Information Technology and Ethics/Types of Security

Introduction

There is an abundance of security types. This chapter briefly covers the following: physical, network, application, embedded, cloud, and database security, and social engineering.

Physical Security

Introduction to physical security

Let's start with physical security. Physical security is an essential line of defense that uses physical, tangible safeguards to protect assets. Specifically, it defends valuable property and possessions against harm and destruction, and it also protects people, knowledge, and data. It is a basic control that is almost always in place, and it is a building block for every other kind of security: controls such as firewalls and encryption mean little if an attacker can simply walk up to the hardware.[1]

How is physical security implemented?

Different organizations require different physical implementations depending on the organization's layout, so the first step is a risk assessment to find out which physical controls are actually necessary. Physical security is then approached in layers: the outer layers protect the outside of the organization (site perimeter and building exterior), and the inner layers protect the interior environments (rooms, cabinets, and equipment).[2]

5 Levels of Physical Security

Physical security seems like a simple concept to most people, but an intelligent and impartial assessment of a security system is hard to come by, because there is no universally accepted standard for security professionals to base an assessment on. The lack of such a standard leaves individuals believing that the protection they currently have is at a higher level than it truly is. To address this confusion, the following five levels have been established.[1]

  • Level 1 Minimum Security
This level is designed to stop unauthorized exterior activity, meaning activity originating outside the protected space, which can range from a simple break-in to an armed attack. It usually consists of simple physical barriers such as doors and windows fitted with ordinary locks. The average American home is the classic example.[1]
  • Level 2 Low-Level Security
This level is designed to stop and also detect unauthorized exterior activity. The simple barriers and locks of Level 1 are strengthened with reinforced doors, window bars, high-security locks, basic lighting over doors and windows, and a basic alarm system: an unmonitored on-site device that detects an intrusion and gives a warning signal, and may also notify local law enforcement.[1]
  • Level 3 Medium Security
This level is designed to stop, detect, and assess most unauthorized exterior activity and some unauthorized interior activity, ranging from simple burglary to sabotage. The measures of the lower levels stay in place but are upgraded so that they can stop, detect, and assess intrusions. Reaching medium security requires an advanced alarm system that reports to a staffed remote location; a perimeter outside the building secured by a high-security physical barrier, such as a fence at least 6-8 ft high topped with barbed wire, possibly supplemented by guard dogs outside the perimeter; and an unarmed security officer on site with basic communications to reach law enforcement. Facilities in this category include bonded warehouses, large industrial plants, large retail outlets, and National Guard armories.[1]
  • Level 4 High-Level Security
This level is designed to stop, detect, and assess most unauthorized exterior and interior activity. Once the measures of the previous levels are in place, high-level security adds: state-of-the-art equipment, including a CCTV surveillance system, a perimeter alarm system with high-security physical barriers, and high-security (LED) lighting providing 0.05 foot-candles of light around the perimeter; armed or unarmed security officers who have been background checked and drug tested and who have proper means of communication (telephones, radio links to police, and duress alarms); access control or biometric controls that restrict entry to the facility to authorized persons; and a formal, pre-arranged plan with local law enforcement for responding to an incident. The system must be checked monthly and assessed and audited annually. Facilities in this category include certain prisons, pharmaceutical companies, electronics manufacturers, and defense contractors.[1]
  • Level 5 Maximum Security
This level is designed to stop, detect, assess, and neutralize all unauthorized exterior and interior activity. All lower-level measures are in place, plus two more requirements. The first is a sophisticated, state-of-the-art alarm system that a single individual cannot defeat, remotely monitored around the clock from one or more locations, with a backup power source, and with access control or biometrics protecting access to the alarm system itself. The second is an on-site response team whose members have been thoroughly screened and are trained and armed; they work rotating 24/7 shifts on site, dedicated to neutralizing or containing any threat against the facility until off-site law enforcement or other assistance arrives. This type of security is usually found at nuclear facilities, federal prisons, military bases, foreign embassies, and government research sites.[1]

Types of physical security

There are many types of physical security controls that can be implemented to protect assets, each serving a different purpose. Common examples include electronic access control (EAC) with access cards, barriers, surveillance, and alarms.

  • EAC (Access Cards)
Access control is a core mechanism of physical security: it governs specific access points and the flow of traffic through an area. Electronic access control (EAC) is access control that uses a card reader. The reader's sensor reads the data on the card, converts it into a code number, and sends that number to a controller computer, which looks up the person's record and approves or rejects the request. An EAC system therefore consists of access cards and card readers. Card types include proximity cards (the most common; they use a passive circuit energized by the reader), magnetic cards (data encoded on a magnetic stripe that the holder swipes through the reader), smart cards (an embedded microprocessor chip, effectively a small computer), and optical cards (a pattern of light spots read by a light source such as infrared).[3]
  • Barriers
Barriers are physical in nature and include walls, fences, and gates. Doors with locks are also necessary to keep intruders out. Barriers can be natural, such as water or cliffs, or man-made; either way they present obstacles that make getting in very difficult.[4]
  • Surveillance
Surveillance is an extremely important physical security mechanism and can involve security guards, cameras, or both. Things to consider when implementing surveillance include which areas are high-risk; the intended use (monitoring versus deterrence); whether hidden cameras are needed; what kind of cameras to use (wide or narrow field of view, light sensitivity, solar-powered versus mains-powered); where to place them; how much footage must be recorded and retained; and how guards and cameras will be combined.[5]
  • Alarms
Alarms draw attention to incidents that barriers and surveillance have not stopped; they provide additional detection and awareness. They can be silent or audible. Audible alarms are often preferable because the noise alerts everyone nearby that an alarm has been triggered, although a silent alarm is useful when the goal is to summon responders without warning the intruder. Alarms can be deployed in both inner and outer areas, and they help balance the layers of physical security.[6]
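To make the reader-to-controller path described under EAC concrete, here is an added example (not code from the page or its sources) of a door controller decoding a card read and making the access decision. It assumes the common 26-bit Wiegand frame format that proximity readers send to controllers, which the page does not name; the enrollment table, card numbers and schedules are constructed for the example.

```python
"""Decode a 26-bit Wiegand card read at the controller and make the access decision."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int   # 8 bits: identifies the site's batch of cards
    card_number: int     # 16 bits: identifies the individual card


def decode_wiegand26(bits: str) -> Credential:
    """Parse the 26-bit frame a proximity reader sends to the controller.

    Assumed standard 26-bit layout:
      bit 0       even parity over bits 1..12
      bits 1..8   facility code
      bits 9..24  card number
      bit 25      odd parity over bits 13..24
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be exactly 26 binary digits")
    b = [int(c) for c in bits]
    if sum(b[0:13]) % 2 != 0:          # parity bit 0 plus its 12 data bits must be even
        raise ValueError("leading (even) parity check failed")
    if sum(b[13:26]) % 2 != 1:         # parity bit 25 plus its 12 data bits must be odd
        raise ValueError("trailing (odd) parity check failed")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2))


def encode_wiegand26(facility: int, card: int) -> str:
    """Produce the frame a reader would emit; used here only to construct sample reads."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("field out of range")
    body = f"{facility:08b}{card:016b}"                        # bits 1..24
    even = str(sum(int(c) for c in body[:12]) % 2)             # bit 0
    odd = str((sum(int(c) for c in body[12:]) + 1) % 2)        # bit 25
    return even + body + odd


# Constructed enrollment table: credential -> (holder, doors permitted, hours permitted)
ENROLLED = {
    Credential(42, 1001): ("alice", {"lobby", "server-room"}, range(7, 20)),
    Credential(42, 1002): ("bob",   {"lobby"},                range(7, 20)),
}
AUDIT_LOG: list = []   # every attempt is recorded, granted or not


def access_decision(frame: str, door: str, hour: int) -> bool:
    """Controller logic: decode, look the card up, check door and schedule, log the outcome.

    `hour` is the hour of the attempt (0-23), as the controller would take it from its clock.
    """
    try:
        cred = decode_wiegand26(frame)
    except ValueError as err:
        AUDIT_LOG.append({"door": door, "result": "reject", "reason": str(err)})
        return False
    entry = ENROLLED.get(cred)
    if entry is None:
        reason = "unknown card"
    elif door not in entry[1]:
        reason = "door not permitted for holder"
    elif hour not in entry[2]:
        reason = "outside permitted hours"
    else:
        reason = "granted"
    AUDIT_LOG.append({"door": door, "facility": cred.facility_code, "card": cred.card_number,
                      "result": "grant" if reason == "granted" else "reject", "reason": reason})
    return reason == "granted"


if __name__ == "__main__":
    frame = encode_wiegand26(42, 1001)
    print(frame, decode_wiegand26(frame))
    print("alice at server-room 10:00 ->", access_decision(frame, "server-room", 10))
    print("bob at server-room 10:00   ->", access_decision(encode_wiegand26(42, 1002), "server-room", 10))
```

A point worth raising when reviewing such a system: the Wiegand frame carries no encryption or authentication, so anyone with access to the reader wiring can record and replay a valid frame. That is why modern deployments prefer OSDP with its Secure Channel, and why the audit log above records rejected reads too: repeated parity failures on one door can indicate tampering with the reader rather than a worn card.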

Network Security

Introduction to Network Security

Network security is a term that describes the tools and tactics implemented to prevent unauthorized intrusion into, or misuse of, your network.[7] In simpler terms, network security keeps unwanted people away from your network and the sensitive information on it. It has become a necessity for companies and for individuals who want to keep their data safe. Since attackers probe for every loophole that lets them reach someone's information, network security is critical in daily life and every reasonable precaution must be taken.

Why is Network Security Needed?

Effective network security does more than keep data safe: it protects an organization's reputation, its customers' trust, and its ability to keep operating. It is better to prevent an intrusion than to make amends after data has leaked. Many customers are reluctant to share their data with companies and are ready to end the relationship over as little as a rumor that the company's network has been breached. The damage can be lasting and a company may never reclaim its reputation, as the breaches at Yahoo and Myspace showed. Network security usually consists of three main kinds of control:[8]

  • Physical Network Security:
This keeps unauthorized people away from physical network components such as routers and switches.
  • Administrative Network Security:
Controls behavior through policies and procedures: who has access, how much access they have, and how changes are made.
  • Technical Network Security:
This protects data that is stored and in transit, and keeps unauthorized personnel and malicious software out.

Types of Technical Network Security:

There are many technical network security tools, and some environments layer several of them: a university, for example, can benefit from running multiple firewalls to create separate security zones. Each of the techniques listed below takes a different approach to keeping the network secure. They include:[9]

  • Anomaly Detection:
As the name suggests, it learns what normal traffic looks like, detects deviations from that baseline, and alerts you immediately.
  • Email Security:
Phishing emails are one way attackers try to gain a foothold in your network; email security detects and blocks dangerous messages and can stop you from sending sensitive information out.
  • Access Control:
Limits which users and devices can reach specific parts of the network.
  • Anti-Malware software:
Identifies malicious programs and prevents them from executing or spreading.
  • Application Security:
Focuses on the applications running on the network, closing weaknesses that attackers could use to gain entry.
  • Data Loss Prevention (DLP):
Humans are the weakest link in network security because we can literally give away important information. DLP detects sensitive information leaving the network and blocks it.
  • Firewalls:
Filter traffic between trusted and untrusted networks according to a set of rules, allowing authorized traffic and dropping the rest.
  • Wireless Security:
Wireless networks are more exposed than wired ones because the medium is shared and reaches beyond the building, so all available precautions (strong encryption, authentication, and segmentation) should be taken.

There are many other network security techniques that address other vulnerabilities. We should always remember that network security is crucial.
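As an added example of the anomaly detection entry above applied to authentication traffic (example code, not from the page or its sources), the following scans sshd-style log lines for password brute forcing using a sliding window per source IP. The log lines are constructed for the example, and the threshold and window size are assumptions that would be tuned per site.

```python
"""Flag brute-force login sources in SSH-style auth log lines (sliding window per source IP)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd/syslog style; not taken from any real system.
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
Mar  4 10:00:02 host sshd[101]: Failed password for root from 203.0.113.7 port 5002 ssh2
Mar  4 10:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 5003 ssh2
Mar  4 10:00:04 host sshd[103]: Failed password for root from 203.0.113.7 port 5004 ssh2
Mar  4 10:00:05 host sshd[104]: Failed password for root from 203.0.113.7 port 5005 ssh2
Mar  4 10:00:06 host sshd[105]: Accepted publickey for deploy from 198.51.100.2 port 6001 ssh2
Mar  4 10:00:30 host sshd[106]: Failed password for alice from 198.51.100.9 port 7001 ssh2
Mar  4 10:09:00 host sshd[107]: Failed password for alice from 198.51.100.9 port 7002 ssh2
Mar  4 10:15:00 host sshd[108]: Failed password for alice from 198.51.100.9 port 7003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip), or None for lines that are not auth events.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 4, window_seconds: int = 60) -> dict:
    """Map source IP -> peak failure count for sources with >= threshold failures in any window.
    Lines are assumed to be in time order, as they are in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, _, _, ip = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT brute force from {ip}: {n} failures within 60s")
```

The slow source in the sample (three failures over fifteen minutes) is deliberately not flagged: a fixed per-source threshold misses low-and-slow and distributed attacks, so production detection also correlates failures per target account and across many sources, and feeds the alert to an access-control action such as a temporary block.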

Application Security[10]

Introduction to Application Security

Application security comes into play at the application layer, where the goal is to find and close weaknesses in an application's code before an attacker can exploit them to gain unauthorized access. Security measures are taken into consideration both during development and after the app is in use. Application security can be implemented in hardware or in software. It involves creating, adding, and assessing security features inside applications to protect anything that is exposed and vulnerable.[11]

Application security is the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification. [12]

Why is it important:

As technology continues to develop, more and more applications are connected to networks and to the cloud. This creates more places where vulnerabilities can be approached. With different testing methods, flaws at the application level can be found and prevented. Today, attackers increasingly target applications directly rather than other layers such as the network.[13]

Application security is not a single technology; rather, it’s a set of best practices, functions, and/or features added to an organization’s software to help prevent and remediate threats from cyber attackers, data breaches, and other sources.[14]

Types of application security features:

  • Authentication, authorization, and encryption:
    • Authentication verifies that the person logging on is who they claim to be. Authorization follows: it grants access based on who the user is, comparing the user's identity against the list of authorized users to determine what they may access. Encryption then protects the app while it is in use: traffic is encrypted so that the data cannot be read by others.[15]
  • Logging:
    • Every access is recorded: when it happened, who did it, and what was accessed. If someone gains unauthorized access to information, the logged record lets you find out.[16]
  • Access Controls:
    • Access control is a data security process that enables organizations to manage who is authorized to access corporate data and resources. Secure access control uses policies that verify users are who they claim to be and ensures that appropriate access levels are granted to users.[17]
  • Identity Access Management:
    • Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities.[18]
  • Application security testing:
    • Tests are implemented to help ensure that all the security measures in place are working correctly.[19]
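The authentication, authorization and logging features above fit together in one small flow. The code below is an added example, not code from the page or its sources; the user store, roles and permissions are constructed, and transport encryption is left to TLS and not shown.

```python
"""Salted password hashing, role-based authorization, and an audit log of every decision."""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timezone

# PBKDF2 work factor. OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# it is lowered here only so the example runs quickly.
ITERATIONS = 50_000

USERS: dict = {}        # username -> {"salt", "hash", "role"}; constructed in-memory store
AUDIT: list = []        # append-only record of authentication and authorization decisions
PERMISSIONS = {         # role -> permissions it grants (least privilege: viewers cannot write)
    "viewer": {"report:read"},
    "admin": {"report:read", "report:write", "user:manage"},
}
DUMMY_SALT = bytes(16)  # used when the user does not exist; see authenticate()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Derive a slow, salted hash; the per-user salt makes precomputed tables useless."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str, role: str) -> None:
    """Store only the salt and hash, never the password itself."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "role": role}


def log(event: str, user: str, **fields) -> None:
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, "user": user, **fields})


def authenticate(username: str, password: str) -> bool:
    """Verify the password against the stored hash using a constant-time comparison."""
    rec = USERS.get(username)
    # Do the hashing work even for unknown users, so response time does not reveal valid usernames.
    _, candidate = hash_password(password, rec["salt"] if rec else DUMMY_SALT)
    ok = rec is not None and hmac.compare_digest(candidate, rec["hash"])
    log("login", username, success=ok)
    return ok


def authorize(username: str, permission: str) -> bool:
    """Decide from the user's role; deny by default for unknown users or roles."""
    role = USERS.get(username, {}).get("role")
    ok = permission in PERMISSIONS.get(role, set())
    log("authz", username, permission=permission, granted=ok)
    return ok


if __name__ == "__main__":
    register("alice", "correct horse battery staple", "admin")
    register("bob", "hunter2", "viewer")
    print("alice login:", authenticate("alice", "correct horse battery staple"))
    print("bob may manage users:", authorize("bob", "user:manage"))
    for entry in AUDIT:
        print(entry)
```

Two details matter here: the slow, salted hash makes a stolen user table expensive to crack, and hashing even for unknown usernames together with the constant-time comparison stops response timing from revealing which usernames exist. The audit entries are what the Logging feature above refers to; they answer "who did what, when" after the fact.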

Mobile & Web application security:

One way businesses implement application security on mobile devices is with a virtual private network, which gives employees safe remote access to company information. For web application security, firewalls inspect data packets and drop potentially damaging ones[20].

Web application security is the process of securing web applications from malicious attacks such as unauthorized access and data theft. Any software program that runs on a web server or device and is accessible through a web browser is a web application; examples include shopping websites and dating websites. Web applications are vulnerable to various attacks, such as cross-site scripting (XSS) and SQL injection. To ensure web application security, developers must take several measures, including input validation, authentication and authorization, encryption, security testing, and secure coding practices.

Mobile application security is the process of securing mobile applications from malicious attacks such as unauthorized access and data theft. Any software program that runs on a mobile device is a mobile application. A mobile application can be a version of the program used in a web application or an independent application. Mobile applications are vulnerable to various attacks, such as code tampering and insecure data storage.

Application security controls & testing:

Controls are methods implemented to strengthen the code so that the program's behavior stays under control even when it receives unexpected input. Testing checks that no vulnerabilities remain in new or revised software. Examples include fuzzing, security audits, and penetration testing.

  • Fuzzing:
    • Unexpected or malformed inputs are fed to the application to check whether it has vulnerable holes or other paths through which someone could gain unauthorized access.[21]
  • Encryption:
    • Encryption is the process of encoding information. It converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information.
  • Firewall:
    • A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured, controlled internal networks that can be trusted and untrusted outside networks.
  • Security Training:
    • Security training is the process of educating individuals and employees about security risks and best practices to prevent security breaches. It can cover a wide range of topics, including how to recognize and respond to security threats, how to use security tools and software, how to create strong passwords, and how to protect sensitive information.
  • Security audit:
    • Checks whether the application meets the defined security criteria. Once it does, the creators must ensure that only specific users get authorized access.[22]
  • Penetration testing:
    • Essentially this is putting on a criminal's hat and testing the application. Tests are run both as an authenticated (logged-in) user and as an unauthenticated one, to rule out possible openings in either state. Penetration testing (or pen testing) is a security exercise in which a cyber-security expert attempts to find and exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak spots in a system's defenses that attackers could take advantage of.

Embedded Security

Introduction to Embedded Security

Embedded security encompasses the design and implementation of the protection mechanisms and strategies used to secure embedded systems.[23] An embedded system is a specially designed computer system, hardware and software together, that performs specific functions within a larger electrical or mechanical system. In practice these devices appear across disciplines, from internet-connected devices (the Internet of Things, IoT) to industrial control systems and medical equipment. Embedded security is responsible for maintaining the confidentiality, integrity, and availability of these systems and of the information they interact with.

Why is Embedded Security important?

As embedded systems are further integrated into automotive, industrial, medical, and consumer systems, the security of these devices becomes increasingly important. By nature, embedded devices often serve as safeguards or watchdogs, or implement some of the core functionality of the systems they serve. From this perspective, the security of embedded systems is essential to the safe and reliable operation of the devices and systems that rely on them.[23] Embedded security describes the application of security in three primary contexts: hardware, firmware, and communication.[24]

Hardware Security

Hardware security maintains the physical protection of embedded systems. This ranges from the physical placement of an entire system to the physical properties of components in an embedded system.[25] Hardware-based encryption, cryptographically secure storage, and tamper-resistant designs are areas of interest.[26]

Firmware Security

Firmware security is responsible for ensuring the authenticity and integrity of the firmware running on the device. Areas of interest include securing the boot and update processes, resisting firmware analysis, and protecting against runtime vulnerability exploitation.[25][27]

Communication Security

In this context, communication security refers to securing communication channels within and between embedded systems.[28] This typically means channels implemented in hardware on the device, but it may also describe channels established with external devices and resources. Encryption, authentication, and integrity checks are crucial to prevent unauthorized access to data in transit.[24]

Embedded Security Techniques

Several embedded security techniques help protect embedded systems and devices against modern threats and vulnerabilities. They fall into two groups. Root of Trust describes the hardware and firmware technologies that establish a secure foundation for verifying the integrity of components within the system, such as a key fused into the chip and the boot ROM that uses it. Chain of Trust refers to the security measures that extend the trust established by the Root of Trust to each subsequent component, with each verified stage verifying the next before handing over control.

Hardware-based Encryption

  • Trusted Platform Modules (TPMs) and Hardware Security Modules (HSMs) are dedicated microcontrollers designed to perform cryptographic operations and protect sensitive information.[26] They store cryptographic keys so that they cannot be extracted by software, and they let the system verify its firmware before it runs, which helps defend against firmware-level threats, including those used to stage ransomware attacks.

Tamper Detection and Protection

  • Secure Boot[25][26][27]
    • Secure Boot ensures that only signed and verified firmware executes during device startup, establishing the Root of Trust.
  • Secure Firmware Updates[25][26][27]
    • Embedded systems use digital signatures to verify the authenticity and integrity of firmware updates.
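Secure Boot and Secure Firmware Updates above are two uses of one mechanism: verify before trusting. The following is an added example, not code from the page or from any vendor's implementation, of a two-stage chain of trust with an anti-rollback counter. It substitutes an HMAC under a constructed key for the RSA/ECDSA signature and fused public-key hash that a real boot ROM uses, so that it runs on the standard library alone; the image layout and stage names are assumptions.

```python
"""Chain of trust from a fused root key to the kernel, plus anti-rollback firmware updates."""
import hashlib
import hmac
import struct

# A real boot ROM verifies an RSA/ECDSA signature against a public-key hash fused into
# one-time-programmable (OTP) memory. This example substitutes an HMAC key, constructed here
# and not a real secret, so it runs on the standard library alone; the control flow is the same.
OTP_ROOT_KEY = bytes(range(32))
KERNEL_KEY = hashlib.sha256(b"constructed second-stage signing key").digest()
NO_NEXT_KEY = bytes(32)            # the last stage carries no successor key

VERSION = struct.Struct(">I")      # assumed image layout: tag(32) | version(4) | next_key(32) | code


def build_image(signing_key: bytes, version: int, next_key: bytes, code: bytes) -> bytes:
    """Build-server side: authenticate version, successor key and code as one unit."""
    body = VERSION.pack(version) + next_key + code
    return hmac.new(signing_key, body, hashlib.sha256).digest() + body


def verify_image(key: bytes, image: bytes, min_version: int) -> tuple:
    """Device side: check authenticity first, then enforce the anti-rollback floor."""
    tag, body = image[:32], image[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise RuntimeError("signature check failed: image is not authentic")
    (version,) = VERSION.unpack(body[:4])
    if version < min_version:
        raise RuntimeError(f"rollback refused: version {version} is below floor {min_version}")
    return version, body[4:36], body[36:]


def make_device() -> dict:
    """Constructed two-stage device: bootloader signed by the root key, kernel by KERNEL_KEY,
    which the bootloader carries in its header. 'floor' is the per-stage monotonic counter."""
    return {
        "order": ["bootloader", "kernel"],
        "images": {
            "bootloader": build_image(OTP_ROOT_KEY, 1, KERNEL_KEY, b"bootloader code v1"),
            "kernel": build_image(KERNEL_KEY, 1, NO_NEXT_KEY, b"kernel code v1"),
        },
        "floor": {"bootloader": 1, "kernel": 1},
    }


def boot(device: dict) -> list:
    """Secure boot: each stage is verified with the key handed down by its predecessor,
    starting from the fused root key; the first failure halts the boot."""
    key, executed = OTP_ROOT_KEY, []
    for name in device["order"]:
        version, key, _code = verify_image(key, device["images"][name], device["floor"][name])
        executed.append((name, version))
    return executed


def key_for(device: dict, stage: str) -> bytes:
    """Walk the chain to find which key must have signed `stage`."""
    key = OTP_ROOT_KEY
    for name in device["order"]:
        if name == stage:
            return key
        _, key, _ = verify_image(key, device["images"][name], 0)
    raise KeyError(stage)


def install_update(device: dict, stage: str, new_image: bytes) -> int:
    """Secure update: verify with the chain key, require a strictly newer version,
    and only then commit the image and advance the floor (it never moves backwards)."""
    version, _, _ = verify_image(key_for(device, stage), new_image, device["floor"][stage] + 1)
    device["images"][stage] = new_image
    device["floor"][stage] = version
    return version


def rejects(fn, *args) -> str:
    """Return the rejection reason, or '' if the operation succeeded."""
    try:
        fn(*args)
        return ""
    except RuntimeError as e:
        return str(e)


if __name__ == "__main__":
    dev = make_device()
    print("boot:", boot(dev))
    print("update to v2:", install_update(dev, "kernel", build_image(KERNEL_KEY, 2, NO_NEXT_KEY, b"kernel v2")))
    print("rollback to v1:", rejects(install_update, dev, "kernel", build_image(KERNEL_KEY, 1, NO_NEXT_KEY, b"old")))
    tampered = bytearray(dev["images"]["kernel"])
    tampered[-1] ^= 0x01
    dev["images"]["kernel"] = bytes(tampered)
    print("tampered boot:", rejects(boot, dev))
```

Order matters in verify_image: authenticity is checked before the version field is even read, so an attacker cannot steer the rollback logic with an unsigned header. And the floor only ever advances, so once version 2 is installed an older, vulnerable version can no longer be reinstalled even though its signature is still valid.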

Secure Communication Protocols

Embedded systems use protocols like TLS to ensure that data transmitted between components of the system, or to external devices, stays authenticated and confidential, extending the Chain of Trust across the communication channel.[28]

Cloud Security

Introduction to Cloud Security

Attackers have found their way into almost every kind of technical device. Even something as simple as surfing the web can expose a person's information. Attackers used to harvest data from physical hard drives by installing a virus that opened a back door and sent the data directly to their server. Now they have a second option: attacking the cloud directly. Enterprises, small companies, and ordinary people have begun to store data in the cloud as a security precaution, without realizing that information stored in the cloud is just as exposed as information on a local disk if it is not protected properly. Cloud security refers to the safeguarding of cloud computing files, software, and infrastructure. Many facets of cloud protection (whether public, private, or hybrid) are the same as for any on-premises IT architecture. The European Network and Information Security Agency (ENISA) describes cloud computing as "an on-demand service model for IT provision, often based on virtualization and distributed computing technologies."[29] It can also be described as the delivery of hosted resources over the Internet, including applications, hardware, and storage. Cloud computing has become practically ubiquitous among enterprises of all sizes, mostly as part of a hybrid or multi-cloud architecture, because of the advantages of faster rollout, availability, low up-front costs, and scalability.

Why is cloud security different?

The foundations of cloud computing began to emerge in the early 1990s. The fundamental concept is to separate a system's architecture and mechanisms from the software and resources it provides. Clouds are built so that they can scale quickly, are always available, and have low operating costs; on-demand multi-tenancy of software, content, and hardware resources makes this possible. According to Peter Mell and Tim Grance of NIST, "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."[30] Cloud computing allows enterprises to share computing and storage services with the goal of lowering computing costs, and cloud storage allows people within a cloud to share knowledge. Despite the benefits, data stored in the cloud is also vulnerable to theft and other security concerns.

Risks and Benefits

Cloud computing security issues can be divided into two categories: provider-side issues and client-side issues. Responsibility shifts toward the provider as one moves from Infrastructure as a Service (IaaS) through Platform as a Service (PaaS) to Software as a Service (SaaS); in the IaaS model the customer bears the most responsibility. Many businesses that produce and sell cloud storage software and services have not given enough thought to the consequences of processing, storing, and viewing data in a decentralized, virtualized environment. In particular, many cloud application developers fail to provide encryption, and in other contexts the available technology simply does not let developers offer real protection. In the IaaS model the cloud user is responsible for these data security policies. With PaaS, the provider must use specific tools to track and protect access to the database it supports, while the content and data remain the user's responsibility. Moving to the cloud nevertheless lets clients reduce costs and save money. Privacy and security are the major concerns of cloud storage, since customers' data and business logic sit on untrusted cloud servers managed by the service operator. Both privacy and security prevent information disclosure, but privacy-preservability is in some ways a stricter form of confidentiality: if cloud confidentiality is ever breached, privacy-preservability is breached as well. In short, cloud protection has two meanings that other security services lack: data privacy and computation privacy.

Security Concepts

The following concepts are important to secure data inside a cloud.[31]

1) Identification: The first step in gaining access to a cloud; the user presents an identity.

2) Authentication: The system verifies that the claimed identity is genuine and can be trusted.

3) Accountability: The user's actions are recorded so that they can later be attributed to that user.

4) Authorization: The user is admitted and the privileges they will receive are determined.

5) Privacy: Confidentiality is established and the user's data is protected from disclosure.

Security Options

According to IBM, security options include:[32]

  • Identity and access management (IAM): this type of service enforces policy-driven controls such as monitoring and tracking who accesses the cloud. It creates a digital identity for every user that can easily be restricted.
  • Data Loss Prevention (DLP): this service provides tools such as data encryption and remediation alerts as preventive measures, and protects data both in use and at rest.
  • Security information and event management (SIEM): provides automated threat monitoring, detection, and response, increasingly using AI-driven analytics across the organization's log data.

Security Issues

Other issues regarding cloud usage include:[33]

  • Who owns the data inside a cloud?

Since using a cloud service means uploading data onto a service that a company provides, it is not always clear who the prime owner of the data is. Cloud services often outsource storage to other vendors. This becomes complicated because national laws differ in how they regulate it.

  • Privacy

Keeping data secure inside the cloud is a big challenge, and it is an ethical issue that the cloud service provider must deal with. The amount of privacy and security depends on the delivery model. In SaaS models, users have to trust the provider to protect their data. In PaaS models, the developers building applications on top of the platform are given some security features that they can implement.

  • Cloud Provider security

Providers must be able to give users the following properties: 'integrity', 'confidentiality', and 'availability'. "Integrity of data assumes a confidence that the data has not been manipulated or deleted by unauthorized actors; confidentiality assumes data has not been revealed to unauthorized parties and availability assumes the data is intact and that users can use or recover it as needed."[34] These three properties must always be maintained and supervised closely, since a lapse in any of them can cause security problems; together they allow data privacy to be maintained.

Database Security

Introduction to Database Security

The term database security refers to the processes and techniques for protecting a database from unauthorized access, modification, and disclosure. It is important to keep databases safe from malicious attacks and unauthorized access because they contain sensitive and confidential information.[35]

Types of Database Security

Database security is based upon three main constructs: privacy, protection from unauthorized access, and integrity. Privacy refers to the ability to control access to databases, and integrity refers to maintaining the accuracy of the data stored in them. All three constructs must be addressed to provide comprehensive protection. The main types of database security are as follows.[36]

  • Authentication: The process of verifying a user's credentials against those stored in the database (passwords should be stored only as salted hashes, never in plain text).
  • Encryption: A technique in which an encryption algorithm translates plain text into ciphertext that is unreadable without the key, protecting data at rest and in transit.
  • Auditing: Monitoring all activity in the database, for example keeping track of who accessed it, who made changes, and when those changes were made.
  • Backup and recovery: The process of restoring lost, deleted, or corrupted data. A copy of the original data is kept in secondary storage so that, if the primary storage is compromised or loses data, the secondary copy can be restored.

Threats and Challenges in Database Security edit

There are a number of significant threats and challenges facing organizations in their efforts to protect their databases.[37]

  • SQL Injection: A type of attack in which malicious SQL is entered through the front end of a website (its UI) and passed on to the back-end database. SQL injection can be used to steal sensitive information or gain unauthorized access to a system or network.
  • Physical Security: Database security begins with the physical security of the database server, and physical access should be given to approved workers only. Limiting physical access to authorized personnel reduces the risk of security breaches and theft and protects sensitive information.
  • DoS Attack: A DoS attack makes a database slow or inaccessible to all users. Measures to detect and mitigate DoS attacks must be in place to ensure the availability and reliability of the database.
  • Unmanaged Sensitive Data: Organizations keep sensitive and confidential information in databases; if that data is left unattended or forgotten, it can be exploited by attackers.
  • Excessive Database Privileges: Database users can misuse their rights, so it is important to give only the relevant rights to the relevant users.
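The SQL injection item above, shown as an added example that is not part of the original chapter: a login lookup that splices user input into the query text next to the parameterized version that fixes it, run against an in-memory SQLite table with constructed rows.

```python
"""Added example (not from the original chapter): a SQL injection in a
user lookup, beside the parameterized query that prevents it.
Uses an in-memory SQLite database filled with constructed sample rows."""
import sqlite3

# Constructed sample data: a minimal users table.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "admin"),
    ("bob", "hash-of-bob-pw", "analyst"),
    ("carol", "hash-of-carol-pw", "analyst"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The front end passes `username` straight into the SQL text, so
    whatever the user typed becomes part of the statement that runs."""
    query = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the SQL,
    so quotes or keywords inside it are never interpreted as SQL."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on ordinary input and on a tautology payload."""
    conn = make_db()
    normal = "bob"
    # Closes the string literal and appends an always-true condition,
    # the classic example of the attack the text describes.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "safe_normal": lookup_safe(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_hostile": lookup_safe(conn, hostile),         # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```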

We can categorize these threats into three main categories.[37]

  • External Threat: Attacks that come from outside the organization, such as those by cyber criminals, black hat hackers, or organized crime groups. They can include phishing, malware, DoS attacks, and so on.
  • Internal Threat: Attacks or data breaches that originate inside the organization, caused by employees, contractors, or other trusted insiders. Access should be given only to people who have a task to perform on the specific database.
  • Partner: Threats from third-party organizations or contractors that have a contract with the developer or the main organization. Sharing information with partners is necessary, but it is also essential to make sure they follow proper guidelines and that only authorized members are allowed to access the databases.

Connection to the Database

Once a database has been created, data from the outside world has to be routed to it. Because that traffic crosses a trust boundary, it is important to configure the connection to the database so that it is protected from unwanted intrusion. Some best practices are[35]:

  1. Disable remote access.
  2. Secure the MySQL server behind a firewall.
  3. Do not leave your ports wide open.
  4. Use IP addresses to restrict access to the database.
  5. Encrypt your connection to the server using SSH or SSL.

System Hardening and Monitoring

Database hardening is the process of tightening a database's configuration and limiting the access and rights granted on it, similar to OS hardening, so that attackers find it harder to infiltrate the database. Whatever database system is used, it provides some way to list tables, databases, and schemas, and every database system can create and alter users with different types of privileges. One of the main hardening steps is therefore restricting privileges. Some best practices for doing so are:[38]

  1. Each user has only limited privileges and access only to the databases it needs to run.
  2. Never use GRANT ALL … TO … statements.
  3. Never use % as a hostname.
  4. Application user permissions should be as restrictive as possible.
  5. Only allow SUPER privileges to dedicated database accounts, and only from localhost.
  6. Never give users global privileges, except for the root, backup, monitoring, and replication users.
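The privilege rules above, turned into an added audit script that is not part of the chapter or of any database vendor's tooling: it checks a constructed inventory of accounts (the kind of record a DBA would assemble from SHOW GRANTS output; no server is contacted) against rules 2, 3, 5 and 6 and reports each violation.

```python
"""Added example (not from the original chapter): a least-privilege audit
of database accounts against the hardening rules listed above. The account
records are constructed for the example and do not come from a live server."""

# Rule 6: the only accounts the text allows to hold global privileges.
GLOBAL_PRIV_EXEMPT = {"root", "backup", "monitoring", "replication"}

# Constructed inventory: one record per (user, host) pair. "global" holds
# server-wide privileges, "db" maps database name -> privileges on it.
ACCOUNTS = [
    {"user": "root", "host": "localhost",
     "global": ["ALL PRIVILEGES"], "db": {}},
    {"user": "backup", "host": "localhost",
     "global": ["SELECT", "LOCK TABLES"], "db": {}},
    {"user": "webapp", "host": "10.0.0.5",
     "global": [], "db": {"shop": ["SELECT", "INSERT", "UPDATE"]}},
    {"user": "reporting", "host": "%",                 # wildcard host
     "global": ["SELECT"], "db": {}},                   # plus a global grant
    {"user": "legacy", "host": "10.0.0.7",
     "global": [], "db": {"shop": ["ALL PRIVILEGES"]}},  # GRANT ALL on a db
    {"user": "ops", "host": "10.0.0.9",
     "global": ["SUPER"], "db": {}},                    # SUPER from remote host
]


def audit_account(acct: dict) -> list:
    """Return one finding string per rule the account violates."""
    findings = []
    who = f"{acct['user']}@{acct['host']}"
    # Rule 3: never use % (match any host) as the hostname.
    if acct["host"] == "%":
        findings.append(f"{who}: wildcard host '%'")
    # Rule 2: never grant ALL, whether globally or on a single database.
    # root is the one account the text leaves with full rights.
    if "ALL PRIVILEGES" in acct["global"] and acct["user"] != "root":
        findings.append(f"{who}: global ALL PRIVILEGES")
    for db, privs in acct["db"].items():
        if "ALL PRIVILEGES" in privs:
            findings.append(f"{who}: ALL PRIVILEGES on {db}")
    # Rule 5: SUPER only from localhost.
    if "SUPER" in acct["global"] and acct["host"] != "localhost":
        findings.append(f"{who}: SUPER from non-local host")
    # Rule 6: global privileges only for the exempt service accounts.
    if acct["global"] and acct["user"] not in GLOBAL_PRIV_EXEMPT:
        findings.append(f"{who}: global privileges {acct['global']}")
    return findings


def audit(accounts: list) -> dict:
    """Map each offending account to its findings; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[f"{acct['user']}@{acct['host']}"] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(ACCOUNTS).items():
        for line in findings:
            print(line)
```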

Auditing

Auditing, or monitoring, is a database security practice that aims to review the entire database and assess its status. Auditing looks for problems so that any that are found can be addressed and prevented from recurring. The process has three steps[39]:

  • Planning and preparation phase: A detailed scan of the entire infrastructure is conducted, and several interviews are held to assess the assets and determine the scope of the audit.
  • The auditing phase: The audit itself, in which tools and assessments are used to test for potential vulnerabilities.
  • The reporting phase: After the audit is completed, all identified vulnerabilities are reported in a debriefing, which can be given orally or in writing, so that controls can be put in place for each vulnerability identified.

Security Against Social Engineering

Introduction to Social Engineering

Social engineering attacks can be described as psychological techniques aimed at tricking or deceiving an individual or entity into revealing information or doing something that is not in their best interest.[40] Social engineering attacks can take place across a plethora of mediums and don't require the targeting of any specific type of information or access. Attacks can take place via messaging platforms, email, phone or video calls, or even in person. Unlike other cybersecurity-related attacks, social engineering doesn't take advantage of a vulnerability in computer hardware or software but instead relies on human error and manipulation.[41]

For this reason, traditional defenses—like firewalls and anti-malware—can be useful in some aspects but won't be entirely sufficient as a defense against this type of attack. Social engineering is extremely prevalent, being utilized to some degree in an estimated 98% of cyberattacks.[42]

Principles of Social Engineering Attacks

Social engineering often utilizes a few principles that are featured in Influence: The Psychology of Persuasion by Robert Cialdini.[43]

  • Reciprocity: Attackers may initially offer something of little value to the user in an attempt to get them to give something back in return.
  • Scarcity: A proposition or offer can be made to appear "limited in time" to the user, prompting a quicker and less careful response.
  • Consistency: The threat actor may compromise the account of someone the target has already been talking to. The target then feels compelled to keep engaging with that account because of the previous interactions.
  • Social Proof: If others appear to feel safe sharing information in a certain way, the user may tend to "go with the crowd."
  • Authority: Attackers may compromise the account of an authority figure, or pose as a company the target already deals with, making the user more likely to follow their instructions.
  • Liking: Attackers can feign a likable attitude, common interests and compliments towards the target user, increasing the likelihood of compliance.

Social Engineering Attack Types

As discussed under Principles of Social Engineering Attacks, social engineering is "a malicious act of tricking a person into doing something by messing up his emotions and decision-making process."

The main attack types in social engineering are:

Phishing: This is a type of attack where the attacker sends an email or message that appears to be from a legitimate source, such as a bank or company, and asks the victim to provide sensitive information or click on a link that installs malware.[44]

  • URL Spoofing: This is a type of phishing attack where the attacker creates a fake website that looks similar to a legitimate one.[45]

Spear Phishing: This is a targeted phishing attack where the attacker researches the victim and creates a personalized message that is more likely to trick the victim into providing sensitive information or clicking on a malicious link.[46]

Vishing: This is a type of phishing attack that uses voice over IP (VoIP) to make phone calls to victims. The attacker may pretend to be a legitimate caller, such as a bank representative, and ask the victim to provide sensitive information.[47]

Tailgating: This is a physical social engineering attack where the attacker follows an authorized user into a secure area by acting as if they are authorized as well. The attacker may carry boxes or other items to appear as if they belong in the area and blend in with other employees.[48]

Impersonation: This is a social engineering attack where the attacker impersonates an authority figure, such as a police officer or security guard, to gain access to restricted areas or to intimidate the victim into complying with their requests.[49]

  • Authority Intimidation: In this attack, the attacker pretends to have authority over the victim and uses intimidation to coerce them into providing sensitive information or performing actions that may harm them or their organisation.[50]
  • Pretexting: This is a type of attack where the attacker poses as a trusted individual, such as a co-worker or IT support, and uses a convincing story or pretext to trick the victim into providing sensitive information or granting access to their system.[51]

USB Drops: This is a physical social engineering attack where the attacker leaves infected USB drives in public places, hoping that someone will pick them up and plug them into their computer.[52]

Watering Hole Attacks: This is a type of attack that targets a specific group of users by infecting a website that is frequently visited by that group. The attacker can gain access to the targeted group's information by infecting the website with malware.[53] (p. 30)

Reverse Social Engineering: This is a technique where the attacker poses as a victim and contacts the organization's IT department or security team to request information or access. By using this approach, the attacker may be able to bypass security measures by appearing to be a legitimate employee or customer.[54]

Honey Traps: This is a technique where an attacker sets up an attractive or tempting offer, such as a fake job opportunity or a romantic relationship, to entice the victim into sharing confidential information or performing a specific action.[55]

Quid Pro Quo: This is a social engineering attack where the attacker offers the victim something in exchange for sensitive information or access.[56]

Piggybacking: This is a physical social engineering attack where the attacker follows an authorized user into a secure area by pretending to be with that person.[57]

Elicitation: This is a technique where the attacker uses conversation and social skills to extract information from the victim without raising suspicion.[58]

Scareware: This is a type of attack where the attacker creates fake antivirus or security software that appears to detect malware on the victim's computer.[59]

Fake Wi-Fi Networks: This is a type of attack where the attacker creates a fake Wi-Fi network that appears to be legitimate. It is also known as an Evil Twin attack.[60]

Dumpster Diving: This is a physical social engineering attack where the attacker searches through the victim's garbage or recycling to find sensitive information.[61]

Goals of Social Engineering Attacks

The general objectives of a malicious social engineer are similar to those of the normal employee. As an illustration, the more you know, the easier it might be to succeed. With one exception—ethics—a malicious social engineer may have some of the same common objectives as the normal individual.[62]

Social engineering is a kind of cyber-attack that targets people or groups and uses deception to persuade them to provide sensitive information or take actions that are not in their best interests. Depending on the attacker's intentions, social engineering attacks can serve a variety of purposes, but typical ones include stealing confidential information, installing malware, gaining access without authorization, making money, or interfering with business operations.[63] Most attackers are ultimately motivated by a desire for financial gain. In order to redirect money to their own accounts, some attackers target financial staff such as accounts payable. To carry out fraudulent transactions, they might also request credit card numbers or bank account details from employees.

Many attackers will look for any personal information they can find during larger attacks. Many of these attacks ask users to click a link to "confirm" data like current and past addresses, application passwords, or other details (which the attacker then tests against numerous services).

Even the victim's computational capabilities can be useful to the attacker. Phishing attacks may persuade a user to download or run malicious files instead of attempting to extract information from them. From there, the hacker can use the victim's computer to mine bitcoin, leverage the network's bandwidth to launch a denial-of-service attack against a second victim, or use the compromised machine as a stepping stone to increase his or her access to the network.[64]

Ethics

Ethics are the fundamental principles that determine what is right and wrong in a community. For instance, laws are created to punish a behavior if society as a whole deems it to be bad. Indeed, ethics is what distinguishes the normal person's financial objectives from those of the wicked social engineer, who seeks to gain financial or reputational advantage by stealing knowledge and using it in a non-ethical way.

Examples of Recent Attacks

Belgian Bank Whaling Attack

In 2016, the Belgian bank Crelan fell prey to a whaling attack and suffered a loss of more than $75.8 million. The attack involved a spear-phishing email sent to a senior executive or someone in the financial department, in which the sender impersonates a business partner or an internal employee. The message urges the recipient to transfer money to a designated account to complete a critical business deal. The email uses authentic-looking graphics and a similar domain name to trick employees into making the transfer without verifying the request with someone inside the company.[65]


Classic Ether Wallet Hacked

In June 2017, the official web domain of Classic Ether Wallet, a client-side wallet system for the Ethereum Classic (ETC) cryptocurrency, was hijacked by an unknown hacker. The attacker managed to persuade the support staff at web hosting provider 1on1 to transfer control of the domain to them, instead of its rightful owner. As soon as the attacker gained control, they redirected the wallet's primary domain to their own server and changed transaction details, resulting in the transfer of funds to the hacker's accounts. The attacker appears to have stolen almost $300,000 worth of ETC funds from affected accounts, which were then transferred to multiple other accounts. [66]


UK Energy Company CEO Tricked by AI Phone Call

Attackers used AI speech synthesis software to mimic the voice of a chief executive and demand a transfer of $243,000 over the phone. The victim believed he was talking to his German-based boss and initiated the transfer. The transferred funds were sent to a Hungarian bank account and later moved to Mexico before being dispersed to various locations. It is unknown whether the criminals used bots to answer the victim's questions. [67] This is quite a unique case and a prime example of the kinds of clever ways attackers can use new AI technologies to take advantage of unsuspecting victims.


2020 Twitter Account Hijacking

In July 2020, the Twitter accounts of several celebrities and executives were compromised through a "phone spear phishing attack" targeted at a small number of employees. The attack gave the hackers access to Twitter's internal administrative systems, which they exploited to post Bitcoin scam messages. The company admitted that the incident was due to a loss of control of its internal systems to hackers who may have bribed, deceived, or coerced Twitter employees. [68]

The attackers targeted a few employees and pretended to be Twitter personnel while contacting them, taking advantage of the remote working conditions caused by the pandemic. They directed their victims to log in to a fake internal Twitter VPN, which was made to look like the real one using information obtained from public sources. To bypass two-factor authentication, the attackers entered stolen credentials into the real Twitter VPN portal and asked for the two-factor authentication code within seconds of the employees entering their information into the fake VPN. [69]


2021 Robinhood Data Breach

In 2021, Robinhood faced yet another security breach where it was revealed that an unauthorized third party had managed to access millions of its customers' data. Robinhood announced that an "unauthorized party" was able to socially engineer a customer support employee over the phone and gain access to some customer support systems. The company disclosed that the unauthorized party obtained a list of email addresses for roughly five million individuals, and full names for a separate group of two million people. Additionally, personal information such as name, date of birth, and zip code were exposed for approximately 310 individuals, while a small subset of about 10 customers had more detailed account information compromised. [70]


2022 Uber Data Breach

In September 2022, Uber was breached by a social engineering attack, where a hacker was able to deceive an employee into divulging their login credentials. The hacker gained entry into the company's internal systems by compromising an employee's Slack account. The individual responsible for the attack claimed to have posed as a corporate IT professional in a text message to the employee, convincing them to disclose a password that enabled the hacker to access Uber's systems. Despite Uber's multi-factor authentication (MFA) policy, the attacker persisted in sending multiple MFA requests to the employee until they were granted access and ultimately managed to compromise the system. This was not the first instance of data theft from Uber, as in 2016, hackers stole information from 57 million driver and rider accounts and demanded $100,000 from Uber in exchange for deleting their copy of the data. While Uber did pay the ransom, they kept the breach a secret for over a year. [71]

Preventative Steps Against Social Engineering Attacks

Certain steps can be taken to decrease the likelihood of a social engineering attack occurring. According to the US Cybersecurity and Infrastructure Security Agency (CISA), these steps include:[72]

  • Be suspicious of anyone asking you to reveal internal information, such as company data or information about other employees.
  • Verify the identity and authority of the person asking for that information.
  • Do not reveal financial information over email or telephone, and do not respond to emails or calls requesting it.
  • Before clicking a link in an email, verify that it is genuine by hovering over it and checking that the actual link target matches the URL shown in the email.
  • Do not enter information on websites that are not secure; a secure site can be identified by the padlock symbol in the browser and by a URL that starts with HTTPS rather than HTTP.
  • Make use of anti-virus software and other network defenses such as firewalls and email filters to catch attack attempts before they reach users.
  • Implement security features such as multi-factor authentication (MFA) to provide an additional layer of security if internal logins or passwords are revealed.
  • Educate yourself and your fellow employees about social engineering; someone who knows how these attacks are structured is more likely to recognize and avoid them.
  • Communicate with co-workers to call out potential attacks before they succeed.
  • Implement a security policy that includes social engineering awareness, so that people in the company know what steps to take if they suspect they have fallen victim to an attack.
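The "hover over the link" and HTTPS checks above, and the URL spoofing item in the attack-type list, automated as an added example that is not from the chapter or from CISA: it parses the anchors of an HTML e-mail, flags any whose visible text names a different host than the real target, and flags targets that are not HTTPS. The e-mail body and its domains are constructed placeholders.

```python
"""Added example (not from the original chapter): automate the
"does the visible link match the real target?" check for an HTML e-mail.
The sample message and its domains are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one spoofed link, two legitimate ones.
SAMPLE_EMAIL = """
<p>Your account needs attention. Please sign in at
<a href="http://login.example-bank.evil.test/verify">
https://www.example-bank.test/login</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.example-bank.test/help">
our help centre</a>.</p>
<p>Or go to <a href="https://www.example-bank.test/">www.example-bank.test</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # normalize whitespace
            self.links.append((self._href, visible))
            self._href = None


def host_in_text(text: str):
    """If the visible link text looks like a URL or hostname, return its
    host; plain words such as 'our help centre' give None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and " " not in text:
        return host.lower()
    return None


def check_links(html: str) -> list:
    """Return one finding string per suspicious anchor in the message."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        shown = host_in_text(text)
        # The hover check: displayed host must equal the real destination.
        if shown and shown != target_host:
            findings.append(f"display host {shown} != target host {target_host}")
        # The HTTPS check from the list above.
        if target.scheme != "https":
            findings.append(f"non-HTTPS link to {target_host}")
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding)
```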

References

  1. Fennelly, L. J. (2016). Effective physical security. Butterworth-Heinemann.
  2. Fennelly, L. J. (2016). Effective physical security. Butterworth-Heinemann.
  3. Fennelly, L. J., & Perry, M. (2016). Physical security: 150 things you should know.
  4. Fennelly, L. J., & Perry, M. (2016). Physical security: 150 things you should know.
  5. Fennelly, L. J. (2016). Effective physical security. Butterworth-Heinemann.
  6. Fennelly, L. J. (2016). Effective physical security. Butterworth-Heinemann.
  7. Dan Daniels (June 13, 2019). "14 Network Security Tools and Techniques to Know". Gigamon.
  8. Cyber Edu (2021). "What is Network Security?". Forcepoint. Retrieved 2021-05-28.
  9. Dan Daniels (June 13, 2019). "14 Network Security Tools and Techniques to Know". Gigamon.
  10. "Application Security". VMware. Retrieved 2021-04-26.
  11. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  12. "What is application security?". VMware. https://www.vmware.com/topics/glossary/content/application-security.html
  13. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  14. "What is Application Security? | Challenges & Benefits". Nutanix. Retrieved 2023-04-24.
  15. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  16. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  17. "What Is Access Control? - Network Cybersecurity Systems". Fortinet. Retrieved 2023-04-24.
  18. "What Is Identity and Access Management? Guide to IAM". Security. Retrieved 2023-04-24.
  19. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  20. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  21. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  22. Edward Wang (2021). "Application Security". VMware. Retrieved 2021-05-28.
  23. S. Ravi (2004). Security in Embedded Systems: Design Challenges. ACM Transactions on Embedded Computing Systems. doi:10.1145/1015047.1015049.
  24. R. Sandhu (1994). Access control: Principle and practice. IEEE Communications Magazine. doi:10.1109/35.312842.
  25. J. Woudenberg (2021). The Hardware Hacking Handbook: Breaking Embedded Security With Hardware Attacks. No Starch Press.
  26. R. Anderson (2008). Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed.). Wiley Publishing.
  27. A. Sadeghi (2015). Security and privacy challenges in industrial internet of things. Proceedings of the 52nd Annual Design Automation Conference. doi:10.1145/2744769.2747942.
  28. A.S.K. Pathan (2006). Security in Wireless Sensor Networks: Issues and Challenges. International Conference on Advanced Communication Technology. doi:10.1109/icact.2006.206151.
  29. ENISA (December 2012). "Cloud Computing Benefits, risks and recommendations for information security". Heraklion. https://resilience.enisa.europa.eu/cloud-security-and-resilience/publications/cloud-computing-benefits-risks-and-recommendations-for-information-security
  30. Mell, P. & Grance, T. (September 2011). "The NIST Definition of Cloud Computing". NIST.
  31. Krutz, Ronald L. (2010). Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Indianapolis, IN: Wiley. p. 127. ISBN 978-0-470-58987-8.
  32. "What is Cloud Security? Cloud Security Defined | IBM". www.ibm.com. Retrieved 2023-04-25.
  33. Murphy, Brid; Rocchi, Marta (2021). "Ethics and Cloud Computing". In Lynn, Theo; Mooney, John G.; van der Werff, Lisa; Fox, Grace (eds.), Data Privacy and Trust in Cloud Computing: Building trust in the cloud through assurance and accountability. Cham: Springer International Publishing, pp. 105–128. doi:10.1007/978-3-030-54660-1_6. ISBN 978-3-030-54660-1. Retrieved 2023-04-25.
  34. Murphy, Brid; Rocchi, Marta (2021). "Ethics and Cloud Computing". In Lynn, Theo; Mooney, John G.; van der Werff, Lisa; Fox, Grace (eds.), Data Privacy and Trust in Cloud Computing: Building trust in the cloud through assurance and accountability. Cham: Springer International Publishing, pp. 105–128. doi:10.1007/978-3-030-54660-1_6. ISBN 978-3-030-54660-1. Retrieved 2023-04-25.
  35. Basta, Alfred (2011-07-12). Database Security. Cengage. ISBN 9781435453906.
  36. Touhid (2021-07-25). "Different Types of Database Security in DBMS". Cyber Threat & Security Portal. Retrieved 2023-04-25.
  37. Mousa, Abdulazeez; Karabatak, Murat; Mustafa, Twana (June 2020). "Database Security Threats and Challenges". 2020 8th International Symposium on Digital Forensics and Security (ISDFS): 1–5. doi:10.1109/ISDFS49300.2020.9116436.
  38. Alessandro Tanasi (2018). "MYSQL Server". Retrieved 2021-05-28.
  39. Basta, Alfred (2011-07-12). Database Security. Cengage. ISBN 9781435453906.
  40. "social engineering - Glossary | CSRC". csrc.nist.gov. Retrieved 2023-04-24.
  41. "What is Social Engineering | Attack Techniques & Prevention Methods | Imperva". Learning Center. Retrieved 2023-04-25.
  42. Rock, Tracy (2021-04-08). "What is the real danger of social engineering? And, how to stop it". Invenio IT. Retrieved 2023-04-25.
  43. Cialdini, Robert (1984). Influence: The Psychology of Persuasion. Harper Business. ISBN 9780321011473.
  44. https://www.proofpoint.com/us/threat-reference/phishing
  45. https://nordvpn.com/blog/url-spoofing/
  46. https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing/
  47. https://www.proofpoint.com/us/threat-reference/vishing
  48. https://www.cybertalk.org/2021/11/12/tailgating-social-engineering-attacks-what-is-tailgating-and-why-it-matters/
  49. https://mysecurityawareness.com/article.php?article=384&title=what-is-impersonation-in-social-engineering#.ZEWvl-xBw1I
  50. https://blogs.getcertifiedgetahead.com/social-engineering-principles/
  51. https://www.ibm.com/topics/pretexting
  52. https://www.redteamsecure.com/blog/usb-drop-attacks-the-danger-of-lost-and-found-thumb-drives
  53. http://dx.doi.org/10.6028/NIST.SP.800-150
  54. https://doi.org/10.1007/978-3-642-22424-9_4
  55. https://www.itperfection.com/network-security/social-engineering-attacks-cybersecurity-cyber-attacks-network-security-baiting-diversion-theft-scareware-spear-phishing-quidpro-water-holing/
  56. https://www.itperfection.com/network-security/social-engineering-attacks-cybersecurity-cyber-attacks-network-security-baiting-diversion-theft-scareware-spear-phishing-quidpro-water-holing/
  57. https://powerdmarc.com/what-is-piggybacking/
  58. https://www.redteamsecure.com/blog/5-effective-social-engineering-elicitation-techniques
  59. https://www.fortinet.com/resources/cyberglossary/scareware#:~:text=Scareware%20Meaning,spread%20through%20spam%20email%20attacks.
  60. https://www.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
  61. https://www.techtarget.com/searchsecurity/definition/dumpster-diving
  62. "Typical Goals". Security Through Education. Retrieved 2023-04-24.
  63. Aures, Nick (2022-10-26). "Goals of Social Engineering". Sedara Security. Retrieved 2023-04-24.
  64. "Social engineering: the ultimate con". mysecurityawareness.com. Retrieved 2023-04-24.
  65. Cimpanu, Catalin (January 25, 2016). "Belgian Bank Loses €70 Million to Classic CEO Fraud Social Engineering Trick".
  66. Cimpanu, Catalin (July 2, 2017). "Classic Ether Wallet Hacked, Users Report Massive Losses".
  67. Stupp, Catherine (August 30, 2019). "Fraudsters Used AI to Mimic CEO's Voice in Unusual Cybercrime Case".
  68. Goodin, Dan (July 30, 2020). "Twitter hackers used "phone spear phishing" in mass account takeover".
  69. Goodin, Dan (March 17, 2021). "I was a teenage Twitter hacker. Graham Ivan Clark gets 3-year sentence".
  70. "Robinhood Announces Data Security Incident (Update)". Robinhood Blog. November 16, 2021.
  71. Conger, Kate (September 15, 2022). "Uber Investigating Breach of Its Computer Systems".
  72. "Avoiding Social Engineering and Phishing Attacks | CISA". www.cisa.gov. Retrieved 2023-04-24.