# Introduction to Cybersecurity

Risk can only be reduced, not removed 

The design principle of cybersecurity is to reduce the number of administrative personnel to be as few as possible. This reduces the amount of entry points and attack vectors into a system

Security solutions must answer the following key questions: 

- what dictates when there is a real security problem?
- what separates true threats from false positives? 
- how do you know?
- when do you know a threat is real?

# Incidents, Trojans, Worms, and Attacks

Red teams only need to find a single way through defensive measures, whereas blue teams must protect all possible vectors

There are two types of attacks:

- **brute force**: guessing
- **heuristic**: relies on cleverness to find vulnerabilities. Expensive and time consuming, but if done right extremely powerful

There are four types of attackers:

- hackers (white hat, black hat, gray hat)
- cyber criminals
- cyber terrorists
- nation states

Attacks may originate from anywhere in the world but must be protected against by a local asset owner

There are five types of defenders:

- individual users protecting their own data
- enterprise security teams
- cybersecurity technology vendors
- government and regulatory bodies
- cyber military and intelligence organizations

## Worms

**Worm**: self-propagating virus commonly distributed via phishing. Typically follows these general steps: 

1. find target
2. put worm there
3. run worm
4. repeat

## Trojans

There exist vulnerabilities between different stages of software operation (compiling, assembling etc.)

Unless you directly wrote the source code, compiler, and assembler yourself, **you can't trust software**

Trojans and back doors that are inserted at the compiler stage are immune to code reviews, meaning that **looking at source code proves nothing**

### Mitigating Software Trojans

There are two approaches to dealing with these threats

The first represents standard industrial risk mitigation strategies and consists of the following steps:

1. review vendor software development processes
2. inspect vendor hardware and software
3. specify vendor integrity requirements in contracts
4. monitor the community for evidence of vendor issues
5. proxy outbound communications to unknown software

Alternatively, the government approach requires greater overhead but is a more thorough process:

1. use social engineered expose backdoor access
   1. ex: call vendor in distress, begging for assisted access to the procured system
2. comparatively analyze multiple instances of vendor product 
   1. ex: purchase some product in critical and non-critical contexts and compare the two for differences
3. learn from present and former employees about trojan insertions
   1. pay, blackmail snitches etc. 
4. surveillance and signals intelligence
   1. lawful intercepts
5. embed informant developers into vendors

## Incidents

The following big-name incidents demonstrate important applied cybersecurity concepts

- 2014 Target: **lateral traversal**, meaning no security within the perimeter of enterprise networks 
- 2014 Ebay: sloppy administrative procedures resulted in the exploitation of a company-wide password reset function being exploited. Demonstrates the incompetency of CEOs in cybersecurity manners
- 2014 Home Depot: inadequate resources and funding provided to the cybersecurity department resulted in easily-preventable damages
- 2014 JP Morgan: vulnerabilities can oftentimes be found in data, not infrastructure
- 2014 Sony: an advanced BIOS attack was used to knock-out hardware. Sony Pictures and the Sony Company was deliberately segmented and air-gapped, which prevented further damages 
- 2015 Anthem: the value of what may be stolen varies greatly
- 2015 Penn State: companies will pay for cybersecurity expertise
- 2015 OPM Breach: an over-reliance on DMZ perimeter security is dangerous
- 2015 Harvard: sometimes when data is stolen it is an 'invisible' attack, meaning that it may be unknown if an attack even happened until far later (if at all). Also, cybersecurity incidents may be swept under the rug if it benefits involved parties
- 2015 T-Mobile: companies will blame partners for incidents, and third-party security becomes a problem when outsourcing takes place
- 2015 Comcast: data may be sold on the Darkweb, and there needs to be regulation to prevent companies from buying this leaked data
- 2015 Ukrainian Power Plant: there exist cyber-physical threats that can damage SCADA systems even without direct access to said systems
- 2016 Wendy's: first class-action lawsuit for cyber liability
- 2016 Myspace: don't reuse passwords across accounts
- 2016 DDoS on DYN: bots aren't needed to run on dedicated computers but may instead use IoT devices
- 2017 WannaCry: demonstrated the vulnerability of businesses to ransomware via ineffective backup practices as well as weak disaster recovery procedures
- 2017 Equifax: demonstrated the vulnerabilities of open source software
- 2019 Capital One: AWS/cloud misconfigurations demonstrate the growing pains of new technologies
- 2020 Twitter: showed why the concept of **least privilege** is necessary
- 2020 Solarwinds: consisted of code injection and vulnerabilities with software supply chains
- 2021 Colonial Pipeline: demonstrated the vulnerability of critical infrastructure
- 2021 Log4j: revealed vulnerabilities in executing remote code


# Threat-Vulnerability Analysis 

**Proactive** safeguards typically track indicators and as a result may lead to many false positives and subsequent overreactions

**Reactive** safeguards execute if there's a high confidence that an attack has occurred. This is un-acceptable when the consequences of waiting are too high

Safeguards may be functional, procedural, or policy-oriented

Defense in depth thrives on complimentary protections. Example: AAA (Authentication -> Access Control -> Audit)

The core basis of security is the following: entities, malicious or benign, seek to access or modify data, with security determining what, when, and how this is allowed

The four types of adversaries and their motivations are:

- **hacker**: mischief
- **hacktivist**: anger
- **criminal**: greed
- **nation state**: dominance

Vulnerabilities can generally be classified into the following types, each with their respective root causes:

- **system flaw**: complexity
- **lack of security**: budget
- **human actions**: ignorance
- **organizational**: irresponsibility

Threat types and their motivations are as follow: 

- **disclosure**: secrets
- **integrity**: degradation
- **denial of service**: disruption
- **theft/fraud**: money/goods

**It is a very bad idea to try and actively search for vulnerabilities**. There are simply far too many to find them all. Processes such as software testing only demonstrates the presence of vulnerabilities, not absence thereof 

The following represents key pieces of cybersecurity terminology:

- **asset**: resources that are required for an organization to meet its mission. Varies depending on what that mission is
- **threats**: malicious outcomes levied against assets
  - **confidentiality threat**: information disclosed to unauthorized parties
    - **privacy threat**: personal information disclosed to unauthorized parties
  - **integrity threat**: asset malicious altered or destroyed
  - **availability threat**: asset malicious blocked from authorized usage
  - **theft/fraud**: stealing service or product without paying
- **vulnerability**: a system or bug that can be malicious exploited
- **attack**: sequence of steps to exploit a vulnerability
- **risk**: probability x consequence

Asset prioritization plays a key role in security. The ultimate goal is resilience, which is achieved by making all system components replaceable

**Asset-focused security** provides a systematic method in which assets are identified, defined, and the threats against them listed. This enables the justification of security decisions and the prioritization of recommendations based on needs hierarchies and available resources

Threat-Asset matrices visualize this concept:

|Threat/Asset|Threat 1|...|Threat m|
|-|-|-|-|
|**Asset 1**|P = 3,2,1 <br /> C = 3,2,1 <br /> **R = P x C**|||
|...||||
|**Asset n**|||P = 3 <br /> C = 2 <br /> **R = 6**|

In the above matrix, each asset is listed along with the corresponding threats that it may face (typically in terms of the CIA triad plus a few others dependent on the situation). The risk of each threat on each asset is estimated by multiplying the estimated probability of such a threat occurring by the estimated magnitude of its impact. Estimates are on a simple scale such as (3,2,1) using an ordinal scheme

# Authentication Protocols

There are three methods of cryptanalysis:

- **ciphertext only**: black box 
- **known plaintext**: the cryptanalyst can observe hints but has no control over the system. Enables the creation of a tiny codebook through observing repeated trends and patterns 
- **chosen plaintext**: the cryptanalyst has the encryption function. Enables the creation of an extensive codebook through experimentation

There are two requirements to protect encrypted data:

1. the encryption function must be cryptographically hard
2. cleartext and ciphertext domains must be huge

**Authentication**: process of validating a reported identity. There is no absolute right answer. Instead, the other party must be convinced (there is no control group to compare known correct answers)

## Bypassing Authentication

There exist different zones wherein authentication takes place: 

- **zone 1**: client. Most attacks start here
- **zone 2**: network. Harder, but once unlocked can easily be scaled
- **zone 3**: server

Perfect cryptography does not exist. For example, a solution may be 'perfect' in zone 2, but what happens if its keybook is stolen in zone 1?

Passwords are easy to use but are vulnerable

- **attack surface**: all methods and interfaces through which your system may be reached and attacked. Password storage and management systems are extremely vulnerable
- password reuse is a common problem

## Kerberos

A symmetric key protocol used for SSO. Using this, a client can authenticate to a server without a password on a local area network

**Key Distribution Center (KDC)**: enables conventional cryptography, meaning that PKI is not required

Steps:

1. enter local Kerberos password to enable what is to come
2. A requests a **ticket generating ticket (TGT)** and a session key
3. KDC creates a session key and the TGT
4. KDC sends session key and TGT to A, encrypted with $K_A$
5. A decrypts the received message to get the session key and TGT. Due to encryption, the adversary can't get the session key
6. A requests to connect with B and provides the TGT and the **authenticator** (the time encrypted with the session key)
7. KDC creates a session key $S_{AB}$ and a ticket to B $T_B$. This is for A (client) to talk to B (server)
8. KDC sends $S_{AB}$ and $T_B$ to A
9. A decrypts received message to get $S_{AB}$ and $T_B$
10. A sends B $T_B$
11. B decrypts $T_B$ and checks the time

# Symmetric Cryptography

**Conventional cryptography**: five-tuple of (Enc, Dec, P, C, K)

Two basic design strategies of encryption algorithms:

- substitution cipher: linear or exponential
- transposition cipher: matrix arithmetic to represent and manipulate text (linear algebra)

**DES**: 56-bit key, 64-bit block, 16 rounds. Deprecated

- **3DES**: 168-bit key

**AES**: 128, 192, or 256-bit key, 128-bit plaintext

Block chaining (**invented by IBM ~40 years ago**):

- **covert channel**: mechanism that can be used for communication that wasn't intended for communication
- block chain: what came before matters (current encryption is taken in context of past events)
- previously generated hash is used in the computation of the current one

# Public Key Cryptography (PKI)

Problems of conventional cryptography:

- vulnerable to prediction
- $2^56$ is small
- scaling issues

PKI replaces the key management center, allowing symmetric key cryptography to remain the same operationally but limiting its scope. THe following properties of conventional cryptography must be maintained:

- secrecy between A and B (E can't read messages)
- authentication of A by B (E can't spoof)
- must scale

PKI basics:

- A generates pair of keys $P_A$ and $S_A$
- B generates pair of keys $P_B$ and $S_B$
- requirements to provide scaling:
  - keep $S_A, S_B$ secret to A, B
  - make $P_A, P_B$ public to all
  - no KDC required to generate keys

In cybersecurity, the development of supporting infrastructure (e.g., PKI) is just as important as the development of technologies (e.g., encryption algorithms) themselves

To **maintain secrecy and authentication**: encrypt messages with private key and then with the public key of the recipient: $ENC_{pub}(ENC_{pri}(k))$ 

- encryption with the public key requires a private key to decrypt (**secrecy**)
- encryption with your own secret key provides authentication (**digital signature**)

## Diffie-Hellman Secure Key Exchange

Used to get keys from A to B without the use of a KDC. Uses the same principle as above, replacing message m with the key in question

Each party generates a significantly large random number, a and b. Large primes p and g are publicly known

B shares $g^bmodp$ with A, and A shares $g^amodp$ with B

$(g^bmodp)^a = (g^amodp)^b = g^{ab}modp$ for both, therefore secure 

Invented by James Ellis in 1969, but due to the nature of classified work he never got credit for it

## RSA

Used in the generation of public and private keys. Two large primes are picked and are kept secret. They are multiplied. The product is the public key, and the private key is one of the original primes (knowing one of the primes, it is easy to divide: public/prime)