5.2 Security Technologies and Solutions

Firewalls

Firewalls serve an important role in network security, functioning as the gatekeepers that police the flow of data coming in and out of a network. Acting as the first line of defense, they are necessary in preventing potential cyber threats from external sources. The versatility of modern firewalls allows for a comprehensive approach to managing data flow. Advanced versions meticulously examine the content within a data packet, which is a small unit of data transmitted over a network, and differentiate various forms of web traffic such as file transfers, browser activity, and applications accessing the internet, thus facilitating the implementation of nuanced security policies.

For instance, firewalls can authorize access to applications that have undergone rigorous vetting processes and are deemed safe while promptly blocking others that pose a potential security risk. These applications vary, ranging from video games seeking updates to activity in the background while browsing the internet.

Protocols

A protocol is a fundamental rule or procedure that governs communication between devices in a network. Protocols ensure that data are transmitted accurately, reliably, and securely by defining how data are packaged, transmitted, and received. Protocols operate at various layers of the network stack, addressing different aspects of communication. By standardizing communication processes, protocols enable interoperability between different systems and devices, making seamless and efficient digital communication possible. Think of them as rules that computers must obey, like how drivers must obey traffic laws. Common protocols include HTTP, HTTPS, VPN, and S/MIME.

Hypertext Transfer Protocol (HTTP) and its secure alternative HTTP secure (HTTPS) form the foundation of web communications (Table 5.2). Hypertext Transfer Protocol (HTTP) is proficient at transmitting hypertext over the internet, and Hypertext Transfer Protocol Secure (HTTPS) adds a secure, encrypted layer to HTTP via SSL/TLS protocols. To understand how HTTP works, imagine that you make a request for a web page through a browser. This happens when you click on a link or enter an address in the search bar of your browser, initiating an HTTP request. This request is sent to a web server, which then responds by supplying the requested information in the form of hypertext. This hypertext is what your browser interprets and displays as a web page. The process is remarkably fast, enabling standardized and consistent viewing of websites across different browsers. Encrypting a connection ensures that the data in transit is secure. For ISRM professionals, understanding the importance of HTTPS over HTTP is essential, especially when dealing with sensitive information.

Virtual private networks (VPNs) serve as a proxy for internet communication by establishing a private encrypted connection or tunnel that makes it difficult for attackers to breach. Various protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and OpenVPN are used for different security and speed requirements. PPTP is fast but less secure, whereas OpenVPN offers a balance of speed and security. L2TP usually operates with IPsec for added security.

A Secure/Multipurpose Internet Mail Extension (S/MIME) is a standard for public key encryption and signing of MIME data. It is frequently used for securing email messages. S/MIME allows for cryptographic security services such as authentication and message integrity checks, ensuring that both the sender and the information remain uncompromised.

Intrusion Detection and Prevention Systems

In network security, an intrusion detection and prevention system (IDPS) monitors networks for malicious activity or policy violations. This is vital for keeping information secure. Think of protocols as a set of rules that allow machines to communicate smoothly. IDPSs, on the other hand, are specialized hardware and software tools that monitor network traffic to detect and prevent security breaches. These systems come in various forms and can be deployed in different ways to best protect against potential threats. By actively monitoring communications, IDPSs help prevent security incidents before they can cause harm. Signature-based IDPSs are designed to detect known threats by searching for specific patterns, such as malware signatures. Anomaly-based systems, on the other hand, focus on identifying abnormal patterns in data flow or behavior that might signify a security threat. Both have their own advantages and limitations; signature-based systems are highly effective against known threats but can miss new, previously unseen threats, while anomaly-based systems can detect novel threats but are prone to false positives.

Network-based IDPSs are used to monitor and analyze network traffic to protect an entire network from threats, whereas host-based systems are installed on individual devices and protect against unauthorized data manipulation or software vulnerabilities specific to those devices. These systems often rely on signature-based detection methods along with anomaly-based methods that look for unusual patterns in network traffic that could be harmful.

Monitoring Tools

The foundation of an effective information security strategy begins with simple and effective monitoring tools, such as log files, alarms, and keyloggers. Although these measures might appear basic, their importance cannot be overstated, especially when it comes to instilling a sense of digital trust.

A log file is a file generated by security applications that contains event information that aids in determining the status and health of a network. These are invaluable for diagnostics, troubleshooting, and security audits. An alarm is a protection device often installed on equipment to notify staff in the event of tampering or breach. It serves as a real-time alert system that notifies administrators of potential security threats. These are usually triggered by predefined conditions set within the IDPS or other security software. A keylogger is a tool or technology often used maliciously to capture keystrokes on a computer to obtain sensitive information such as passwords. Although they are often associated with malicious activities, legitimate versions exist for monitoring and auditing purposes. However, these tools must be managed carefully to ensure they do not compromise the very security they are meant to uphold.

In addition, the following tools are also used for monitoring network security:

• A packet sniffer, also known as a network analyzer or protocol analyzer, is a tool that captures and analyzes network traffic. It intercepts data packets flowing across a network, allowing for examination of the data within these packets, including their source, destination, and content. Packet sniffers can capture data packets in “promiscuous mode,” meaning they can see all traffic on the network, not just traffic intended for the sniffing device. For example, Wireshark is a popular open-source packet analyzer that allows capture and analysis of network traffic.
• A protocol analyzer is a tool that examines network communication protocols to understand how data are exchanged between devices and applications on a network. Protocol analyzers capture and analyze data packets, decode them based on the protocol used, and provide insights into the communication process. They can identify errors, performance bottlenecks, and security vulnerabilities related to specific protocols. Protocol analyzers and packet sniffers are often used interchangeably, as they both involve capturing and analyzing network traffic. However, protocol analyzers focus more on understanding the communication protocols and analyzing the data within the context of those protocols.
• A security information and event management (SIEM) system is a security solution that collects, analyzes, and correlates security data from different sources to detect and respond to security threats in real time. SIEM systems gather logs, events, and alerts from various security tools and network devices, and then use advanced analytics to identify suspicious activity, potential vulnerabilities, and security incidents. SIEM helps organizations improve threat detection, incident response, security compliance, and overall security posture.

Best Practices for Network Threat Mitigation

In the complex domain of information security, best practices serve as guiding principles that are universally applicable across various sectors and organizational structures. They are the reliable methods that provide consistent security outcomes and contribute to the establishment of digital trust. Best practices in the information security field include the following:

• multi factor authentication (MFA), which adds an additional layer, or layers, of security, ensuring that even if one factor is compromised, unauthorized access is still restricted
• regular updates and patch management, the routine process of updating software to address security vulnerabilities, are ongoing, proactive measures that attempt to close the gap through which cyberattackers can infiltrate systems
• zero trust, or “never trust, always verify,” a cybersecurity model where access to resources is granted based on strict verification and continuous authentication, rather than assuming trust based on network location or device ownership
• defense in depth, a cybersecurity strategy that employs multiple layers of security controls to protect against attacks, so that if one layer fails, others will still be in place to prevent a breach
• vendor diversity, the practice of using multiple vendors for different security products and services instead of relying on a single vendor to mitigate risks associated with vendor lock-in, reduce security vulnerabilities, and improve overall security posture
• security training and awareness programs, which educate employees about the importance of information security, the role they play in safeguarding organizational assets, and how to recognize phishing attempts, maintain password integrity, and ensure secure data transmission

The human element is often regarded as the weakest link in the security chain. By adopting these best practices, information security and risk management professionals not only enhance an organization’s resilience against internal and external cyber threats, they also contribute positively to building digital trust, thereby enabling business to grow and thrive in an increasingly interconnected world.

Types of Threats

As the internet has gathered more users over the last few decades, cyberattacks have significantly increased. These attacks vary greatly, consisting of password attacks, phishing attempts, Trojan viruses, malware, and ransomware that holds users’ sensitive files hostage for ransom payment. Understanding these attacks and how to prevent them is key to information security.

As the most fundamental of access controls, passwords are a frequent target of malicious actors. Two primary types of password attacks exploit weaknesses in password security: brute-force attacks and dictionary attacks. In a brute-force attack, an attacker systematically checks all password or encryption key possibilities until the correct one is found. In contrast, a dictionary attack uses a precompiled list of likely passwords. Imagine trying to crack a padlock with four digits, each ranging from 0 to 9. If you don’t have any hints, you’d have to try every possible combination, which adds up to 10,000 different permutations (10⁴), which is a lot of guessing.

Now, consider a dictionary attack. Instead of trying every single combination, a dictionary attack gives you a list of likely combinations based on common patterns or known sequences. This way, you might find the correct code faster. To guard against both types of attacks, organizations implement stringent password policies that encourage complex combinations, and they use MFA.

Phishing attacks aim to trick individuals into revealing sensitive information. The attacker often masquerades as a trustworthy entity, employing emails or messages (Figure 5.6) that prompt users to enter passwords or other confidential data. Implementing robust email filtering technology and educating users about the elements of phishing schemes are critical components of a well-rounded defense strategy.

Figure 5.6 Many phishing attempts will appear to originate from a trusted source. However, on careful inspection, one can notice several discrepancies that discredit the attempt. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

By weaving these basic security measures into an integrated strategy, ISRM professionals can better arm organizations against a range of threats. Simple security measures serve both as a first line of defense and as foundational elements that support more complex security protocols. This layered approach to security helps maintain digital trust, fostering an environment where businesses can operate with greater confidence in the digital realm.

Among the most frequently encountered security threats are malware variants such as viruses, worms, and Trojans (Figure 5.7). A virus attaches itself to clean files and propagates to other files and programs. A worm is a stand-alone software program that spreads without requiring a host program. A Trojan is a program that conceals itself as a safe program but often carries many other different types of malicious payloads.

Figure 5.7 While not an exhaustive list of malware, these are the most common types. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

Malware such as Trojan horses and ransomware represent more sophisticated external threats. Trojans trick users into willingly downloading malicious software that is often disguised as a legitimate program. The software provides attackers unauthorized access to systems. Advanced endpoint security solutions coupled with regular updates and patches can offer significant protection against these types of malware.

In recent years, more insidious forms of malware such as fileless malware have emerged. Unlike traditional malware, which relies on files stored on the hard disk, fileless malware exploits in-memory processes to conduct its nefarious activities. By leveraging legitimate system tools such as PowerShell or Windows Management Instrumentation, fileless malware conducts operations entirely within the device's random access memory (RAM), leaving little to no footprint on the hard disk. This makes it significantly more challenging for traditional antivirus solutions to detect and eliminate. For a better understanding of how fileless malware works, look at how Figure 5.8 follows a user’s click in a spam email.

Figure 5.8 This example demonstrates how fileless malware operates. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

In contrast to software-based threats, which target vulnerabilities in computer systems, social engineering attacks such as phishing and pretexting leverage human vulnerabilities. A social engineering attack includes deceptive tactics used to manipulate individuals into divulging confidential information, exemplified by phishing and pretexting. Phishing usually involves sending deceptive emails to trick employees into revealing sensitive information. On the other hand, pretexting involves creating a fabricated scenario to obtain private data. Despite the sophistication of technical countermeasures, the human factor remains a vulnerability, making these types of attacks especially harmful to the establishment of digital trust.

An insider threat is a risk posed by individuals within an organization who have access to sensitive information and systems; they warrant special attention because employees or contractors with insider information can perpetrate or facilitate attacks that may bypass conventional security measures. This “inside advantage” makes the threat more complex, as mitigating such threats requires a blend of technical controls and organizational policies.¹⁰ Some of these policies include actions such as mandatory vacations to prevent fraud, role-based access controls that limit employee access to sensitive information, security awareness training, and regular audits.

A distributed denial-of-service (DDoS) is an attack that uses multiple computers or servers to overwhelm a network, resulting in loss of usability. These pose a unique threat: unlike other attacks that seek to gain unauthorized access or retrieve sensitive information, DDoS attacks aim to incapacitate the target’s operations. The immediate impact is not just operational disruption, but also a severe degradation of digital trust among stakeholders.

Vulnerabilities

One of the most well-known software vulnerabilities is the buffer overflow, a condition where an application writes more data to a buffer than it can hold. This results in data corruption and could allow an attacker to execute arbitrary code. Another common vulnerability is Structured Query Language (SQL) injection, which occurs when attackers insert or manipulate SQL queries in an input field, allowing them to gain unauthorized access to a database. This kind of attack can lead to data leaks, loss of data integrity, and other security issues.

Attacks on firmware (hardware) are increasingly prevalent. These are more difficult to detect as they target the device at the BIOS or firmware level. This also makes it harder to remove the malware once in the system. Physical tampering, while straightforward, is another hardware vulnerability. Unauthorized physical access to hardware can result in the installation of keyloggers or data extraction.

Although cyber threats often originate from the application of sophisticated hacking techniques, it is not uncommon that the root cause of a breach can be traced back to a simple configuration error. The T-Mobile data breach of 2023, where a third of its customer base had private information exposed, shows what can occur when application programming interface (API) configurations are not sufficiently secured.¹¹ An API is a set of protocols, tools, and definitions that enable different software applications to communicate and interact with each other, allowing for the exchange of data and functionality. In this breach, insecure APIs allowed threat actors to access sensitive customer data, impacting not just the affected individuals, but also T-Mobile’s reputation. As more companies transition their services to the cloud, the risk posed by insecure API configurations is escalating.

Countermeasures for Threats

Countermeasures to mitigate cybersecurity threats involve a diverse set of tools and approaches. They often need to be tailored to the specific types of threats and vulnerabilities that an organization faces, but some universally applicable solutions have proven effective across multiple sectors.

• Antivirus and anti-malware software: The most basic but critical line of defense is antivirus and anti-malware software. These programs provide real-time protection against known threats and offer heuristic analysis to detect previously unknown forms of malware.
• Employee training and awareness: Human error remains one of the most significant vulnerabilities in any organization. Phishing simulations and awareness training can drastically reduce the likelihood of an employee inadvertently compromising security. A 2024 study has shown that a combination of phishing awareness programs and phishing testing programs can significantly reduce the click-through rate on phishing emails.¹²
• Intrusion detection systems: An intrusion detection and prevention system is vital to monitoring network behavior for unusual or suspicious activity.
• Access control policies: One method of access control, role-based access control (RBAC), bases data access on a person’s role in the organization, giving each employee the minimum level of access they need to perform their job functions. This requires an organization to maintain a complete list of data elements combined with a list of viewable roles and attributes. For example, a health-care organization can successfully thwart an internal threat by limiting access to patient records to only those employees who require it for their job duties. Given the complexity and ever-evolving nature of cyber threats, these countermeasures serve as foundational elements in the continuous effort to uphold digital trust.
• Regular software patching: One of the most effective ways to mitigate vulnerabilities is through timely software patching. In 2017, the WannaCry ransomware attack exploited a vulnerability in older Windows systems. Microsoft had issued a patch months before, but because many organizations had not updated their systems, this led to widespread damage.¹³
• Physical security measures: Physical intrusion can bypass the most sophisticated digital security measures. One type of social engineering known as tailgating is a good example of this. Tailgating is the act of following someone very closely as they enter a secured building. This enables the attacker to enter the facility without having to use credentials such as an ID badge. Once inside, the attacker has access to critical infrastructure and can cause a data breach or other damage. Strict controls such as mantraps, which prevent more than one person from entering a facility simultaneously, help to mitigate this threat.

Ethical Hacking

The process of attempting to break into an organization’s computer systems, network, or applications with permission to identify vulnerabilities is called ethical hacking. It has gained considerable attention as a much-needed practice within the cybersecurity field. While the goals of ethical hackers align with those of cybersecurity experts in identifying vulnerabilities, the methods employed can resemble those of malicious hackers. This raises questions regarding the ethical and legal boundaries that distinguish ethical hacking from unauthorized, illegal activities.

The concept of consent is fundamental in ethical hacking. Unlike malicious actors, ethical hackers operate with explicit permission from the organization that owns the system. This consent is often given under a legal contract that outlines the extent of the testing, the systems that can be assessed, and the methods that can be used. Consent provides the ethical and legal basis for the hacking activities, turning what could otherwise be considered an illegal breach into an accepted practice.

One example that illustrates the gray area in ethical hacking is a 2019 case involving a cybersecurity firm. Two of its ethical hackers were arrested in Iowa while conducting a physical security assessment of a courthouse. Despite their having a contract that permitted them to perform physical intrusion testing, the authorities arrested them, and the hackers faced criminal charges. This was particularly surprising because the cybersecurity company had been hired by Iowa’s judicial branch to conduct the assessment.¹⁴

This incident highlighted the potential ambiguity and legal risks involved in ethical hacking, even when it’s conducted under a contract. It sparked an extensive debate in the cybersecurity community about the legal safeguards needed for ethical hackers. The charges against the two ethical hackers were eventually dropped, but not without the individuals and the firm suffering reputational damage. The case became a watershed moment for ethical hacking, urging the community, lawmakers, and organizations to be more explicit in contracts and to establish clearer legal guidelines.

This case serves as reminder that ethical hacking is a field still very much in the process of defining its legal and ethical contours. There is a clear need for explicit and transparent guidelines for ethical hackers and legislators, and they need to maintain an ongoing dialogue to build a more robust legal framework.

Risk Management Approaches

Risk assessments are important for identifying vulnerabilities and determining how they impact organizational objectives. These assessments can be either quantitative or qualitative in nature (Table 5.3).

Before organizations can assess risks, they should try to determine two factors: their appetite for it and their level of tolerance. A risk appetite refers to the level of risk an organization is willing to accept in pursuit of its ambitions or goals and is more qualitative in nature. It is a strategic outlook set by top management and influences how resources for security measures are allocated. Unlike risk appetite, risk tolerance is the number of unfavorable outcomes an organization is willing to accept while pursuing goals and other objectives. It is more operational and quantitative than risk appetite, using statistical probability to identify potential risk outcomes. It defines the boundaries of risk variations that are acceptable during the execution of specific projects or processes. In a cybersecurity setting, addressing risk tolerance could include prioritization strategies on how resources are allocated on a network, the network credentials of employees, and budget allocation for IT management. One example of this is a company that allows their ethical hackers to monitor malicious and dangerous sites to identify potential threats. While this is a proactive approach to identifying new threats, monitoring outside threats does not come with the same explicit permission an ethical hacker would have to penetrate the organization’s systems. The hacker would need to be especially careful not to violate the site’s terms of service or acceptable use policies.

Frameworks for Risk Management

In the world of information security, frameworks play a very important role in managing and controlling risks. A framework is a structured set of guidelines and best practices that help an organization to implement, manage, and maintain security protocols. There are many frameworks to guide risk management practices. One recognized model is NIST’s Cybersecurity Framework. The NIST framework is widely adopted due to its user-friendly nature and applicability across many sectors. Moreover, it aligns well with other standards and is scalable to the size of the industry. The NIST framework is divided into five core functions (Figure 5.9).

Figure 5.9 The five steps of the NIST process for risk management are to identify, protect, detect, respond, and recover. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

The NIST framework provides a flexible and cost-effective approach to improving cybersecurity across industries. It is designed to be adaptable to organizations of all sizes and is widely used to strengthen cyber defenses.

Building a Culture of Security

As you’ve learned, human error or negligence often poses a significant information security risk. Implementing technical solutions is only part of the equation; the other part lies in fostering a strong security culture within an organization. Training programs and regular awareness sessions can provide employees with the necessary skills and knowledge they need to serve as the organization’s first line of defense. Training can help them recognize phishing attempts, use strong passwords, and follow security best practices. Educating staff on proper behavior is key to reducing the risk of human error and preventing security breaches.

Legal Protections Afforded to Employees and Users

There are legal guidelines in place that affect every stakeholder in an organization to protect them from harm. Understanding these protections is essential for organizations to protect their users, human capital, and assets. Increasingly, employees who report cybersecurity lapses are protected by whistleblower laws. This protection introduces an additional layer of legal complexity for organizations. Disciplinary actions against employees who report cybersecurity issues can lead to legal repercussions, such as lawsuits and regulatory action. One way to avoid such situations is to emphasize the need for a robust internal reporting and response mechanism.

User Agreements and Legal Recourse

End-user license agreements (EULAs) and terms of service (ToS) often contain clauses related to data security and privacy. However, these agreements are coming under increasing scrutiny for being “contracts of adhesion,” giving consumers little negotiating power. In the context of cybersecurity, these agreements frequently encompass clauses specifically related to data security and privacy, outlining the responsibilities of service providers in protecting user data and detailing the measures taken to prevent data breaches and cyberattacks.

As cybersecurity incidents become more prevalent, courts are beginning to scrutinize these agreements more closely, particularly assessing whether they provide adequate protection to users against cybersecurity threats. This shift in legal perspective is significant as it could lead to more stringent requirements for cybersecurity measures in user agreements, offering enhanced legal recourse to consumers in cases of lax cybersecurity practices. The evolving legal landscape around EULAs and ToS underscores the need for robust cybersecurity measures and fair user agreements to maintain digital trust and legal compliance.

Regional Laws, Intellectual Property Rights, and Consequences

Regional laws and their implications can serve as critical indicators of how various jurisdictions respond to the challenges posed by cybersecurity and data protection. In the United States, for instance, the California Consumer Privacy Act (CCPA) serves as a legislative example that is often considered to be the most stringent data protection law in the country. Not only does it allow Californians to understand what personal data are being collected about them, it also gives them the ability to deny the sale of their data.¹⁵

One of the most challenging aspects of cybersecurity law is the notion of jurisdiction in cyberspace. An organization based in one country may store data or have data centers in another. This poses questions about which laws apply and how they can be enforced. For instance, a European company with U.S.-based clients will need to consider both GDPR and any relevant U.S. laws.

Navigating jurisdictional conflicts can be quite complex for organizations. To handle these challenges effectively, it is essential to have a solid grasp of international law as it applies to cyberspace. This knowledge is becoming increasingly important as businesses expand globally, each country bringing its own set of regulations and requirements. Staying current with these diverse legal landscapes is not just good practice, it is necessary for maintaining compliance and ethical standards in today’s digital world. GPDR and laws like it have had a major impact on how companies respond to takedown requests for data and how they protect data in storage and transit. Failure to comply with these regulations has resulted in substantial fines.

Intellectual property rights, particularly copyright laws, are a crucial element in the digital domain. These laws grant the creators of original works exclusive rights to their intellectual property, allowing them to control the distribution, modification, and public performance of their creations. In cybersecurity, this can include software code, databases, and even certain types of algorithms, beyond the more traditional forms of media such as text, images, and music.

Copyright infringement in the digital age has developed into an important topic due to the ease of data replication and dissemination. Whether it is pirated software, illegal downloading of copyrighted music or movies, or unauthorized distribution of proprietary information, infringement can have a significant financial impact for an organization that relies heavily on copyrighted material for their business operations. They can lose substantial revenue, which could, in turn, affect their ability to innovate and compete. The legal consequences for infringement can range from fines to imprisonment.

Moreover, copyright infringement can result in a cascade of legal disputes that may involve multiple jurisdictions, especially if the data are stored or transmitted across borders. This complexity can strain resources as companies are forced to engage in lengthy and costly legal battles. For cybersecurity professionals, understanding the subtleties of copyright laws and their enforcement mechanisms is essential not just for risk mitigation, but also for ensuring ethical conduct in an organization’s digital operations. This underscores the need for a robust copyright protection strategy as a part of an organization’s overall cybersecurity posture.

In addition to copyright infringement, organizations face substantial legal consequences for failing to protect intellectual property (IP). Laws protecting intellectual property, such as patents, copyrights, and trade secrets, can be leveraged to file lawsuits against organizations that fail to protect these assets adequately. The legal ramifications can include both civil and criminal penalties, such as fines and, in extreme cases, imprisonment for key decision-makers within the organization.

Gaining unlawful access to computer systems can lead to criminal charges, often categorized under statutes like the Computer Fraud and Abuse Act (CFAA) in the United States. Such charges can result in imprisonment and hefty fines for individuals. The key element in such cases is the concept of “unauthorized access,” which covers activities ranging from hacking into networks to merely exceeding the limits of authorized access.