacker could attempt to guess what the original text was and see if it produces a matching hash value.
  • Open Systems Interconnection (OSI) reference model: A seven-layer networking model consisting of the Application (Layer 7 or L7), Presentation (Layer 6 or L6), Session (Layer 5 or L5), Transport (Layer 4 or L4), Network (Layer 3 or L3), Data Link (Layer 2 or L2), and Physical (Layer 1 or L1) layers. Defines standard protocols for communication and interoperability using a layered approach in which data is passed from the highest layer (application) downward through each layer to the lowest layer (physical), then transmitted across the network to its destination, then passed upward from the lowest layer to the highest layer. See also data encapsulation.
  • optical carrier: A standard specification for the transmission bandwidth of digital signals on Synchronous Optical Networking (SONET) fiber optic networks. Optical carrier transmission rates are designated by the integer value of the multiple of the base rate (51.84Mbps). For example, OC-3 designates a 155.52Mbps (3 x 51.84) network and OC-192 designates a 9953.28Mbps (192 x 51.84) network.
  • OSI model: See Open Systems Interconnection (OSI) reference model.
  • PaaS: See platform as a service (PaaS).
  • packer: A software tool that can be used to obfuscate code by compressing a malware program for delivery, then decompressing it in memory at run time. See also obfuscation.
  • packet capture (pcap): A traffic intercept of data packets that can be used for analysis.
  • packet-switched network: A network in which devices share bandwidth on communications links to transport packets between a sender and receiver across a network.
  • PAP: See Password Authentication Protocol (PAP).
  • Password Authentication Protocol (PAP): An authentication protocol used by PPP to validate users with an unencrypted password. See also point-to-point protocol (PPP).
  • Payment Card Industry Data Security Standards (PCI DSS): A proprietary information security standard mandated and administered by the PCI Security Standards Council (SSC), and applicable to any organization that transmits, processes, or stores payment card (such as debit and credit cards) information. See also PCI Security Standards Council (SSC).
  • pcap: See packet capture (pcap).
  • PCI: See Payment Card Industry Data Security Standards (PCI DSS).
  • PCI DSS: See Payment Card Industry Data Security Standards (PCI DSS).
  • PCI Security Standards Council (SSC): A group comprising Visa, MasterCard, American Express, Discover, and JCB that maintains, evolves, and promotes PCI DSS. See also Payment Card Industry Data Security Standards (PCI DSS).
  • PDU: See protocol data unit (PDU).
  • Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian privacy law that defines individual rights with respect to the privacy of their personal information, and governs how private sector organizations collect, use, and disclose personal information in the course of business.
  • Personally Identifiable Information (PII): Defined by the U.S. National Institute of Standards and Technology (NIST) as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity… and (2) any other information that is linked or linkable to an individual…."
  • pharming: A type of attack that redirects a legitimate website's traffic to a fake site.
  • PHI: See protected health information (PHI).
  • PII: See Personally Identifiable Information (PII).
  • PIPEDA: See Personal Information Protection and Electronic Documents Act (PIPEDA).
  • PKI: See public key infrastructure (PKI).
  • platform as a service (PaaS): A cloud computing service model in which customers can deploy supported applications onto the provider's cloud infrastructure, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over the deployed applications and limited configuration settings for the application-hosting environment. The company owns the deployed applications and data, and it is therefore responsible for the security of those applications and data.
  • PoE: See power over Ethernet (PoE).
  • point-to-point protocol (PPP): A Layer 2 (Data Link) protocol used to establish a direct connection between two nodes.
  • point-to-point tunneling protocol (PPTP): An obsolete method for implementing virtual private networks, with many known security issues, that uses a TCP control channel and a GRE tunnel to encapsulate PPP packets. See also Transmission Control Protocol (TCP), Generic Routing Encapsulation (GRE), and point-to-point protocol (PPP).
  • polymorphism: A programming technique used to alter a part of malware code with every iteration, to avoid detection by signature-based anti-malware software. For example, an encryption key or decryption routine may change with every iteration, but the malware payload remains unchanged. See also metamorphism.
  • power over Ethernet (PoE): A network standard that provides electrical power to certain network devices over Ethernet cables.
  • PPP: See point-to-point protocol (PPP).
  • PPTP: See point-to-point tunneling protocol (PPTP).
  • pre-shared key (PSK): A shared secret, used in symmetric key cryptography, that has been exchanged between two parties communicating over an encrypted channel.
  • promiscuous mode: Refers to Ethernet hardware used in computer networking, typically a network interface card (NIC), that receives all traffic on a network segment, even if the traffic is not addressed to the hardware.
  • protected health information (PHI): Defined by HIPAA as information about an individual's health status, provision of healthcare, or payment for healthcare that includes identifiers such as names, geographic identifiers (smaller than a state), dates, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, or photographs. See also Health Insurance Portability and Accountability Act (HIPAA).
  • protocol data unit (PDU): A self-contained unit of data (consisting of user data or control information and network addressing).
  • PSK: See pre-shared key (PSK).
  • public key infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public key encryption.
  • QoS: See Quality of Service (QoS).
  • Quality of Service (QoS): The overall performance of specific applications or services on a network including error rate, bit rate, throughput, transmission delay, availability, jitter, etc. QoS policies can be configured on certain network and security devices to prioritize certain traffic, such as voice or video, over other, less performance-intensive traffic, such as file transfers.
  • RADIUS: See Remote Authentication Dial-In User Service (RADIUS).
  • rainbow table: A pre-computed table used to find the original value of a cryptographic hash function.
  • RARP: See Reverse Address Resolution Protocol (RARP).
  • recursive DNS query: A DNS query that is performed (if the DNS server allows recursive queries) when a DNS server is not authoritative for a destination domain. The non-authoritative DNS server obtains the IP address of the authoritative DNS server for the destination domain and sends the original DNS request to that server to be resolved. See also Domain Name System (DNS) and authoritative DNS server.
  • Remote Authentication Dial-In User Service (RADIUS): A client-server protocol and software that enables remote access servers to communicate with a central server to authenticate users and authorize access to a system or service.
  • remote procedure call (RPC): An inter-process communication (IPC) protocol that enables an application to be run on a different computer or network, rather than on the local computer on which it is installed.
  • repeater: A network device that boosts or retransmits a signal to physically extend the range of a wired or wireless network.
  • representational state transfer (REST): An architectural programming style that typically runs over HTTP, and is commonly used for mobile apps, social networking websites, and mashup tools. See also Hypertext Transfer Protocol (HTTP).
  • REST: See representational state transfer (REST).
  • Reverse Address Resolution Protocol (RARP): A protocol that translates a physical MAC address to a logical address. See also media access control (MAC) address.
  • ring topology: A LAN topology in which all nodes are connected in a closed loop that forms a continuous ring. In a ring topology, all communication travels in a single direction around the ring. Ring topologies were common in token ring networks. See also local-area network (LAN).
  • rooting: The Google Android equivalent of jailbreaking. See jailbreaking.
  • router: A network device that sends data packets to a destination network along a network path.
  • RPC: See remote procedure call (RPC).
  • SaaS: See software as a service (SaaS).
  • salt: Randomly generated data that is used as an additional input to a one-way hash function that hashes a password or passphrase. The same original text hashed with different salts results in different hash values.
  • Sarbanes-Oxley (SOX) Act: A U.S. law that increases financial governance and accountability in publicly traded companies.
  • script kiddie: Someone with limited hacking and/or programming skills who uses malicious programs (malware) written by others to attack a computer or network.
  • Secure Sockets Layer (SSL): A cryptographic protocol for managing authentication and encrypted communication between a client and server to protect the confidentiality and integrity of data exchanged in the session.
  • service set identifier (SSID): A case-sensitive, 32-character alphanumeric identifier that uniquely identifies a Wi-Fi network.
  • software as a service (SaaS): A cloud computing service model, defined by the U.S. National Institute of Standards and Technology (NIST), in which "the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings."
  • SONET: See Synchronous Optical Networking (SONET).
  • SOX: See Sarbanes-Oxley (SOX) Act.
  • spear phishing: A highly targeted phishing attack that uses specific information about the target to make the phishing attempt appear legitimate.
  • SSID: See service set identifier (SSID).
  • SSL: See Secure Sockets Layer (SSL).
  • STIX: See Structured Threat Information Expression (STIX).
  • Structured Threat Information Expression (STIX): An XML format for conveying data about cybersecurity threats in a standardized format. See also Extensible Markup Language (XML).
  • subnet mask: A number that hides the network portion of an IPv4 address, leaving only the host portion of the IP address. See also Internet Protocol (IP) address.
  • subnetting: A technique used to divide a large network into smaller, multiple subnetworks.
  • supernetting: A technique used to aggregate multiple contiguous smaller networks into a larger network to enable more efficient internet routing.
  • switch: An intelligent hub that forwards data packets only to the port associated with the destination device on a network.
  • Synchronous Optical Networking (SONET): A protocol that transfers multiple digital bit streams synchronously over optical fiber.
  • T-carrier: A full-duplex digital transmission system that uses multiple pairs of copper wire to transmit electrical signals over a network. For example, a T-1 circuit consists of two pairs of copper wire – one pair transmits, the other pair receives – that are multiplexed to provide a total of 24 channels, each delivering 64Kbps of data, for a total bandwidth of 1.544Mbps.
  • TCP: See Transmission Control Protocol (TCP).
  • TCP segment: A protocol data unit (PDU) defined at the Transport layer of the OSI model. See also protocol data unit (PDU) and Open Systems Interconnection (OSI) reference model.
  • three-way handshake: A sequence used to establish a TCP connection. For example, a PC initiates a connection with a server by sending a TCP SYN (Synchronize) packet. The server replies with a SYN ACK packet (Synchronize Acknowledgment). Finally, the PC sends an ACK or SYN-ACK-ACK packet, acknowledging the server's acknowledgement, and data communication commences. See also Transmission Control Protocol (TCP).
  • TCP/IP model: See Transmission Control Protocol/Internet Protocol (TCP/IP) model.
  • threat vector: See attack vector.
  • TLD: See top-level domain (TLD).
  • TLS: See Transport Layer Security (TLS).
  • top-level domain (TLD): The highest level domain in DNS, represented by the last part of a FQDN (for example, .com or .edu). The most commonly used TLDs are generic top-level domains (gTLD) such as .com, .edu, .net, and .org, and country-code top-level domains (ccTLD) such as .ca and .us.
  • Tor ("The Onion Router"): Software that enables anonymous communication over the internet.
  • Transmission Control Protocol (TCP): A connection-oriented (a direct connection between network devices is established before data segments are transferred) protocol that provides reliable delivery (received segments are acknowledged and retransmission of missing or corrupted segments is requested) of data.
  • Transmission Control Protocol/Internet Protocol (TCP/IP) model: A four-layer networking model consisting of the Application (Layer 4 or L4), Transport (Layer 3 or L3), Internet (Layer 2 or L2), and Network Access (Layer 1 or L1) layers.
  • Transport Layer Security (TLS): The successor to SSL (although it is still commonly referred to as SSL). See also Secure Sockets Layer (SSL).
  • Type 1 hypervisor: See native hypervisor.
  • Type 2 hypervisor: See hosted hypervisor.
  • UDP: See user datagram protocol (UDP).
  • UDP datagram: A protocol data unit (PDU) defined at the Transport layer of the OSI model. See also user datagram protocol (UDP) and Open Systems Interconnection (OSI) reference model.
  • uniform resource locator (URL): A unique reference (or address) to an internet resource, such as a webpage.
  • URL: See uniform resource locator (URL).
  • user datagram protocol (UDP): A connectionless (a direct connection between network devices is not established before datagrams are transferred) protocol that provides best-effort delivery (received datagrams are not acknowledged and missing or corrupted datagrams are not requested) of data.
  • variable-length subnet masking (VLSM): A technique that enables IP address spaces to be divided into different sizes. See also Internet Protocol (IP) address.
  • virtual LAN (VLAN): A logical network that is created within a physical local-area network.
  • VLAN: See virtual LAN (VLAN).
  • VLSM: See variable-length subnet masking (VLSM).
  • Voice over Internet Protocol (VoIP): Technology that provides voice communication over an Internet Protocol (IP)-based network. Also known as IP telephony.
  • VoIP: See Voice over Internet Protocol (VoIP).
  • vulnerability: A bug or flaw that exists in a system or software and creates a security risk.
  • WAN: See wide-area network (WAN).
  • watering hole: An attack that compromises websites that are likely to be visited by a targeted victim to deliver malware via a drive-by-download. See also drive-by-download.
  • Web 2.0: A term popularized by Tim O'Reilly and Dale Dougherty unofficially referring to a new era of the World Wide Web, which is characterized by dynamic or user-generated content, interaction, and collaboration, and the growth of social media. See also Enterprise 2.0.
  • whaling: A type of spear phishing attack that is specifically directed at senior executives or other high-profile targets within an organization. See also spear phishing.
  • wide-area network (WAN): A computer network that connects multiple LANs or other WANs across a relatively large geographic area, such as a small city, a region or country, a global enterprise network, or the entire planet (for example, the internet). See also local-area network (LAN).
  • wireless access point (AP): A network device that connects to a router or wired network and transmits a Wi-Fi signal so that wireless devices can connect to a wireless (or Wi-Fi) network.
  • wireless repeater: A device that rebroadcasts the wireless signal from a wireless router or AP to extend the range of a Wi-Fi network.
  • XML: See Extensible Markup Language (XML).
  • XOR: See exclusive or (XOR).
  • zero-day threat: The window of vulnerability that exists from the time a new (unknown) threat is released until security vendors release a signature file or security patch for the threat.
  • zombie: See bot.