
# Cybersecurity
### Brendan Shea, PhD (Brendan.Shea@rctc.edu)


Welcome to the exciting world of cybersecurity! In today's digital age, cybersecurity is more important than ever, as our daily lives become increasingly interconnected and reliant on technology. From online banking to social media, we rely on the internet for a multitude of tasks, making the need to protect our digital assets and personal information a top priority. In this lesson, we will delve into the fascinating world of cybersecurity, providing an engaging mix of concepts, real-world examples, and simple Python examples where applicable.

#### What is Cybersecurity?

At its core, cybersecurity is the practice of protecting computer systems, networks, and data from theft, damage, or unauthorized access. It encompasses a range of technologies, processes, and practices designed to safeguard digital information and infrastructure from cyber threats. Understanding the basic concepts of cybersecurity, such as Confidentiality, Integrity, and Availability (often referred to as the **CIA triad**), is essential to building a strong foundation in the field.

-   **Confidentiality** ensures that sensitive information is only accessible to authorized individuals.
-   **Integrity** guarantees the accuracy and reliability of data by preventing unauthorized modifications.
-   **Availability** ensures that information and systems are accessible to authorized users when needed.

By exploring the intricacies of cybersecurity, you'll gain a newfound appreciation for the critical role it plays in our modern world. Moreover, you'll learn about the ever-evolving landscape of cybercrime, the various actors involved, and the motivations driving them. Additionally, you'll be introduced to cryptography, the art of securing communication through encryption, and its role in protecting sensitive data.

## Cybersecurity Threats and How They Work

The digital world is rife with various types of cybersecurity threats, each with unique mechanisms and potential impacts. They can range from harmful software infiltrating your systems, deceptive emails tricking you into revealing sensitive information, to malicious software that locks you out of your data until a ransom is paid. Let's explore these threats in detail to understand how they work.

### Malware

Malware, short for "malicious software," includes several types of harmful software such as viruses, worms, Trojans, and ransomware. The common thread among these various forms is their intent: to harm your computer, network, or data.

-   *Viruses* are a type of malware that attach themselves to clean files and spread throughout a computer system, infecting files with malicious code.

-   *Worms* are similar to viruses in their ability to self-replicate, but they typically spread without human intervention or any host program.

-   *Trojans* disguise themselves as legitimate software and trick users into downloading and installing them. Once on a user's system, they can execute malicious activities.

How does malware typically infiltrate a system? It often arrives through email attachments or software downloads. For example, you might receive an email that seems to come from a known contact with an attachment. When you open the attachment, the malware is installed on your computer.

### Phishing

Phishing is a form of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, posing as a trusted entity, tricks the victim into opening an email, instant message, or text message.   The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

An example of a phishing attack might be an email that appears to be from your bank. It may look exactly like the type of message your bank would send, complete with official-looking logos and language. The email might warn you of a security alert and ask you to log in to your account via a link in the email. However, if you click on the link, you'll be taken to a fake website designed to look like your bank's website where your information would be collected by the attackers.

### Ransomware

Ransomware is a type of malicious software designed to block access to a computer system or files until a sum of money (a ransom) is paid. This is often done by encrypting files on the target's system, making them inaccessible, and demanding a ransom to decrypt them.

Here's how a typical ransomware attack works: an unsuspecting user clicks on a malicious link, either in an email or on a website, that downloads the ransomware onto their computer. The ransomware then encrypts the user's files. When the user tries to access the files, they find them locked and receive a message demanding payment to unlock the files.

An infamous example is the WannaCry attack that struck in May 2017. It took advantage of a vulnerability in many versions of Windows to automatically spread across networks, encrypting files and demanding a ransom in Bitcoin to unlock them. The attack affected over 200,000 computers in 150 countries and caused significant disruption, particularly in the healthcare sector.

### SQL Injection

SQL (Structured Query Language) injection is a coding technique that attackers use to insert malicious SQL statements into a web application's database query. The attacker can exploit vulnerabilities in a web application's software to manipulate its database, which often contains sensitive user information.

Imagine a website with a login form asking for a username and password. The backend code might contain an SQL query that looks like this: `SELECT * FROM Users WHERE Username='INPUT_USERNAME' AND Password='INPUT_PASSWORD'`. Now, suppose an attacker enters `' OR '1'='1` in both the username and password fields. The SQL query becomes: `SELECT * FROM Users WHERE Username='' OR '1'='1' AND Password='' OR '1'='1'`. Since `'1'='1'` is always true, the result of this query is that the attacker is granted access even without a valid username or password.
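The login query described above, built two ways, as an added example that is not part of the original notebook: once by string concatenation and once with bound parameters. The `Users` table contents, the account `alice` and all function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    """In-memory Users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    # Constructed sample row. Plain-text passwords only mirror the query in
    # the text; a real table would hold salted password hashes.
    conn.execute("INSERT INTO Users VALUES (?, ?)", ("alice", "s3cret-Example"))
    return conn

def build_vulnerable_query(username, password):
    """String concatenation: user input becomes part of the SQL statement."""
    return ("SELECT * FROM Users WHERE Username='" + username +
            "' AND Password='" + password + "'")

def login_vulnerable(conn, username, password):
    """Runs the concatenated query; any returned row counts as a login."""
    query = build_vulnerable_query(username, password)
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the input as data, never as SQL."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # the input quoted in the text above
    print(build_vulnerable_query(payload, payload))
    print("concatenated, payload: ", login_vulnerable(conn, payload, payload))
    print("parameterized, payload:", login_parameterized(conn, payload, payload))
    print("parameterized, valid:  ",
          login_parameterized(conn, "alice", "s3cret-Example"))
```

With bound parameters the quote characters are compared literally against the `Username` column, so the same input matches no row.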

### Distributed Denial-of-Service (DDoS)

In a Distributed Denial-of-Service attack, an attacker overwhelms a network, server, or website with traffic, causing it to be slow for legitimate users or even go offline completely. This is usually done using a botnet, a network of private computers infected with malicious software and controlled as a group without the owners' knowledge.

Imagine a highway filled with cars trying to reach a single destination. Now, imagine a malicious actor sends a fleet of trucks to clog up all lanes, blocking any other cars from reaching the destination. In a DDoS attack, the highway is your network, and the trucks are the flood of illegitimate requests preventing the real users (cars) from accessing your service or website (the destination).

### Cross-Site Scripting (XSS)

Cross-Site Scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

For instance, let's say there's a website that allows users to post comments and it doesn't properly validate or escape input. An attacker could post a comment with a script in it that steals users' cookies. When another user views that comment, the script runs in their browser, sending their cookies to the attacker. With those cookies, the attacker could impersonate the user.

These attacks illustrate the variety and sophistication of threats that can challenge even well-secured systems. Understanding them is a crucial step in building a robust defense.

## Types of Threat Actors
In the realm of cybersecurity, the term **threat actor** refers to an entity—be it an individual, a group, or an organization—that poses a potential risk to the security of a system. Understanding the types of threat actors can illuminate the various motives, resources, and tactics at play in cybersecurity breaches.

**Internal Actors** are individuals within an organization who have legitimate access to its systems. These actors may either be negligent or malicious. In the case of negligence, an employee might leave a laptop containing sensitive information unattended at a coffee shop. The risk here isn't just the loss of the device, but the potential for the data to be exploited. On the malicious side, consider an employee who has grown discontented with the company and decides to sell confidential data to competitors. Internal threats are particularly tricky because they exploit the trust and access granted to them, making their actions harder to anticipate and detect.

**Hacktivists** are driven by ideological motives rather than financial gain. These are individuals or groups that use cyberattacks to promote a political agenda or social change. Take the example of Anonymous, a loosely affiliated group that has hacked websites to protest against issues such as censorship or animal cruelty. The attacks often involve defacing websites or leaking sensitive information to embarrass the target. What distinguishes hacktivists is their willingness to openly defy laws and norms to promote a cause they deeply care about.

**Organized Crime Groups** operate with a clear financial motive. These groups are well-coordinated and often employ experts in various fields of cybersecurity to accomplish their objectives. One common tactic is ransomware, where the group encrypts an organization's data and demands payment for its release. Another example would be carding schemes, where stolen credit card information is sold on the dark web. These groups are motivated by profit and will generally target entities that offer the highest potential financial gain with the least risk of being caught.

**Nation-State Actors** (or **Advanced Persistent Threats**) are perhaps the most sophisticated of all. These are individuals or groups backed by a country's resources and political agenda. They target other nations' infrastructures, government secrets, or commercial intellectual property. A famous example is the alleged Russian interference in the 2016 U.S. Presidential elections. The intent was not just to steal information, but to sway public opinion and affect the outcome of a critical democratic process. These actors are equipped with advanced tools and operate under the veil of state secrecy, making them exceedingly difficult to trace and counteract.

**Script Kiddies** are the novices of the hacking world. These individuals lack the expertise to develop their own hacking tools, so they use pre-made software to launch attacks. Despite their limited skills, they can still cause considerable damage. For instance, a script kiddie might use a readily available program to create a denial-of-service attack, overwhelming a school's computer network and disrupting its operations for a period. The motivation is often not financial or ideological, but rather a search for thrills or notoriety.

Understanding these diverse actors is critical for shaping effective cybersecurity strategies. Each comes with its own set of tactics, motivations, and levels of sophistication, requiring a nuanced approach to defense and mitigation.

## Principles of Secure Coding
Secure coding is the practice of writing programs that are resistant to intrusion and misuse. By adhering to secure coding principles, programmers can protect systems from threats and vulnerabilities. Here are several key principles of secure coding:

### Input Validation:

Input validation is the process of ensuring an application's input data is correct, meaningful, and secure before it's used. This process helps to prevent improperly formed data from entering an information system.  For instance, if a program expects an input to be a number, input validation will check that the user indeed entered a number.

```python
def validate(user_input):
    # str.isdigit() is True only when every character is a digit
    if not user_input.isdigit():
        print("Invalid input. Please enter a number.")
    else:
        print("Valid input.")

my_input = input("Please enter a number: ")
validate(my_input)
```

```
Please enter a number: 32sd
Invalid input. Please enter a number.
```


### Least Privilege:

The principle of least privilege advises that code should operate with the least amount of privilege necessary to complete its function. This minimizes the permissions an attacker could gain if they manage to exploit the software. For example, a Python script running as a system administrator would have unrestricted access to the system. If compromised, it could wreak havoc. But if the script runs as a lower-privilege user, any exploit's potential for damage is significantly reduced.

### Defense in Depth:

Defense in depth is a strategy that uses multiple layers of defense to guard against security failures in other areas. Just like a medieval castle doesn't rely on a single wall for protection, software shouldn't depend on a single security measure.  In Python, one layer could be input validation, ensuring only valid data is accepted. Another layer might be using parameterized queries or prepared statements to prevent SQL Injection attacks.

### Fail Securely:

When a function fails, it should handle the failure in a way that won't allow an exploit. This can involve shutting down the process, logging out the user, or other actions that limit access. For example, let's say we have a Python script that requires a user to enter a password to access a resource. If the password check fails, the process should end immediately and securely, not providing any unintended access or information to the user.

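```python
import hmac

def check_password(password):
    # Placeholder check for this example; a real system compares against a stored salted hash
    return hmac.compare_digest(password.encode(), b"example-password")

def access_resource(password):
    if not check_password(password):
        print("Access denied.")
        return  # End the process immediately
    # Access the resource
```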

### Don't Trust Security Through Obscurity:

Security through obscurity is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms. Relying on secrecy of design or implementation to provide security is not a good idea. Any system should be secure even if the attacker knows everything about how it works.


## Excellent Encryption
Encryption is one of the fundamental building blocks in the field of cybersecurity. It plays a crucial role in protecting data in transit and at rest, and is used in a multitude of applications, from secure communications and transactions to password protection and identity verification.

Technically, **encryption** is a method of converting plain text or data into a code (cipher text) to prevent unauthorized access. The process uses an algorithm (or cipher) and a key to transform the original data into a format that can only be read or processed after it's been decrypted.

There are two primary types of encryption: symmetric encryption and asymmetric encryption. We'll discuss each of these in turn.

### Symmetric Encryption
**Symmetric Encryption** is a method of cryptography where the same key is used for both encryption and decryption. The term "symmetric" captures the essence of this approach: balance and uniformity in the way the data is secured and accessed. In this model, the key serves as a shared secret between the sender and receiver.

Imagine you're sending a confidential letter through a courier. You place the letter in a box and lock it with a padlock. You then send the key for that padlock separately to the receiver. Upon receiving both the box and the key, the receiver unlocks the padlock to read the letter. Here, the padlock is akin to the encryption algorithm, and the key you used to lock and unlock the box is the symmetric key. The key must be securely shared and kept confidential between both parties, as anyone with access to it can unlock the box---or in our digital analogy, decrypt the data.

One of the major strengths of symmetric encryption is its speed and computational efficiency. Because it uses a single key, the algorithms can be much faster and require less computational power. This makes it ideal for encrypting large volumes of data. For example, streaming services often use symmetric encryption to securely deliver video content to viewers. The data packets are encrypted with a key, and the same key is used by your device to decrypt and display the video.

However, symmetric encryption has a significant drawback: the problem of key distribution. Both the sender and receiver need access to the same key, and transferring this key securely is a challenge. If someone intercepts the key during its transfer, the security of the encrypted data is compromised. This is akin to someone intercepting the key to your padlocked box before it reaches its intended recipient.

To mitigate this risk, symmetric encryption is often used in conjunction with asymmetric encryption, which involves a pair of keys: one public and one private. The symmetric key is securely exchanged using asymmetric encryption, and once both parties have the symmetric key, they switch to using the more efficient symmetric encryption for the actual data transfer.

### Asymmetric Encryption
Asymmetric Encryption, also known as Public-Key Cryptography, employs two different but mathematically linked keys: a public key and a private key. Unlike symmetric encryption, where one key serves both to encrypt and decrypt, asymmetric encryption uses the public key for encryption and the private key for decryption. This duality solves some of the limitations of symmetric encryption, most notably the problem of secure key distribution.

Picture a mailbox on the street: anyone can place a letter inside it (public key), but only the person with the correct key can open it to retrieve the letters (private key). In the digital realm, the public key is openly shared and used by anyone to encrypt messages or verify digital signatures. However, the private key remains confidential and is used to decrypt messages or create digital signatures.

One of the most common applications of asymmetric encryption is in secure communications over the internet. When you visit a secure website (indicated by HTTPS in the URL), your browser and the server perform a handshake using asymmetric encryption. Initially, the server sends over its public key, which your browser uses to encrypt a symmetric key. This encrypted symmetric key is sent back to the server, which uses its private key to decrypt it. Now both parties have a symmetric key, which they use for the rest of the session to encrypt and decrypt data rapidly.

Another important application is digital signatures, which provide a method for verifying the integrity and origin of a message or document. When you sign a digital document, a hash of the document is created and then encrypted with your private key. The recipient, using your public key, can decrypt the hash and compare it with the hash of the received document. If they match, the document is both authentic and unchanged.

Asymmetric encryption also enables secure key exchange, often in tandem with symmetric encryption. In this hybrid approach, asymmetric encryption safely delivers a symmetric key between two parties. Once received, the more computationally efficient symmetric encryption takes over for the actual data transmission. This is exemplified in protocols like SSL/TLS, which secure web traffic.

However, it's worth noting that asymmetric encryption is computationally more intensive than symmetric encryption. Encrypting large volumes of data solely with asymmetric encryption would be impractical due to the time and computational resources required.


## Hashing
Closely related to encryption, **Hashing** is a process that converts an input, often a string of text, into a fixed-length string of characters. It serves as a **one-way function**, meaning you can easily produce a hash from a given input, but reversing the process to recover the original input is computationally difficult. The beauty of hashing lies in its sensitivity: even a minor alteration in the input generates a dramatically different hash.

In cybersecurity, hashing plays a pivotal role in ensuring data integrity and confidentiality. One common application is in password storage. Rather than storing the actual passwords, systems keep their hash values. When you attempt to log in, the system hashes the password you enter and compares it with the stored hash. This way, even if an attacker gains access to the database, they only find indecipherable hashes instead of actual passwords. For example, your password might be "BlueSky123," but the database stores something like "a8d9bh28z6x8." Even if the database is compromised, the password remains secure.
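Password storage as described above, as an added example that is not part of the original notebook. It goes one step beyond the text by adding a random per-user salt and a deliberately slow hash (PBKDF2), because a plain fast hash gives every user with the same password the same stored value; the function names and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2 (example value; tune it to your hardware).
ITERATIONS = 600_000

def fast_hash(text):
    """Plain SHA-256 hex digest: fine for integrity checks, too fast for passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def differing_bits(a, b):
    """Count how many of the 256 SHA-256 output bits differ for two inputs."""
    da = hashlib.sha256(a.encode("utf-8")).digest()
    db = hashlib.sha256(b.encode("utf-8")).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest

def verify_password(password, salt, stored_digest):
    """Re-hash the login attempt with the stored salt, compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

if __name__ == "__main__":
    # One changed character flips roughly half of the output bits.
    print("bits changed:", differing_bits("BlueSky123", "BlueSky124"))

    # What the database stores for one user: the salt and the digest.
    salt, stored = hash_password("BlueSky123")
    print("stored:", salt.hex(), stored.hex())
    print("correct password:", verify_password("BlueSky123", salt, stored))
    print("wrong password:  ", verify_password("BlueSky124", salt, stored))

    # Same password, second user: a different salt gives a different digest.
    _, other = hash_password("BlueSky123")
    print("digests equal across users:", other == stored)
```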

Hashing is also integral to data verification. Consider file transfers or software downloads; how do you ensure that the file hasn't been tampered with during transit? The sender can produce a hash of the original file and send it along with the file itself. The recipient then hashes the received file and compares it to the received hash. If the hashes match, the file is intact. A practical example is downloading a software update; the hash confirms you're installing the genuine software, not a malicious version.

Another application is in **digital signatures**, which validate the authenticity of a message or document. When you digitally sign a document, a hash of the document is created and encrypted using your private key. The recipient can then decrypt it using your public key, recreate the hash of the document they received, and compare the two. If they match, not only is the document verified as coming from you, but it also confirms that it has not been altered in transit.

In blockchain technology, hashing secures the chain of transactions. Each block contains a hash of the previous block, creating an immutable chain. Any attempt to alter a transaction would change its hash, and subsequently, every hash of each block that follows. This makes tampering evident and maintains the integrity of the entire transaction history.

In essence, hashing is a cornerstone of cybersecurity. It provides a robust method for protecting data, verifying integrity, and ensuring authenticity. It's a silent guardian, one that offers us a higher degree of trust in the digital landscape.

## The Caesar Cipher: A Case Study
One of the earliest and simplest methods of encryption is the Caesar Cipher, named after Julius Caesar, who reportedly used it for his private correspondence. It's a type of substitution cipher where each letter in the plaintext (the original message) is shifted a certain number of places down or up the alphabet.

For example, with a shift of 1, A would be replaced by B, B would become C, and so on. The key in a Caesar cipher is the number of positions each letter has been shifted. In our example, the key is 1.

Here's a simple Python function that implements a Caesar cipher:

```python
def caesar_encrypt(text, shift):
    # Begin with an empty string
    encrypted = ""
    # Loop through each character in the text
    for char in text:
        # Check if the character is a letter
        if char.isalpha():
            # Shift the character by the shift amount, ord() returns the unicode code point for the character
            shifted = ord(char) + shift
            # Check if the character is lowercase
            if char.islower():
                # Lowercase 'a' is 97, 'z' is 122, so we need to wrap around if the shifted character is outside of that range
                encrypted += chr((shifted - ord('a')) % 26 + ord('a'))
            else:
                # Uppercase 'A' is 65, 'Z' is 90, so we need to wrap around if the shifted character is outside of that range
                encrypted += chr((shifted - ord('A')) % 26 + ord('A'))
        else:
            # If the character is not a letter, just add it to the encrypted string
            encrypted += char
    return encrypted

def caesar_decrypt(text, shift):
    return caesar_encrypt(text, -shift)


# Example
plaintext = input("Enter plaintext: ")
shift = 3
encrypted = caesar_encrypt(plaintext, shift)
decrypted = caesar_decrypt(encrypted, shift)

print(f"Encrypted message: {encrypted}")
print(f"Decrypted message: {decrypted}")
```

```
Enter plaintext: Encryption is excellent. Everyone needs privacy!
Encrypted message: Hqfubswlrq lv hafhoohqw. Hyhubrqh qhhgv sulydfb!
Decrypted message: Encryption is excellent. Everyone needs privacy!
```


### Breaking the Caesar Cipher

Despite its historical significance, the Caesar cipher is extremely easy to break, even without knowing the key. One common method is frequency analysis.

**Frequency analysis** is based on the fact that in any given language, certain letters and combinations of letters occur with predictable frequency. For example, in English, 'E' is the most common letter, followed by 'T' and 'A'. By analyzing the frequencies of letters in the encrypted message, we can make educated guesses about what each letter represents.

Here's a simple Python program that uses frequency analysis to decrypt a message encrypted with a Caesar cipher. In this example, we use only the letter 'e', but this is often enough to break this cipher.

```python
from collections import Counter

# Uses caesar_decrypt from the previous cell

def frequency_analysis(text):
    # Count the frequency of each letter in the text
    freq = Counter(char.lower() for char in text if char.isalpha())
    # the dictionary contains the frequency of each letter in the text
    return dict(freq)

def find_most_common(text):
    # Find the most common letter in the text
    freq = frequency_analysis(text)
    # Return the letter with the highest frequency
    return max(freq, key=freq.get)

def break_caesar_cipher(text):
    # Find the most common letter in the text
    most_common = find_most_common(text)
    # Find the shift needed to decrypt the text
    shift = ord(most_common) - ord('e')  # Assuming 'e' is the most common letter in English
    # Decrypt the text
    return caesar_decrypt(text, shift)

# Example
encrypted = input("What message would you like me to crack? ")
decrypted = break_caesar_cipher(encrypted)
print(f"Decrypted message: {decrypted}")
```

```
What message would you like me to crack? Hqfubswlrq lv hafhoohqw. Hyhubrqh qhhgv sulydfb!
Decrypted message: Encryption is excellent. Everyone needs privacy!
```
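The single-letter guess above fails whenever 'e' is not the most frequent letter of the message, which is common in short texts. As an added example (not part of the original notebook), this version goes beyond it by trying all 26 shifts and scoring each candidate against approximate English letter frequencies with a chi-squared statistic; `ENGLISH_FREQ`, `shift_text`, `chi_squared` and `crack_caesar` are names chosen here.

```python
from collections import Counter
import string

# Approximate relative frequency (percent) of each letter in English text.
ENGLISH_FREQ = {
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702,
    'f': 2.228, 'g': 2.015, 'h': 6.094, 'i': 6.966, 'j': 0.153,
    'k': 0.772, 'l': 4.025, 'm': 2.406, 'n': 6.749, 'o': 7.507,
    'p': 1.929, 'q': 0.095, 'r': 5.987, 's': 6.327, 't': 9.056,
    'u': 2.758, 'v': 0.978, 'w': 2.360, 'x': 0.150, 'y': 1.974,
    'z': 0.074,
}

def shift_text(text, shift):
    """Caesar-shift ASCII letters by `shift`, leaving everything else as is."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord('a') + shift) % 26 + ord('a')))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord('A') + shift) % 26 + ord('A')))
        else:
            out.append(ch)
    return "".join(out)

def chi_squared(text):
    """Distance between the text's letter counts and English; lower is closer."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for letter, percent in ENGLISH_FREQ.items():
        expected = total * percent / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score

def crack_caesar(ciphertext):
    """Return (shift, plaintext) for the candidate that looks most like English."""
    best = min(range(26),
               key=lambda k: chi_squared(shift_text(ciphertext, -k)))
    return best, shift_text(ciphertext, -best)

if __name__ == "__main__":
    # The ciphertext from the cell above (shift 3).
    print(crack_caesar("Hqfubswlrq lv hafhoohqw. Hyhubrqh qhhgv sulydfb!"))
    # Constructed sample: here 'a' is the most common plaintext letter,
    # so guessing from 'e' alone would pick the wrong shift.
    print(crack_caesar("Fyyfhp fy ifbs"))
```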


### Conquering Caesar: Modern Encryption Methods
Modern encryption methods are much stronger than the Caesar cipher. However, the technology to "crack" such methods is also continually improving, which means we must continually update encryption. Some of the most important encryption standards/methods include the following.


| Standard | Description | Logic Behind It | Use Cases |
| --- | --- | --- | --- |
| RSA (Rivest-Shamir-Adleman) | An asymmetric cryptographic algorithm that uses two keys: a public key for encryption, and a private key for decryption. | RSA's security comes from the computational difficulty of factoring the product of two large prime numbers. A message encrypted with the public key can only be decrypted with the private key. | Secure emails, SSL/TLS for web traffic, VPNs, digital signatures. |
| AES (Advanced Encryption Standard) | A symmetric encryption algorithm that uses the same key for both encryption and decryption. | AES operates on blocks of data and performs multiple rounds of transformation for encryption. It's considered secure due to its large key sizes (128, 192, and 256 bits) and the computational impracticality of trying all possible keys (brute force attack). | Encrypting data at rest (e.g., files, databases), secure file transfer, wireless security (WPA2). |
| SHA (Secure Hash Algorithm) | A family of cryptographic hash functions. It takes an input and produces a fixed-size string of bytes, typically a message digest. | The logic is to ensure data integrity. The same input will always produce the same hash output. Any small change in input produces a drastic change in output (avalanche effect). It is computationally infeasible to generate the original input value from its hash, or to find two different inputs that produce the same hash (collision resistance). | Confirming data integrity, storing passwords securely, digital signatures. |
| HTTPS (Hyper Text Transfer Protocol Secure) | The secure version of HTTP. Data transferred is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). | HTTPS uses SSL/TLS protocols to provide secure communication over a network. The SSL/TLS handshake process securely exchanges encryption keys between the client and server, allowing for encrypted communication. | Secure web browsing, e-commerce transactions, internet banking. |
| SSL/TLS (Secure Sockets Layer / Transport Layer Security) | Protocols for establishing secure communication between a client and server. | The logic is to provide secure communication over a network. It involves a handshake process where the client and server agree on various parameters to establish a secure connection, and then symmetric encryption is used to secure the communication. | Secure web browsing (HTTPS), email (SMTPS, IMAPS), VPNs. |

### Table: Code to Remember (Caesar)

| Description | Python Code |
| --- | --- |
| Declare a `caesar_encrypt` function with parameters `text` and `shift` | `def caesar_encrypt(text, shift):` |
| Initialize an empty string `encrypted`, loop through each character in `text` | `encrypted = ""; for char in text:` |
| If the character is a letter, compute its unicode code point shifted by `shift` | `if char.isalpha():; shifted = ord(char) + shift` |
| If the character is lowercase, shift within lowercase ASCII range ('a' to 'z') and add to `encrypted` | `if char.islower():; encrypted += chr((shifted - ord('a')) % 26 + ord('a'))` |
| If the character is uppercase, shift within uppercase ASCII range ('A' to 'Z') and add to `encrypted` | `if char.isupper():; encrypted += chr((shifted - ord('A')) % 26 + ord('A'))` |
| Declare `frequency_analysis` function with parameter `text`, return a dictionary of frequency counts of each letter in `text` | `def frequency_analysis(text):; freq = Counter(char.lower() for char in text if char.isalpha()); return dict(freq)` |
| Declare `break_caesar_cipher` function with parameter `text`, find most common letter in `text`, determine shift, and decrypt `text` | `def break_caesar_cipher(text):; most_common = find_most_common(text); shift = ord(most_common) - ord('e'); return caesar_decrypt(text, shift)` |

### Discussion Questions: Caesar Cipher
1. Role of Encryption: Discuss why Julius Caesar might have chosen to use a cipher for his personal correspondence. In what situations today might you want to use encryption?

2. Understanding the Code: Walk through the provided Python functions caesar_encrypt and caesar_decrypt. How do they implement the Caesar cipher, and how do they handle different cases such as uppercase and lowercase letters and non-letter characters?

3. Weaknesses of the Caesar Cipher: Why is the Caesar cipher considered a weak form of encryption by today's standards? Can you think of any ways to make it more secure?

4. Frequency Analysis: The case study shows how to use frequency analysis to crack a Caesar cipher. Why does this method work? What characteristics of the English language does it take advantage of? Could this method work for other languages or ciphers?

5. Ethical Considerations: The Caesar cipher can be broken with frequency analysis. What are the ethical considerations when it comes to breaking ciphers or cracking codes? When, if ever, might it be justified?

## Answers: Caesar Cipher
1.

2.

3.

4.

5.

## Securing Networks
To understand how to protect a network, we first need to revisit the structure of a network itself, often conceptualized as the four-layer TCP/IP network model:

1.  Network Interface Layer: This is the lowest layer, and it's responsible for transferring data between a device and the network. It includes protocols for interacting with the physical network, such as Ethernet for wired connections or Wi-Fi for wireless ones.

2.  Internet Layer: This layer handles routing data across networks using the Internet Protocol (IP). Each device on a network has an IP address, and this layer helps get data from the source IP address to the destination IP address.

3.  Transport Layer: This layer provides reliable data transfer between devices. It uses protocols like TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), each with different trade-offs between reliability and efficiency.

4.  Application Layer: The highest layer is where actual user applications (like your web browser or email client) operate. Protocols at this layer include HTTP for web browsing and SMTP for email.

Data is sent across the network in units called packets, which include both the data being sent and information about where it's going and how it should get there.



### A Few Things About Firewalls
Perhaps the most central technology in network security is the **firewall**. In essence, a firewall is to a computer network what a security checkpoint is to a government building. It checks credentials, inspects content, and decides who gets in and who stays out based on a pre-configured set of rules. More formally, a firewall decides which data transfers are "allowed" and which are not.

Firewalls manifest primarily in two forms: hardware firewalls and software firewalls. A **hardware firewall** is a standalone device that acts as a gatekeeper between your network and the Internet at large. It's akin to a fortress wall: the first line of defense that an intruder encounters. A **software firewall**, conversely, is installed on individual computers within a network. This is comparable to security personnel stationed at various points inside a building, each responsible for a specific area. Some networks employ both types, creating a layered defense strategy known as **defense in depth**.

At the Network Interface Layer, the most foundational layer, basic firewalls can engage in **MAC filtering**. This is akin to a bouncer at a club checking IDs at the door. Each network card has a unique Media Access Control (MAC) address, and the firewall can either allow or disallow these addresses, thus permitting or restricting devices from even connecting to the network.

Moving up, we reach the Internet Layer, where the primary concern is routing packets of data to their correct destinations. Here, basic firewalls commonly employ **IP filtering**. This technique evaluates the source and destination IP addresses contained in each packet's header. Think of this as an advanced postal sorting system that scans the return address and destination of each parcel to decide if it should be forwarded, returned, or discarded.

The Transport Layer is concerned with end-to-end communication and data integrity. More technologically advanced firewalls operating at this level often utilize **port filtering** and **stateful inspection**. Port filtering is like checking the label on a package to see which department it's intended for; certain departments may only accept packages at particular times or from certain senders. Stateful inspection is more dynamic; it monitors the state of active connections and makes real-time decisions. This is analogous to a security system that not only checks credentials but also monitors behavior within the premises to detect any suspicious activity.

Finally, at the Application Layer, some firewalls can inspect the actual content of the data packets. This is where **Deep Packet Inspection (DPI)** or application-level gateways come into play. In our post office analogy, this would be equivalent to actually opening and inspecting the content of parcels and letters to ensure they meet all regulations.
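The layer-by-layer checks described above can be sketched as a toy packet filter. This is an added example, not code from the original notebook: the `Packet` and `LayeredFirewall` names, the rule set, and every address, port and payload are constructed for illustration, and real firewalls track far more connection state than this.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = "SYN"      # simplified TCP flags: "SYN", "SYN-ACK", "ACK"
    payload: bytes = b""


class LayeredFirewall:
    """Checks each packet layer by layer, lowest layer first."""

    def __init__(self, internal_net, blocked_macs, blocked_nets, open_ports, signatures):
        self.internal_net = ip_network(internal_net)
        self.blocked_macs = {mac.lower() for mac in blocked_macs}
        self.blocked_nets = [ip_network(net) for net in blocked_nets]
        self.open_ports = set(open_ports)
        self.signatures = list(signatures)
        self.connections = set()    # state table of accepted flows

    def check(self, pkt):
        """Return (verdict, reason) for one packet."""
        # Network Interface Layer: MAC filtering.
        if pkt.src_mac.lower() in self.blocked_macs:
            return "DROP", "mac-filter"
        # Internet Layer: IP filtering on the source address.
        src = ip_address(pkt.src_ip)
        if any(src in net for net in self.blocked_nets):
            return "DROP", "ip-filter"
        # Transport Layer: port filtering and stateful inspection.
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reply_to = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        known = flow in self.connections or reply_to in self.connections
        if not known and src not in self.internal_net:
            if pkt.dst_port not in self.open_ports:
                return "DROP", "port-filter"
            if pkt.flags != "SYN":
                # A mid-connection packet with no connection on record.
                return "DROP", "stateful-inspection"
        # Application Layer: deep packet inspection of the payload.
        if any(sig in pkt.payload for sig in self.signatures):
            return "DROP", "deep-packet-inspection"
        if not known:
            self.connections.add(flow)   # remember the flow only once it is accepted
        return "ALLOW", "ok"


def run_demo():
    """Run eight constructed packets through a constructed rule set."""
    fw = LayeredFirewall(
        internal_net="10.0.0.0/24",
        blocked_macs=["02:00:00:00:00:99"],
        blocked_nets=["203.0.113.0/24"],
        open_ports=[80],
        signatures=[b"BLOCKED-TEST-PATTERN"],
    )
    mac = "02:00:00:00:00:01"
    packets = [
        Packet("02:00:00:00:00:99", "10.0.0.50", 50000, "192.0.2.80", 443),  # denied MAC
        Packet(mac, "203.0.113.7", 40000, "10.0.0.10", 80),                  # denied network
        Packet(mac, "198.51.100.5", 40000, "10.0.0.10", 23),                 # closed port
        Packet(mac, "198.51.100.5", 40001, "10.0.0.10", 80, "ACK"),          # no such connection
        Packet(mac, "198.51.100.5", 40002, "10.0.0.10", 80),                 # new inbound connection
        Packet(mac, "198.51.100.5", 40002, "10.0.0.10", 80, "ACK",
               b"GET /?q=BLOCKED-TEST-PATTERN"),                             # bad content
        Packet(mac, "10.0.0.20", 51000, "192.0.2.80", 443),                  # outbound request
        Packet(mac, "192.0.2.80", 443, "10.0.0.20", 51000, "SYN-ACK"),       # its reply
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:5s} {reason}")
```

The last packet is the reason stateful inspection matters: port 51000 is not in the open-port list, yet the reply is allowed because it matches a connection that an internal host started.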

### Other Network Security Technologies
In the quest for robust network security, firewalls are but one component in a complex architecture of defense mechanisms. Several other technologies and concepts play critical roles in safeguarding a network, and their functionalities often map to specific layers of the four-layer network model.

**Virtual Private Networks (VPNs)** operate predominantly at the Transport and Application Layers. A VPN encrypts data traffic, effectively creating a secure tunnel through which information can pass. Imagine a diplomatic pouch in international law: its contents are inviolable, and it moves securely between locations. VPNs ensure that even if data packets are intercepted, deciphering their contents becomes a formidable challenge.

**Intrusion Detection Systems (IDS)** and **Intrusion Prevention Systems (IPS)** primarily work at the Internet and Transport Layers. These systems act like vigilant security cameras combined with alarm systems. They continuously monitor network traffic for suspicious patterns or anomalies. An IDS alerts administrators about a possible intrusion, while an IPS takes immediate action to block or redirect the malicious traffic. They are often incorporated into more advanced "firewalls."

**Antivirus Software** chiefly functions at the Application Layer. It scans files and programs to detect malicious code or unauthorized activities. This is akin to a specialized biosecurity scanner that detects hazardous substances on items entering a controlled environment. Antivirus software ensures that the data circulating within the network is clean and trustworthy.

**Secure Sockets Layer (SSL)** and its successor, **Transport Layer Security (TLS)**, operate at the Transport Layer. These protocols encrypt the data packets during transmission, guaranteeing the confidentiality and integrity of the information. Think of this as sending a letter in a sealed envelope with a wax seal; the recipient can be confident that the message has not been tampered with during its journey.

**Multi-Factor Authentication (MFA)** is a security measure that usually interacts with the Application Layer. MFA requires users to provide multiple forms of identification before gaining access to the network. It's similar to a high-security facility that requires an ID card, a fingerprint, and a passcode for entry. This multi-tiered approach significantly reduces the risk of unauthorized access.

**Data Loss Prevention (DLP)** software operates mainly at the Application and Transport Layers. DLP monitors and controls the transfer of sensitive data, preventing unauthorized leakage. Imagine a customs officer inspecting exports to ensure no contraband leaves the country; DLP serves a similar purpose for data exiting the network.

In summary, network security is not a solitary endeavor but a collaborative effort involving various technologies, each with specific roles across the four-layer network model. Like the multiple rings of a fortified citadel, these technologies work in concert to provide a comprehensive shield against a wide range of cyber threats.

## What Makes a Good Password?
In the digital age, a password acts as the first line of defense in protecting your personal information. Think of it as the key to your home; if it's too simple, you're practically inviting burglars in. The problem with simple passwords, like "password123" or your birthdate, is that they are shockingly easy for a computer to guess. A skilled hacker can use a technique called **brute-force attack** to try out every possible combination of characters. For simple passwords, this process can take mere seconds.

In the language of computer science, simple passwords have low **entropy**, which is a measure of unpredictability (or "degree of chaos"). The higher the entropy, the harder the password is to crack. This is why you often see password policies demanding a certain length and a mix of characters, numbers, and symbols. These requirements aim to increase the entropy, making the password more resistant to attacks. Think of it like a game of dice. If you're rolling a single six-sided die, there are only six possible outcomes. But if you're rolling four dice of different types---one four-sided, one eight-sided, one twelve-sided, and one twenty-sided---the number of possible outcomes skyrockets. More outcomes mean more entropy, and thus, a more secure "game."

One powerful strategy for creating a strong password is to use **Four Random Words**. This might sound counterintuitive---how can random words be safer than a jumble of numbers, letters, and symbols? The magic lies in the length and randomness. Four unrelated words, like "CupcakeGiraffeLaptopSky," create a long password that's also easy to remember. When you pick four random words, you're essentially increasing the pool of possible outcomes (and thus, increasing entropy). English has about 170,000 words in current use. So, picking one word at random is like rolling a 170,000-sided die. Now imagine rolling that die four times. The level of unpredictability, or entropy, in this password is substantial. Yet, it's a kind of chaos that's easy for you to make sense of, making the password both secure and memorable.

Another idea to fortify your password is to employ a **passphrase**. This is a longer version of a password, usually a sentence or a line from a book. The idea is to create something that has personal meaning to you but would appear random to anyone else. "TheQuickBrownFoxJumpsOverTheLazyDog" is an example. Passphrases combine length with complexity, making them doubly hard to crack. Imagine trying to pick a lock that not only has more pins but each pin has to be turned to an exact, seemingly random angle. That's the essence of a passphrase.

In both methods, the key to security is a blend of length and unpredictability. While Four Random Words offers the benefit of ease of recall, a passphrase may be even more secure, albeit at the cost of being slightly more difficult to remember. Whichever method you choose, you're making a significant stride in keeping your digital home safe and sound.
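The dice and Four Random Words arguments above can be put into numbers. The following is an added example, not code from the original notebook: the function names, the guess rate of ten billion guesses per second, the 7,776-word comparison row and the sample word list are all assumptions made for illustration. The entropy formula only holds when every element is chosen uniformly at random, which is why the generator uses Python's `secrets` module rather than human choice.

```python
import math
import secrets


def entropy_bits(pool_size, picks=1):
    """Bits of entropy for `picks` independent, uniformly random choices."""
    return picks * math.log2(pool_size)


def dice_entropy_bits(sides):
    """Bits of entropy for rolling one die of each size listed in `sides`."""
    return sum(math.log2(s) for s in sides)


def average_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half the search space is tried."""
    return 2 ** (bits - 1) / guesses_per_second


def random_words(wordlist, count=4):
    """Pick `count` words using a cryptographically secure random source."""
    unique = sorted(set(wordlist))
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    return [secrets.choice(unique) for _ in range(count)]


def compare_schemes(guesses_per_second=1e10):
    """Return {scheme: (entropy in bits, average seconds to brute-force)}.

    The guess rate is an assumed figure for illustration only.
    """
    schemes = {
        "one six-sided die": dice_entropy_bits([6]),
        "d4 + d8 + d12 + d20": dice_entropy_bits([4, 8, 12, 20]),
        "8 random lowercase letters": entropy_bits(26, 8),
        "8 random printable ASCII characters": entropy_bits(94, 8),
        # Comparison row added here: a smaller, diceware-sized word list.
        "4 random words from a 7,776-word list": entropy_bits(7_776, 4),
        "4 random words from 170,000 words": entropy_bits(170_000, 4),
    }
    return {
        name: (bits, average_crack_seconds(bits, guesses_per_second))
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    seconds_per_year = 31_557_600
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:40s} {bits:5.1f} bits  ~{secs / seconds_per_year:.3g} years")

    # Constructed sample list; a real generator needs thousands of words.
    sample_words = ["cupcake", "giraffe", "laptop", "sky", "river", "anchor",
                    "violet", "thunder", "pencil", "harbor", "maple", "comet"]
    print("".join(word.capitalize() for word in random_words(sample_words)))
```

The numbers apply to randomly generated passwords only; a password chosen by a person, such as "password123", sits in a far smaller pool of likely guesses than its length suggests.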



## Cybersecurity Frameworks

A cybersecurity **framework** is a series of guidelines for how an organization should manage and mitigate its cybersecurity risk. It provides a structured process for identifying potential threats, protecting against them, detecting when an incident occurs, responding effectively, and recovering afterward. A well-implemented cybersecurity framework can help an organization protect its sensitive data, maintain customer trust, comply with legal and regulatory requirements, and continue operations even under adverse conditions.

One important framework is the **NIST Cybersecurity Framework**. This set of guidelines is maintained by the National Institute of Standards and Technology, a US government agency. The framework was created to help organizations manage their cybersecurity risks. You can think of it like a roadmap that leads an organization from a state of being vulnerable to cyber threats to a place of resilience and readiness.

The NIST Framework has five core functions: Identify, Protect, Detect, Respond, and Recover. Let's take a closer look at each function with some real-world examples:

1. **Identify:** This is the starting point. The goal here is to understand what an organization needs to protect. For instance, imagine a company that develops video games. They might identify their game source code, player data, and internal communication systems as assets that need protection. They'll also look at potential risks, like hackers trying to steal their code or disrupt their games.

2. **Protect:** Once the organization knows what it needs to protect, the next step is to put safeguards in place. Going back to our game company, they might protect their source code by storing it on secure servers, limiting who has access to it, and using encryption to keep it safe. They could protect player data by implementing strong authentication measures and encrypting sensitive information like passwords.

3. **Detect:** Even with the best protections in place, there's always a chance that a cyber attack could happen. That's why the organization needs ways to detect potential threats. Our game company might use systems that monitor network traffic for signs of suspicious activity, like a sudden surge in traffic (which could indicate a denial-of-service attack) or repeated failed login attempts (which could suggest someone is trying to guess a password).

4. **Respond:** If a cyber attack does happen, the organization needs to be ready to respond effectively. The response will depend on the nature of the attack. If the game company detects that someone is trying to break into a server, they might respond by blocking the IP address that the attempts are coming from. If they find out that some player data has been leaked, they might respond by notifying the affected players, resetting passwords, and investigating how the leak happened.

5. **Recover:** After a cyber attack, the final step is recovery. The organization needs to restore any services that were disrupted, fix any vulnerabilities that were exploited, and take steps to prevent similar attacks in the future. For our game company, recovery might involve repairing and strengthening their server defenses, assessing any damage to their game code or player trust, and learning from the experience to improve their future cybersecurity practices.

By following the NIST Cybersecurity Framework, organizations have a comprehensive strategy to manage their cybersecurity risk. It provides a structured, systematic approach that helps them anticipate, prevent, and respond to cyber threats.
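To make the Detect and Respond functions concrete, here is a sketch of the "repeated failed login attempts" check from the game company example. It is an added example, not code from the original notebook: the log format, the threshold of five failures in 60 seconds, the function name and all log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <event> user=<name> ip=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
2024-03-01T10:00:00 LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-01T10:00:05 LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-01T10:00:09 LOGIN_FAIL user=bob ip=192.0.2.15
2024-03-01T10:00:12 LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-01T10:00:20 LOGIN_OK user=bob ip=192.0.2.15
2024-03-01T10:00:21 LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-01T10:00:30 LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-01T10:00:41 LOGIN_OK user=alice ip=203.0.113.9
corrupted line without fields
2024-03-01T10:05:00 LOGIN_FAIL user=carol ip=198.51.100.20
2024-03-01T10:10:00 LOGIN_FAIL user=carol ip=198.51.100.20
2024-03-01T10:15:00 LOGIN_FAIL user=carol ip=198.51.100.20
2024-03-01T10:20:00 LOGIN_FAIL user=carol ip=198.51.100.20
2024-03-01T10:25:00 LOGIN_FAIL user=carol ip=198.51.100.20
"""


def analyse_logins(lines, threshold=5, window=timedelta(seconds=60)):
    """Detect: flag an IP with `threshold` failed logins inside `window`.

    Respond: return the IPs to block and the accounts whose passwords should
    be reset because a login succeeded from an already-flagged IP.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}                           # ip -> time the threshold was crossed
    reset_users = set()
    skipped = 0
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if match is None:
            skipped += 1                   # unparseable lines are counted, not trusted
            continue
        when = datetime.fromisoformat(match["ts"])
        ip = match["ip"]
        if match["event"] == "LOGIN_OK":
            if ip in flagged:
                reset_users.add(match["user"])
            continue
        failures = recent_failures[ip]
        failures.append(when)
        while when - failures[0] > window:  # slide the window forward
            failures.popleft()
        if len(failures) >= threshold:
            flagged.setdefault(ip, when)
    return {"block": sorted(flagged), "reset": sorted(reset_users), "skipped": skipped}


if __name__ == "__main__":
    print(analyse_logins(SAMPLE_LOG.splitlines()))
```

In the sample, the address that fails five times in 30 seconds is flagged, while the one that fails five times over 20 minutes is not, which shows that the threshold and window are tuning decisions rather than fixed values.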

## Case Study: 10 Events that Made Cybersecurity
Cybersecurity is a rapidly evolving field, with its progression largely shaped by landmark events that punctuated the timeline of computer and internet technology. To truly understand the development and modern landscape of cybersecurity, one must revisit some of the most significant incidents that have occurred in recent history. Each event, like a flare in the dark, illuminating a new facet of the field, challenged established security practices and spurred the development of improved technologies, methodologies, and policies to combat emerging threats.

Let's journey back through time, exploring the events that have indelibly shaped modern cybersecurity, from the emergence of the first computer viruses to the dawn of AI-powered cyber threats.

### Brain (1986)

Our journey begins with the "Brain" boot sector virus, considered the first PC virus in the wild. Created by two Pakistani brothers, Basit and Amjad Farooq Alvi, Brain was not intended to be malicious. Rather, it was designed as a copyright enforcement mechanism for their medical software. The virus, which spread through floppy disks, replaced the boot sector of the disk with a copy of the virus and flagged the actual boot sector as bad.

While Brain was relatively benign, it opened the Pandora's box of what was possible with self-replicating code. This necessitated the development of the first antivirus software, and security experts began to consider the potential ramifications of malicious self-replicating software.

### Morris Worm (1988)

Our next stop is the infamous Morris Worm, widely regarded as the first worm to spread across the internet. Created by Robert Tappan Morris, a graduate student at Cornell University, the worm was intended to measure the size of the internet. However, due to a coding error, it replicated excessively, causing significant slowdowns and crashes, thereby affecting approximately 6,000 computers, which was a substantial portion of the internet at the time.

The Morris Worm was a wakeup call for the cybersecurity world. It demonstrated the devastating potential of network-based attacks and the vulnerability of the internet. This event led to the formation of the Computer Emergency Response Team (CERT) by DARPA, marking the birth of organized, coordinated responses to cybersecurity incidents.

### ILOVEYOU (2000)

At the turn of the millennium, a destructive worm disguised as a love confession wreaked havoc on computers worldwide. The ILOVEYOU worm, created by two Filipino programmers, spread via email with the subject line "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.txt.vbs". The worm overwrote image files and sent copies of itself to all of the infected user's email contacts.

This attack exploited both technological and human vulnerabilities, demonstrating the effectiveness of social engineering. It exposed weaknesses in email systems and the susceptibility of users to phishing attacks. The ILOVEYOU worm led to a heightened awareness of email security, inspiring improvements in email clients and servers to prevent such large-scale infections in the future, and a greater emphasis on user education to recognize and avoid such threats.

### MyDoom (2004)

As we journey deeper into the 2000s, we encounter MyDoom. This infamous worm still holds the dubious honor of being one of the fastest-spreading email-based worms in history. MyDoom spread via email, using an infected user's contact list to propagate itself. But unlike previous worms, it also had a secondary payload: it installed a backdoor into the victim's system, which could be exploited later for remote control of the machine.

MyDoom demonstrated the concept of multi-staged attacks: an initial breach, followed by the installation of a secondary payload that could be exploited at will. This marked a significant shift in the sophistication and potential harm of malware, prompting the cybersecurity industry to develop more advanced detection and remediation strategies, and pay greater attention to the removal of threats, not just their detection.

### Stuxnet (2010)

Stuxnet, a malicious computer worm discovered in 2010, marked a new era in cyber warfare. Unlike previous malware that primarily targeted consumer systems for monetary gain, Stuxnet was a state-sponsored weapon specifically designed to sabotage Iran's nuclear program. It achieved this by targeting programmable logic controllers (PLCs) used in industrial control systems. Stuxnet wasn't merely an infection; it was a precision-guided cyber-missile.

The implications of Stuxnet were far-reaching. It revealed the vulnerability of critical infrastructure to cyberattacks and highlighted the potential for cyber warfare between nations. This led to a shift in global cybersecurity strategies, with increased focus on securing critical infrastructure and a realization of the necessity for international cooperation in cybersecurity.

### Ukraine Power Grid Attack (2015)

The 2015 Ukraine power grid attack represents one of the first confirmed cases of a cyber attack leading to a significant disruption of critical infrastructure. On December 23, 2015, parts of Ukraine experienced a power outage after a cyber attack successfully compromised information systems of three energy distribution companies. Approximately 230,000 people were left without electricity for several hours.

The attackers used a spear-phishing email to gain access to the power companies' networks. After exploring the networks and learning how to manually control the breakers, they then launched a synchronized attack, opening circuit breakers at 30 substations and causing a widespread power outage.

Simultaneously, the attackers also conducted a telephone denial-of-service attack against the power companies' call centers, flooding them with fake calls to prevent customers from reporting the outage. The attackers had also made use of the KillDisk malware to wipe critical systems and delay the recovery process.

The Ukraine power grid attack was a wakeup call to the world on the vulnerability of critical infrastructure to cyber attacks. It showed how a well-coordinated cyber attack could lead to physical consequences, disrupting essential services and causing significant economic and social impact. The event led to an increased focus on securing industrial control systems and critical infrastructure against cyber threats, which is still a significant concern today.

### WannaCry (2017)

Our next stop, the WannaCry ransomware attack of 2017, stands as one of the most widespread and damaging cyberattacks in history. WannaCry utilized a vulnerability in Microsoft's Server Message Block (SMB) protocol, which was first exposed by the leaked EternalBlue exploit allegedly developed by the U.S. National Security Agency (NSA).

The WannaCry attack caused chaos globally, affecting hundreds of thousands of computers across various sectors, including healthcare, where the UK’s National Health Service was severely impacted. This ransomware attack underscored the global interconnectivity of cybersecurity, the risk of stockpiling cyber weapons, and the importance of regular system updates. It led to an increased emphasis on patch management within IT security practices and sparked ongoing discussions about the role of government agencies in cybersecurity.

### Equifax Breach (2017)

The Equifax breach is a seminal moment in the history of cybersecurity, highlighting the severe consequences of inadequate security measures in an era of big data. Equifax, one of the three largest consumer credit reporting agencies in the United States, announced in 2017 that a massive breach had exposed the personal data, including Social Security numbers and driver's license numbers, of nearly 147 million people.

The breach was the result of the company's failure to patch a known vulnerability in the Apache Struts web-application software, a popular framework for creating Java-based web applications. Attackers exploited the vulnerability to gain access to Equifax's network, where they roamed undetected for a staggering 76 days.

The consequences of the Equifax breach were vast and far-reaching. Besides the immediate impact on the individuals whose data was exposed, the breach led to regulatory fines, lawsuits, a Congressional investigation, and the departure of several high-ranking executives within Equifax, including the CEO.

More importantly, the Equifax breach served as a wake-up call to corporations worldwide, emphasizing the need for robust cybersecurity practices, particularly for companies handling sensitive personal data. It underscored the importance of timely patch management, proactive security measures, and the need for greater regulatory oversight in data security and privacy.

In a broader sense, the Equifax breach pushed the discussion of personal data security into the public spotlight. It has led to increased calls for improved data privacy laws and practices, and it has contributed to growing public concern about the security and privacy of personal data in the digital age. The role of corporations in safeguarding this data, especially in sectors such as finance and healthcare where sensitive information is often stored, has been a topic of increasing importance since the breach.

### Pegasus Spyware (2016 - Present)

The Pegasus spyware, developed by the Israeli cybersecurity firm NSO Group, represents a new generation of threats in the cybersecurity landscape. First discovered in 2016, Pegasus is a highly sophisticated piece of spyware that can be covertly installed on a victim's mobile phone, turning it into a surveillance device. The software is capable of remotely activating a phone's camera and microphone, reading emails and text messages, and tracking the user's location.

What sets Pegasus apart is its unprecedented level of sophistication and its intended use. While malware is often associated with cybercriminals seeking financial gain, Pegasus is marketed to governments and law enforcement agencies as a tool for tracking criminals and terrorists. However, investigations have revealed that the spyware has been used to target journalists, human rights activists, and political dissidents.

The emergence of Pegasus highlights the increasing complexity and sophistication of cybersecurity threats, particularly those aimed at individuals. The tools and tactics previously associated with nation-state actors are now being deployed in the private sector, making the lines between cybercrime, cyber warfare, and cyber surveillance increasingly blurry.

### AI-Generated Propaganda (2020 - Present)

As we approach the present, we encounter a new kind of cybersecurity threat: the use of artificial intelligence (AI) in cyberattacks. While AI has a wide array of applications in cybersecurity, largely positive, it has also been harnessed for malicious purposes. One such instance is the creation and dissemination of AI-generated propaganda by nation-states, particularly Russia and China.

These AI systems can generate realistic, persuasive content and disinformation campaigns, leading to widespread social unrest and divisiveness. This marks an evolution of cyber threats from the digital realm into influencing real-world events and people's perceptions. It has led to a renewed focus on the role of technology companies in content moderation, and the development of AI tools and techniques to detect and combat such AI-generated propaganda.

## Discussion Questions
1. What similarities and differences can you observe in the nature of cyber threats from the 1980s to the present?

2. Discuss the evolution of malware from simple computer viruses like Brain to sophisticated spyware like Pegasus. How has their purpose and impact changed over time?

3. In the case of the Stuxnet and Ukraine Power Grid attacks, physical systems were targeted. Discuss the risks that cyber threats pose to critical infrastructure and physical systems.

4. Discuss the role of Artificial Intelligence (AI) in cybersecurity, both as a tool for attackers and for defense. How does the possibility of AI-generated propaganda highlight new challenges in this domain?

5. The Pegasus spyware represents a shift in the targeted use of malware, and has been used to target individual journalists, political dissidents, and others. Discuss the ethical implications of such targeted cyber attacks.

## Glossary

| Term | Definition |
| --- | --- |
| Cybersecurity | The practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from digital attacks, damage, or unauthorized access. |
| CIA Triad | A model designed to guide policies for information security within an organization. Stands for Confidentiality, Integrity, and Availability. |
| Virus | A type of malicious software program ("malware") that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive. |
| Worm | A standalone malware that replicates itself in order to spread to other computers. It usually does not alter files but resides in active memory and duplicates itself. |
| Trojan | Malware that appears to perform a desirable function but in fact enables unauthorized access to the user's computer system. |
| Phishing | The fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication, typically via email scams. |
| Ransomware | A type of malicious software designed to block access to a computer system until a sum of money is paid. |
| DoS | Short for Denial of Service, it refers to a type of cyber attack that aims to make a machine or network resource unavailable by overwhelming it with traffic from multiple sources. |
| Least Privilege | The principle of allowing users or programs the minimal levels of access necessary to complete their functions.  |
| Defense in Depth | A strategy involving multiple layers of defense to resist attacks on the system's security. This can include physical, technical, and administrative controls. |
| Fail Securely | The design principle where, in case of system failure, the system prevents access rather than permitting access.  |
| Security Through Obscurity | A controversial principle that proposes that a system or data can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms.  |
| Symmetric Encryption | A type of encryption where the same key is used for encryption and decryption. |
| Asymmetric Encryption | An encryption system in which two mathematically related, but not identical, keys are used - a public key to encrypt the message and a corresponding private key to decrypt it. |
| Caesar Cipher | A substitution cipher that shifts letters in the plaintext a fixed number of positions down or up the alphabet. Named after Julius Caesar. |
| Frequency Analysis | Cryptanalysis technique studying the frequency of letters in a ciphertext. Often used to break simple substitution ciphers like the Caesar Cipher. |
| Firewall | A network security system controlling incoming and outgoing network traffic based on predetermined security rules, creating a barrier between a trusted internal network and untrusted external network. |
| VPN | Virtual Private Network, extends a private network across a public network, allowing secure data transfer as if the devices were directly connected to the private network. |
| NIST Cybersecurity Framework | A set of standards, guidelines, and best practices for managing cybersecurity risks. (1) Identify, (2) Protect, (3) Detect, (4) Respond, (5) Recover |
| Two-Factor Authentication | An additional layer of security requiring a username, password, and a piece of information unique to the user, providing an extra level of verification. |
| Brain Virus | The first computer virus for MS-DOS, a boot sector virus released in 1986. |
| Morris Worm | One of the first computer worms distributed via the Internet, created by Robert Tappan Morris in 1988, causing significant damage and monetary loss. |
| ILOVEYOU | A computer worm that attacked millions of Windows computers in May 2000 through an email message attachment labeled "ILOVEYOU". |
| MyDoom | A fast-spreading email worm affecting Windows, first sighted in January 2004. |
| Stuxnet | A malicious computer worm uncovered in 2010, targeting SCADA systems, notably causing substantial damage to Iran's nuclear program. |
| WannaCry | A ransomware attack in May 2017 that encrypted data on computers running the Microsoft Windows OS, demanding ransom payments in Bitcoin. It affected over 200,000 computers in 150 countries. |
| Equifax breach | A cyber-security breach at the American credit bureau Equifax in 2017, leading to the theft of personal data for approximately 147 million people. |
| Pegasus | Spyware installable on certain iOS and Android versions, discovered in 2016. Capable of reading text messages, tracking calls, collecting passwords, tracking location, and accessing the target device's microphone and camera. |