Step 1: Define the OS
The audience for your security assessment report (SAR) is the leadership of your company, which is made up of technical and nontechnical staff. Some of your audience will be unfamiliar with operating systems. Therefore, you will begin your report with a brief explanation of OS fundamentals and the types of information systems.
Click to read the following resources that provide information you need to know before writing a thorough and accurate OS explanation:
· operating systems fundamentals
· information system architecture
· cloud computing
· web architecture
After reviewing those resources, begin drafting the OS overview to do the following:
1. Explain the user’s role in an OS.
2. Explain the differences between kernel applications of the OS and the applications installed by an organization or user.
3. Describe the embedded OS.
4. Describe how the systems fit in the overall information system architecture, of which cloud computing is an emerging, distributed computing network architecture.
Include a brief definition of operating systems and information systems in your SAR.
Step 2: Review OS Vulnerabilities
You just summarized operating systems and information systems for leadership. In your mind, you can already hear leadership saying, “So what?” The company’s leaders are not well versed in operating systems or in the threats and vulnerabilities in them, so you decide to include in your SAR an explanation of advantages and disadvantages of the different operating systems and their known vulnerabilities.
Prepare by first reviewing the different types of vulnerabilities and intrusions explained in these resources:
· Windows vulnerabilities
· Linux vulnerabilities
· Mac OS vulnerabilities
· SQL PL/SQL, XML and other injections
Based on what you gathered from the resources, compose the OS vulnerability section of the SAR. Be sure to:
· explain Windows vulnerabilities and Linux vulnerabilities;
· explain the Mac OS vulnerabilities, and vulnerabilities of mobile devices;
· explain the motives and methods for intrusion of the Microsoft Windows and Linux operating systems;
· explain the types of security awareness technologies, such as intrusion detection and intrusion prevention systems;
· describe how and why different corporate and government systems are targets; and
· describe different types of intrusions such as SQL PL/SQL, XML, and other injections.
You will provide the company’s leadership with a brief overview of these vulnerabilities in your SAR.
Step 3: Prepare for the Vulnerability Scan
You have just finished defining the vulnerabilities an OS can have. Soon, you will perform vulnerability scanning and vulnerability assessments on the security posture of your company’s operating systems. But first, consider your plan of action. Read these two resources to be sure you fully grasp the purpose, goals, objectives, and execution of vulnerability assessments and security updates:
· Vulnerability Assessments
· Patches
Then provide the leadership with the following:
· A description of the methodology you propose to assess the vulnerabilities of the operating systems, including an explanation of how this methodology will determine the existence of those vulnerabilities in your company’s OS
· A description of the applicable tools to be used and any limitations of the tools and analyses, including an explanation of how your proposed applicable tools will determine the existence of those vulnerabilities in your company’s OS
· The projected findings from using these vulnerability assessment tools
In your report, discuss the strength of passwords, any Internet Information Services’ administrative vulnerabilities, SQL server administrative vulnerabilities, and other security updates and management of patches, as they relate to OS vulnerabilities.
Step 4: Review Vulnerability Assessment Tools for OS and Applications
Vulnerability assessment is scanning a network for known security weaknesses. Vulnerability scanners are software tools designed to provide an automated method for conducting vulnerability scans across an entire network that may run into hundreds or even thousands of machines. According to EC-Council (2018), vulnerability scanners can help identify the following types of weaknesses:
· the OS version running on computers or devices
· IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
· applications installed on computers
· accounts with weak passwords
· files and folders with weak permissions
· default services and applications that might have to be uninstalled
· mistakes in the security configuration of common applications
· computers exposed to known or publicly reported vulnerabilities
Additionally, vulnerability scanners can be used to help predict the effectiveness of countermeasures (security controls) and to test the effectiveness of those controls in the production network. Further, vulnerability scanners also have limitations, primarily in that they are only as effective as the supporting databases and/or plug-ins at a point in time. Large, automated vulnerability scanning suites also require maintenance, tuning, and frequent updates to be able to detect new vulnerabilities. Finally, scanning engines are prone to both false positives and negatives. That is where you as the cybersecurity professional will apply your deep knowledge of the environment, network, and applications in use.
Two common vulnerability scanners used in industry are the free open-source scanner OpenVAS and the commercial tool Nessus. In this lab, you will use OpenVAS. Select the following links to learn more about OpenVAS and computer networks:
· OpenVAS
· Computer Networks
Your leadership will want to understand the capabilities of the OpenVAS scanner, so you will need to include that information in your Security Assessment Report (SAR).
Use the tool’s built-in checks to complete the lab. For details on accessing the lab, see the “Complete This Lab” box below.
Use OpenVAS to complete the following:
For the Windows OS:
1. Determine if Windows administrative vulnerabilities are present.
2. Determine if weak passwords are being used on Windows accounts.
3. Report which security updates are required on each individual system.
4. The tool provides a dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other groupings.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment. In this case, the OpenVAS tool will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML.
For the Linux OS:
1. Determine if Linux vulnerabilities are present.
2. Determine if weak passwords are being used on Linux systems.
3. Determine which security updates are required for the Linux systems.
4. The tool provides a dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other groupings.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment.
Knowledge acquired from this Workspace exercise will help your company’s client organizations secure the computer networks’ resources and protect corporate data from being stolen.
Validate and record the benefits of using these types of tools. You will include this in the SAR.
References
EC-Council (2018). Certified Ethical Hacker (CEH) Version 10 eBook (Volumes 1 through 4). [VitalSource Bookshelf]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781635671919
Step 5: Create the Security Assessment Report
By using the OpenVAS security vulnerability assessment tool from the previous step, you now have a better understanding of your system’s security status. Use the results you obtained to create the Security Assessment Report (SAR) as part of your deliverables.
In your report to the leadership, make sure to emphasize the benefits of using the security tool, and provide recommendations based on your findings.
Remember to include analyses and conclusions in the SAR deliverable as follows:
1. After you provide a description of the methodology you used to make your security assessment, provide the actual data from the tools, the status of security and patch updates, security recommendations, and specific remediation guidance for your senior leadership.
2. Include any risk assessments associated with the security recommendations, and propose ways to address the risk either by accepting it, transferring it, mitigating it, or eliminating it.
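To turn the per-host XML reports OpenVAS stores in Step 4 into the tool data, patch status and risk responses Step 5 asks for, here is an added Python example; it is not part of the course materials or of OpenVAS itself, and the report layout it parses, the QoD cut-off and the treatment policy are assumptions.

```python
"""Turn an OpenVAS/GVM-style XML report into SAR-ready figures.

Constructed example: the XML below is made up for this illustration and
mimics the layout of a GVM result export (result, host, port, threat,
severity, qod, nvt/solution), trimmed to the fields used here. The element
names, the QoD cut-off, and the treatment policy are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SAMPLE_REPORT = """<report id="constructed-sample">
<results>
  <result id="r1">
    <host>10.0.0.5</host><port>445/tcp</port>
    <name>Windows SMB server: missing security update (constructed)</name>
    <threat>High</threat><severity>9.3</severity><qod><value>80</value></qod>
    <nvt><solution type="VendorFix">Install the vendor update.</solution></nvt>
  </result>
  <result id="r2">
    <host>10.0.0.5</host><port>3389/tcp</port>
    <name>RDP: weak encryption level (constructed)</name>
    <threat>Medium</threat><severity>5.3</severity><qod><value>70</value></qod>
    <nvt><solution type="Mitigation">Require TLS and network level authentication.</solution></nvt>
  </result>
  <result id="r3">
    <host>10.0.0.12</host><port>22/tcp</port>
    <name>SSH: login succeeded with a weak password (constructed)</name>
    <threat>High</threat><severity>7.5</severity><qod><value>99</value></qod>
    <nvt><solution type="Mitigation">Change the password and enforce the password policy.</solution></nvt>
  </result>
  <result id="r4">
    <host>10.0.0.12</host><port>80/tcp</port>
    <name>HTTP: outdated server version guessed from banner (constructed)</name>
    <threat>Low</threat><severity>2.6</severity><qod><value>30</value></qod>
    <nvt><solution type="VendorFix">Upgrade the web server.</solution></nvt>
  </result>
  <result id="r5">
    <host>10.0.0.12</host><port>general/tcp</port>
    <name>OS detection (constructed)</name>
    <threat>Log</threat><severity>0.0</severity><qod><value>80</value></qod>
    <nvt><solution type="WillNotFix"/></nvt>
  </result>
</results>
</report>"""


def parse_results(xml_text):
    """Flatten each <result> into a dict with the fields the SAR tables need."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        solution = r.find("nvt/solution")
        findings.append({
            "id": r.get("id"),
            "host": r.findtext("host", "").strip(),
            "port": r.findtext("port", "").strip(),
            "name": r.findtext("name", "").strip(),
            "threat": r.findtext("threat", "Log").strip(),
            "severity": float(r.findtext("severity", "0") or 0),
            "qod": int(r.findtext("qod/value", "0") or 0),
            "solution_type": solution.get("type", "") if solution is not None else "",
        })
    return findings


def recommend_treatment(finding):
    """Map a finding to one of the risk responses named in Step 5 (assumed policy)."""
    sev, fix = finding["severity"], finding["solution_type"]
    if sev >= 7.0 and fix == "VendorFix":
        return "eliminate: apply the vendor patch in the next maintenance window"
    if sev >= 7.0:
        return "mitigate: apply the compensating control now and track to closure"
    if sev >= 4.0:
        return "mitigate: schedule the configuration change"
    return "accept: record the residual risk and re-check on the next scan"


def summarize(findings, qod_min=70):
    """Group findings per host, list missing patches, and set aside low-confidence
    results (QoD below qod_min) as possible false positives for manual review."""
    hosts = defaultdict(Counter)
    summary = {"patch_required": [], "needs_review": [], "actions": []}
    for f in findings:
        if f["threat"] == "Log":
            continue  # informational output (e.g. OS detection), not a weakness
        if f["qod"] < qod_min:
            summary["needs_review"].append(f["id"])
            continue
        hosts[f["host"]][f["threat"]] += 1
        if f["solution_type"] == "VendorFix":
            summary["patch_required"].append((f["host"], f["name"]))
        summary["actions"].append((f["host"], f["port"], f["name"], recommend_treatment(f)))
    summary["hosts"] = {h: dict(c) for h, c in hosts.items()}
    return summary


if __name__ == "__main__":
    report = summarize(parse_results(SAMPLE_REPORT))
    for host, counts in report["hosts"].items():
        print(host, counts)
    for host, port, name, action in report["actions"]:
        print(f"{host} {port}: {name} -> {action}")
    print("possible false positives to verify by hand:", report["needs_review"])
```

The low-QoD result is kept out of the host counts on purpose: it goes to the reviewer, not to leadership, until it has been confirmed by hand.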
Include your SAR in your final deliverable to leadership.
Step 6: Develop the Presentation
Based on what you have learned in the previous steps and your SAR, you will also develop a presentation for your company’s leadership.
Your upper-level management team is not interested in the technical report you generated from your Workspace exercise. Team members are more interested in the bottom line. You must help these nontechnical leaders understand the very technical vulnerabilities you have discovered. They need to clearly see what actions they must either take or approve. The following are a few questions to consider when creating your nontechnical presentation:
· How do you present your technical findings succinctly to a nontechnical audience? Your Workspace exercise report will span many pages, but you will probably not have more than 30 minutes for your presentation and follow-up discussion.
· How do you describe the most serious risks factually but without sounding too dramatic? No one likes to hear that the entire network has been hacked, data has been stolen, and the attackers have won. You will need to describe the seriousness of your findings while also assuring upper-level management that these are not uncommon occurrences today.
· How do your Workspace exercise results affect business operations? Make sure you are presenting these very technical results in business terms that upper-level management will understand.
· Be clear about what action you are recommending. Upper-level managers will want to understand not only what you discovered, but also what you propose as a solution. They will want to know what decisions they need to make based on your findings.
Your goal for the presentation is to convince the leadership that the company needs to adopt at least one security vulnerability assessment tool to provide an extra layer of security.
The deliverables for this project are as follows:
1. Security Assessment Report (SAR): This report should be a seven- to eight-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
2. Nontechnical presentation: This is a set of eight to 10 PowerPoint slides for upper management that summarizes your thoughts regarding the findings in your SAR.
3. Lab: In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.
1/17/23, 8:11 AM
Vulnerability Assessments
https://leocontent.umgc.edu/content/scor/uncurated/cst/2215-cst610/learning-topic-list/vulnerability-assessments.html?ou=722269 1/2
Vulnerability Assessments
A vulnerability assessment is a process for finding and classifying security problems in a
system or network. These holes can then be patched, or associated risks can be mitigated.
Not all vulnerabilities in an assessment will be treated as equal. Some vulnerabilities,
usually those that are far less likely to happen, may be deprioritized. More common holes
are likely to receive priority. This is also true of holes with a high risk of losing sensitive or
important data, even if the vulnerability is less likely.
Read chapters 2 and 4 of NIST SP 800-115 Technical Guide to Information Security Testing and Assessment (https://doi.org/10.6028/NIST.SP.800-115)
Vulnerability (https://leocontent.umgc.edu/content/scor/uncurated/cst/2215-cst610/learning-resource-list/vulnerability.html?ou=722269)
Check Your Knowledge
Question 1
True or false: Vulnerability assessments are an optional part of basic security.
True
False
Question 2
True or false: A vulnerability assessment will create a list of known vulnerabilities in a system or network.
True
False
Question 3
True or false: All of the vulnerabilities in an assessment will be treated equally.
True
False
© 2023 University of Maryland Global Campus
1/17/23, 8:10 AM
Vulnerability
https://leocontent.umgc.edu/content/scor/uncurated/cst/2215-cst610/learning-resource-list/vulnerability.html?ou=722269 1/27
Vulnerability
A vulnerability is a weakness or group of weaknesses that can be exploited, causing a
security breach and/or damages to the organization.
Software vulnerabilities are communicated in various ways:
by the vendor in security bulletins (online publications)
through email alerts from the vendor to company points of contact
in hacker forums
by the United States Computer Emergency Readiness Team (US-CERT) and other government organizations
Information Systems: Vulnerability to Cyberattack
As technology continues to grow, information systems also change and evolve.
Information systems help organizations in different ways—from increasing productivity to
reaching out to customers. There are different information systems to address different
requirements. The different types of information systems are listed in the table below. Can
you distinguish the ones that are more likely to be attacked from the ones that are less
likely to be attacked?
Information System | Definition
E-commerce system | System for buying and selling products or providing services over the Internet
Knowledge management system | Collection of systems that support the creation, storage, and dissemination of information; the knowledge management system has a repository of well-structured information and a collection of tools that may be used to quickly find answers to posed questions
Enterprise resource planning (ERP) system | System that supports and integrates the various functions within the organization including planning, manufacturing, sales, marketing, and accounting
Intelligent system | System that exhibits intelligence in the sense that it is able to learn behaviors based on past experiences, to adapt to changing environments, and to be consistent in its responses
Transaction processing system | System for managing data transactions of an organization
Office automation system | System that helps optimize and automate office procedures
Customer-relationship management (CRM) system | System that manages the company’s client interactions, such as in sales, marketing, and customer service
Collaboration system | System that supports and coordinates collaborative activities such as e-mailing, texting, chatting, and bookmarking
Supply chain management (SCM) system | System that automatically updates inventory values for each item and sends reorder information to the suppliers
Functional-area information system | System for managing different functional areas within an organization
Data mining and visualization system | System that helps derive patterns from data
Management information system (MIS) | System that provides information needed to effectively manage an organization
Geographical information system (GIS) | System that captures, stores, analyzes, and presents data related to a location
Executive information system | System that provides external and internal information relevant to meeting the strategic goals of an organization
Decision support system (DSS) | System that constitutes a set of IS to support the decision-making process
The following systems are more likely to be attacked:
e-commerce system
ERP
transaction processing system
CRM
SCM
data mining and visualization system
GIS
DSS
The following systems are less likely to be attacked:
knowledge management system
intelligent system
office automation system
collaboration system
functional-area information system
MIS
executive information system
Remember, if a company’s network is attacked and penetrated (even via a website), then
all internal information systems may be accessible to the hacker or other type of attacker.
Modern Information Systems
The Challenges of Securing Modern Information Systems
Today’s hybrid networks comprise a combination of wired and wireless networks that
connect tens to thousands of computers running several different operating systems. Each
kind of computer, operating system, device, and network has its share of security
vulnerabilities, and securing the network poses several challenges for the IT security team.
You will learn more about these challenges and how to overcome them as you progress
through this program. However, here’s a brief overview of potential security issues.
Diverse Systems: As discussed, hybrid networks are flexible in terms of connectivity
and the types of devices they support. For example, many organizational networks
support a variety of computer systems, such as PCs, laptops, and mobile devices.
These systems run different types of operating systems, such as Windows, Linux,
UNIX, MacOS, and mobile operating systems. Some organizations have a virtual
private network (VPN), which enables employees to securely access their intranet
from outside the network.
Organizations are also working on improving the efficiency and availability of IT
resources and a variety of applications through the use of virtual machines. Multiple
virtual machines may run on one physical machine. A virtual Linux machine, for
example, may run on a Windows machine. VMware and Xen are some examples of
virtualization software that can be used to create virtual machines. All computer
systems and operating systems have inherent vulnerabilities that need to be
managed.
Email and Text Messaging: Email and text messaging are popular communication
tools for business and social purposes. You share documents, presentations, and
other types of files with your colleagues, vendors, customers, and friends. This
makes email an attractive tool for cybercriminals, who use it to infect computers
with viruses and Trojans and to run phishing scams.
Wireless Networks and Mobile Phones: Many organizational networks today
support wireless connectivity and remote log-ons. Hackers may piggyback on
available unsecured network connections in a densely populated area and send
spam, download files from the internet, and even hack into databases and steal
confidential data. Using mobile phones or smartphones to access information via
wireless technology might pose similar security challenges.
Social Networks: Organizations often use social networks for recruitment and
publicity campaigns. Consequently, many organizations allow employees to access
social networking sites. However, it might not be such a good idea from the
perspective of network security. There have been cases of Facebook and Twitter
accounts being hijacked and usernames and passwords being sold to “underground”
networks. Hackers then use the compromised accounts to run phishing scams.
Safeguarding the network from the vulnerabilities prevalent in social networks is a
new and growing challenge in the field of cybersecurity.
Vulnerabilities of TCP/IP
The TCP/IP suite protocols have inherent vulnerabilities. Hackers exploit these
vulnerabilities to attack networks. Some common types of attacks on TCP/IP include
sniffing, session hijacking, IP address spoofing, and denial of service (DoS).
Each type of attack is explained below.
Sniffing: In this type of attack, the attacker uses a packet sniffer such as Wireshark
or Kismet to intercept and analyze the data packets sent between the sender and
receiver. This action occurs without the knowledge of either the sender or the
receiver. Many network applications transmit data packets as clear text; therefore,
attackers may be able to collect sensitive information such as user account names
and passwords using this technique. Sniffing is a data-link layer attack because the
attacker operates at the data-link layer of the network.
Session Hijacking: Session hijacking is an active version of sniffing. In this type of
attack, the attacker intercepts network traffic and obtains the initial sequence
number (ISN) of the communication. The ISN is the sequence number of the first
packet of data being communicated and tells the attacker how many packets are
being transmitted. The attacker also obtains the IP address of the sender from the
packet. The attacker then impersonates the sender and communicates with the
receiver. The attacker may tamper with the data received from the sender before
passing it on to the receiver. For example, an attacker may collect a confidential
document, falsify it, and retransmit it to the receiver, who accepts it at face value.
Session hijacking is a transport layer attack.
IP Address Spoofing: In this type of attack, the attacker sniffs network traffic to
identify the pattern of legitimate IP addresses for that particular network. The
attacker then forges the IP address in the packet headers. If the network uses the IP
address to authenticate the user, the attacker is able to gain access to the network
through the packet with the forged IP address. The attacker can then send malicious
packets to the network. For example, an attacker may introduce a Trojan or
keylogging application to the network after gaining access to it. IP address spoofing
is a network layer attack.
Denial of Service: Using DoS, the attacker can make a critical service or resource
unavailable to legitimate users on the network. For example, an email server can be
rendered useless by the sending of hundreds of email messages with large
attachments. The email server will eventually crash under the load and become
unavailable to legitimate users. Similarly, an attacker can flood a server with TCP
requests and cause it to stop functioning normally. Attackers may also distribute the
attack—by deploying several hundreds or thousands of clients. In this situation, the
attack is referred to as a distributed DoS (DDoS) attack. DoS is a transport layer
attack.
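Two of the attacks above leave traces in plain packet headers that a defender can check for. The following Python example is added here and is not part of the course materials; it runs an ingress-filter check for spoofed internal source addresses and a sliding-window count of bare SYNs for flooding over constructed packet records, and the internal prefix, interface names and thresholds are assumptions.

```python
"""Defender-side checks for IP address spoofing and TCP SYN flooding.

Constructed example: the packet records below are made up for this
illustration and mimic a minimal header log. The internal prefix, the
interface names, and the thresholds are assumptions for the demo.
"""
from collections import defaultdict
import ipaddress

INTERNAL_PREFIX = ipaddress.ip_network("10.0.0.0/8")  # assumed site address space
EXTERNAL_IFACE = "wan"                                # assumed internet-facing interface

# (timestamp_ms, interface, src_ip, dst_ip, dst_port, tcp_flags); "S" = SYN only, "A" = ACK
PACKETS = [
    (0, "wan", "203.0.113.9", "10.0.0.5", 443, "S"),
    (5, "wan", "203.0.113.9", "10.0.0.5", 443, "A"),   # handshake completes: benign
    (40, "wan", "10.0.0.77", "10.0.0.5", 445, "S"),     # internal source arriving from outside
    (60, "lan", "10.0.0.12", "10.0.0.5", 445, "S"),     # internal-to-internal: fine
]
# 120 bare SYNs from one source, 10 ms apart: a flood of half-open connections
PACKETS += [(1000 + i * 10, "wan", "198.51.100.23", "10.0.0.5", 80, "S") for i in range(120)]


def spoofed_internal_sources(packets, internal=INTERNAL_PREFIX, external_iface=EXTERNAL_IFACE):
    """Ingress-filter check: a packet that enters on the external interface but
    claims an internal source address cannot be legitimate. This is the reason an
    IP address on its own must never be treated as authentication."""
    hits = []
    for ts, iface, src, dst, dport, _flags in packets:
        if iface == external_iface and ipaddress.ip_address(src) in internal:
            hits.append((ts, src, dst, dport))
    return hits


def syn_flood_sources(packets, window_ms=1000, threshold=50):
    """Report sources whose bare-SYN count inside any sliding window reaches
    the threshold: the flood of TCP requests the text describes."""
    syn_times = defaultdict(list)
    for ts, _iface, src, _dst, _dport, flags in packets:
        if flags == "S":
            syn_times[src].append(ts)
    offenders = {}
    for src, times in syn_times.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_ms:
                start += 1          # drop SYNs that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[src] = peak
    return offenders


if __name__ == "__main__":
    for ts, src, dst, dport in spoofed_internal_sources(PACKETS):
        print(f"[{ts} ms] spoofed internal source {src} -> {dst}:{dport} on {EXTERNAL_IFACE}")
    for src, peak in syn_flood_sources(PACKETS).items():
        print(f"possible SYN flood from {src}: {peak} bare SYNs within 1 s")
```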
Network Security – Vulnerabilities of LANs, WANs, and MANs
Consider a typical office setup and its information system needs. You might find common
security vulnerabilities such as unattended computers, a centrally located printer, access
to gaming websites, discarded CDs, and data sharing. Read about these common
vulnerabilities below.
Unattended Computers: Leaving computers unattended is the biggest risk to
network security. Easy access to computers and other devices means that the LAN
(local area network) can be compromised. All desktops should be locked when not in
use.
Centrally Located Printer: A centrally located printer is not a major vulnerability as
long as data is not compromised. Do not leave important documents lying around
the printer, and print documents only when needed.
Access to Gaming Websites: This could pose a serious threat to the LAN, as any
material downloaded from the internet can contain viruses or worms. Access to
online games, movies, and songs should be restricted. All files that are downloaded
from the internet should be scanned for malware before they are used.
Discarded CDs: Employees must ensure that confidential data is deleted before media
are disposed of and that the computer media are physically destroyed. Controls must be
implemented for safeguarding confidential data.
Data Sharing: Remote log-ons allow access to applications and data on the other
computers in the network. Remote access to computers on the network must be
restricted and password-protected. The LAN connects networks, servers,
workstations, printers, and storage devices and allows users to share functionalities
and resources. Therefore, it is important that the confidentiality and integrity of the
information is maintained. This can be achieved with the implementation of policies
and procedures and the creation of awareness among employees.
WANs (wide area networks) and MANs (metropolitan area networks), which are combinations of LANs,
are exposed to the same vulnerabilities as LANs.
Network Security – Vulnerabilities of WLANs
Like their wired LAN counterparts, WLANs (wireless LANs) are prone to security
vulnerabilities. In fact, a WLAN is more susceptible to attacks because it includes both the
organization’s internal network and the general public network segments. An open WLAN,
which does not require users to authenticate themselves with a user name and password,
is a security issue and a breach waiting to happen. WLANs are also susceptible to attacks
such as:
Traffic Analysis: Traffic analysis helps determine the load on a wireless network. This
type of analysis gathers information about the frequency and timing of network
packets in transit. The attacker can identify the websites being visited and read
messages that are sent on the network. The attacker can then alter the message in
transit or send the message to multiple users.
Eavesdropping: Sometimes referred to as sniffing, eavesdropping involves capturing
packets and reading the data content to find sensitive information. There are two
types of eavesdropping: passive and active. In passive eavesdropping, the attacker
can use the information gathered to attack the network. In active eavesdropping,
the attacker not only monitors the wireless sessions but also tries to determine the
contents of the message. For example, if a user is trying to contact a bank, the
attacker can trick the user into believing that they are communicating with the bank.
Brute-Force Attacks Against Access Point SSIDs: An access point uses a single
password for all wireless clients. In a brute-force attack, the attacker methodically
tests combinations of passwords to gain entry to the access points.
Renegade Access Points: Sometimes, employers may be unaware that their
employees have deployed wireless capabilities on the company’s network. This may
lead to unauthorized attacks. In addition, attackers may also set up rogue access
points to gain access to the network via the WLAN.
Masquerading Attacks: In a masquerading attack, an illegitimate user poses as a
legitimate user to gain access to confidential information.
Threats Originating From Cyberspace
Corporate websites and portals, extranets for vendors, and e-commerce sites are just a
few tools with which organizations harness the benefits of the internet.
With the rise in cybercrime, it is critical for organizations with an internet presence to
build a robust security infrastructure to safeguard their IT resources from threats.
Contrary to popular belief, not all threats originate from the outside. Threats can and do
originate from within the organization itself—in such cases, the internet is a useful tool for
the attack.
Below, read about an external and an internal threat to Cypher X, a fictional company.
Cypher X: Security Lapses?
Andy Parker is a systems administrator at Cypher X, a computer hardware manufacturing
company. The company’s headquarters and research and development center are located
in Austin, Texas. Cypher X has several manufacturing plants, sales offices, and suppliers
located in the United States, Brazil, Germany, South Korea, and Malaysia.
Today, Andy Parker is visiting a sales office in Dallas. During his visit, he observes some
lapses that could lead to IT security incidents.
Incident A
Andy Parker notices an unlocked workstation with a yellow sticky note on the monitor.
The note says,
Out for lunch, Back by 1:30 p.m. Call me @ 555-455-8865 in case of emergency
Sonya
Andy: Oh, Sonya’s out for lunch. I’ll come back after I’ve met with the others. Hmm,
Sonya’s forgotten to lock her desktop. She’s also left some files open. Anyone could
access this information. Actually, anyone could access the company’s network using
her computer, leaving her ID as the only trail. I must remember to warn her about
this.
Incident B
Andy Parker then notices an employee playing games on a website.
Andy: Ah, there’s John, the new hardware engineer. Is he playing soccer on a
website? I don’t believe this! I wonder if everyone has unrestricted access to the
internet and gaming sites.
Andy decides to talk to John.
Andy: Hi John, how are you?
John: Hey! Okay so far, but I will be better as soon as I win this game!
Andy: Ah, soccer! So, does everyone have access to gaming websites?
John: Well, I know everyone in the IT department has unrestricted internet access.
Don’t know about other departments, though. Oh yes, I’ve seen Sam from the
finance department playing games online a couple of times. So, maybe a select few
users do have unrestricted access.
Andy: Hmm, I see. Unrestricted access to the internet can result in computers being
infected by viruses or malware, you know—especially from gaming websites.
Incident C
Next, Andy Parker sees another employee working with shared folders on a network.
Andy: There’s Alan. He seems to be busy looking at some data over the network. Let
me chat with him for a bit.
Andy: Hey Alan, how are you today?
Alan: Great, Andy. Good to see you again.
Andy: Thanks. So, looks like you’re having a busy day.
Alan: No, not really. I’m just updating the project tracker on my boss’s laptop. I was
working late last night from home to meet a deadline.
Andy: He’s shared his files?
Alan: Yeah.
Andy: And how do you transfer files to your home computer?
Alan: I mostly use the office email system. Access to thumb drives is restricted.
Andy: I see. Must be difficult to transfer big files, huh?
Alan: Oh, we have a secure FTP site in place to exchange large-size files.
Andy: That’s good. Ah, there’s Sonya. Let me catch her before she gets busy. I’ll see
you later, Alan.
External Threat
Last year, there was an increase in targeted attacks on large companies. CypherX was the
target of one such attack.
The attackers gathered information about CypherX from its corporate website. They
also visited social networking websites to gather information about specific
employees.
Those employees later received carefully worded phishing email messages carrying the
Hydraq Trojan, which installed itself on the employees' machines by exploiting
vulnerabilities in a commonly used web browser.
The Trojan (like all Trojans, a malicious program that appears to be legitimate) opened a
backdoor with a keystroke logger on each machine, which gave the attackers remote
access to the infected computers.
Eventually, the attackers were able to reach CypherX's LAN. Fortunately, CypherX's
intrusion detection system (IDS) alerted the IT team in time.
Internal Threat
CypherX also faced a couple of internal threats, one of which is described below.
Sam Moore, a CypherX accountant, was transferred to Torrington, Connecticut.
Although small, the Torrington office handles sensitive and confidential data related
to CypherX’s research and development efforts. Upset at being “banished” to a small
town, Sam decided to get back at CypherX by selling some of this data.
Sam got in touch with a friend who works for CypherX’s competitor. They made a
deal.
Sam uploaded design documents for the new range of laptops CypherX was
developing to an online storage site on the internet. In return, the payment for the
designs was transferred electronically to Sam’s bank account.
A few weeks later, CypherX’s competitor released a series of advertisements about
its new range of laptops that looked suspiciously similar to CypherX’s own!
Internal Threats
Most network intrusion detection systems, firewalls, and proxy servers are configured to
keep intruders out of an organization’s IT systems. What happens if the intruder is already
inside the network, for example, working as an employee or a contractor?
The 2010 CyberSecurity Watch survey found that 51 percent of respondents who had
experienced a cybersecurity incident were victims of an insider attack. Insider attacks very
often involve confidential data, intellectual property, or trade secrets, which makes them
more damaging and costly than external attacks (CSO et al., 2010).
CypherX's Andy Parker and his team recently conducted a security vulnerability assessment
and have broken the findings down into the categories below.
Weak/Missing Passwords
Summary of finding: Despite the detailed password policy, 11 percent of the security
vulnerabilities across the various offices stem from weak passwords among the employees
and contractors.
Why the finding matters: Passwords that contain only letters or only digits span a small
search space, so password-cracking tools that use brute force (trying every possible
combination until the right one is found) recover them quickly; dictionary attacks find
common words and simple variants of them faster still.
Recommendation: Enforce the password policy electronically, at account creation and on
every password change, rather than relying on the written policy alone.
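As an added example (not code from the original page), the following Python script shows what "enforcing the policy electronically" looks like and why single-class passwords fall quickly to brute force: it computes the search space a cracking tool must cover for a given password and checks a candidate against a set of policy rules. The thresholds, the guess rate of 10^10 per second, and the small deny-list are this example's assumptions, not CypherX's actual policy.

```python
import string

# Assumed policy thresholds: the page says CypherX has a detailed password policy but
# does not state its rules, so these values are this example's own, not CypherX's.
MIN_LENGTH = 12
MIN_CLASSES = 3
# Constructed deny-list standing in for a breached-password feed; a real deployment
# would check against a much larger corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "soccer", "cypherx"}

# Character classes a cracking tool would have to enumerate.
CHARSETS = {
    "lower":  set(string.ascii_lowercase),
    "upper":  set(string.ascii_uppercase),
    "digit":  set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}


def keyspace(password):
    """Number of candidates a brute-force tool must try in the worst case, assuming it
    knows only the length and which character classes are in use."""
    alphabet = sum(len(CHARSETS[name]) for name in classes_used(password))
    return alphabet ** len(password)


def worst_case_seconds(password, guesses_per_second=10**10):
    """Time to exhaust the keyspace at a given guess rate. 10^10 guesses/s is an assumed
    figure for a GPU rig against a fast, unsalted hash; a slow KDF lowers it by orders
    of magnitude."""
    return keyspace(password) / guesses_per_second


def check_policy(password):
    """Return the list of policy violations; an empty list means the password is accepted.
    Call this from the account-creation and password-change paths so the policy is
    enforced by the system rather than by the written document."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    # Catch both the bare common word and the "word + digits" habit (soccer12).
    if lowered in COMMON_PASSWORDS or lowered.rstrip(string.digits) in COMMON_PASSWORDS:
        problems.append("is a common password or a common word with digits appended")
    return problems


if __name__ == "__main__":
    for candidate in ("soccer12", "Vt7#rain-Kite9"):
        print(candidate, classes_used(candidate), f"{worst_case_seconds(candidate):.3g} s",
              check_policy(candidate) or "accepted")
```

The keyspace figure is the worst case for a tool that enumerates everything; "soccer12" is found far faster by a dictionary attack, which is why the deny-list check matters as much as the class count, and why password storage should use a slow, salted key-derivation function that drives the attacker's guess rate down.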
Operating System or Application
Summary of finding: Overall, 22 percent of the security vulnerabilities come from the use
of software with open vulnerabilities that can be exploited. Special alert: none of the
computers located in the Buenos Aires, Argentina, office had the latest Windows security
patches installed.
Why the finding matters: When operating systems and software applications such as
browsers have publicly known vulnerabilities, attackers use these holes to breach
networks and individual computers; once a patch is published, the flaw it fixes is easy
for attackers to identify and exploit on any machine that has not applied it.
Recommendation: Install the latest security updates on all machines. Automate this
process if possible, and report on machines that fall behind.
Human Factors
Summary of finding: The latest employee satisfaction survey found that:
· 5 percent of security vulnerabilities stem from a lack of awareness among employees
of the confidentiality clause in their contract
· 12 percent stem from a lack of awareness of information security policies among
employees
· 15 percent stem from employee unhappiness with the working conditions at CypherX
· 12 percent stem from the receipt of warnings for unacceptable behavior
Why the finding matters: Employees who are unfamiliar with security policies or
confidentiality clauses are soft targets for phishing and social engineering scams and
may unknowingly reveal sensitive information to outsiders. Disgruntled employees are
more likely to misuse or sell information for personal gain.
Recommendation: Conduct regular training and awareness programs about IT security.
Conduct a thorough background check of prospective candidates. Conduct regular audits
of computer and network activity to identify potential issues.
Other
Summary of finding: Finally, the survey found that 23 percent of the vulnerabilities exist
because of the susceptibility of computers to attack due to miscellaneous factors such as
unlocked workstations, shared local folders with full access granted to all users, and
copies of pirated games, music, and movie clips.
Why the finding matters: Unlocked workstations and shared folders on the network are
easy targets for attackers who want to gain access to the network. Pirated content can
contain malware that can infect the entire network. In addition, downloading and storing
pirated content is a crime in many countries.
Recommendation: Update the IT security policy and the acceptable use policy for shared
folders. Mandate password-protected screensavers on all computers. Configure the
firewall to block websites that allow users to download pirated content and peer-to-peer
file-sharing sites. Educate employees on piracy.
Sources of External Intrusions
Internet-based intrusions are not limited to hackers alone. Nor are attacks restricted to
individuals and organizations. The internet allows malicious groups such as terrorist
organizations, enemy nation-states, and organized crime groups to carry out attacks. The
main sources of internet-based intrusions include:
Hackers: Hackers are the original cybercriminals. Hackers gain unauthorized access
to individual computers or networks to steal information such as passwords, credit
card and bank account numbers, and anything else they can get. Hackers may use
the stolen information themselves—to empty a bank account, for example—or barter
it on an underground network.
Industrial Espionage: Cybercriminals have found innovative ways to elicit trade
secrets from unsuspecting employees. A virus might masquerade as an email
attachment from your colleagues or as a link on your organization’s internal website
about a new HR policy. Clicking the attachment or link installs a virus on the
computer, which then spreads across the network, grabs whatever information it
can, and sends it back to the attacker’s computer.
Organized Crime Groups: Criminals and organized crime groups use the internet to
launder money. In some cases, they hire candidates who respond to ads for work-
from-home opportunities and then use them as “money mules”—people who,
knowingly or unknowingly, transfer stolen funds from one country to another.
Employees: Employees, both current and former, might use the internet to smuggle
information in and out of the organization. In general, insider attacks are more
damaging and take longer to detect than intrusions by external hackers.
Terrorist Organizations: Terrorist organizations have already been using the internet
to organize real-world attacks, recruit followers, and raise money. However,
governments also fear that terrorist organizations might launch online attacks
against critical infrastructures.
Enemy Nation-States: Some countries are suspected of having launched cyberattacks
on rival nations. Examples include the 2007 attacks on Estonian government systems,
widely attributed to Russia, and intrusions into US Department of Defense and White
House systems traced to sources in Russia and China.
Database Security Vulnerabilities
Database Security Pillars
A comprehensive database security strategy is based on three pillars.
Pillar 1: A strong foundation with authentication, authorization, and access control,
discovery and classification, and patch management
Pillar 2: Preventive measures with encryption, data masking, and change
management
Pillar 3: Intrusion detection with auditing, monitoring, and vulnerability assessment
Database Access Control
Security settings restrict access to data through the database schema: a schema can grant
or deny users access to tables and views, or the right to exercise system privileges.
Organizing the database as a three-level schema (external views, the conceptual schema,
and physical storage) and assigning permissions on those views by user role has proven
effective (Oracle, n.d.).
Database Schema Administration
When users do not need to reach the underlying tables directly, or only need to reach
them through specific applications, a shared three-level schema limits the damage a
compromised account can do. A three-level schema describes data at the physical
(internal) layer, the conceptual layer, and the external layer, where each user or
application sees only the views built for it.
Ownership-Based Administration
The owner of a table grants or denies access to its data, and on top of the three-level
schema this establishes permissions at a granular level.
Access Control Administration
The owner of the database is provided the capability of granting and revoking privileges
by applying access rules.
Database access control has proven to be an effective security strategy. Any of the
traditional access control methods can be further improved by placing more granular
controls in place. Limiting access by role, schema, table—or by column, row or field within
a table—can minimize the likelihood that data will be compromised.
Inference
An inference attack involves gaining unauthorized access to restricted data through the
combination of database manipulation, logic application, and statistical analysis (Goodrich
& Tamassia, 2011; Hylkema, 2009).
Inference Basics
Step 1
Administrator and subordinate query a classified database.
Step 2
Administrator receives the information, but the subordinate is denied.
Step 3
Subordinate queries two unclassified databases.
Step 4
Subordinate receives the information from the unclassified databases.
Example of Inference
Step 1
In this example, a corporate database with personnel records is accessible to employees
in a sanitized form, while the full employee details are restricted to administrators.
Names paired with salary information are strictly confidential, and subordinates are
denied access to that pairing (Shieh, Lin, & Juang, n.d.).
Step 2
The company, attempting to improve retention, publicizes years of service and posts
congratulatory messages to its internal website when an employee completes the first
year of employment and every five years thereafter. An internal report shows the average
salary for each department by years of service, and company reports also show that only
one person was hired into any department in a given year.
Even though subordinates cannot access another employee's salary, these aggregate
values are accessible: the average salary of employees by years with the company can be
queried from the database.
Step 3
Jesse wants to learn Roy's salary. He knows Roy is the only HR assistant manager with
five years of service.
Step 4
If Jesse queries the average salary of HR assistant managers with five years of service,
the "average" is computed over a group of one and is therefore Roy's exact salary. This
technique is an example of inference.
Inference Countermeasures
Step 1
Inference deterrence should be part of standard database design practice rather than an
afterthought. When deciding how to prevent inference attacks, consider which method suits
the particular data and the way it is published.
Step 2
There are multiple approaches to protect against an inference attack, including
suppression, generalization, and random data perturbation (RDP).
Suppression
Suppression removes the information that an inference would need. It is a poor fit for the
current example, because here it would mean either no longer commemorating employment
milestones or no longer publishing the per-group salary averages.
Generalization
Generalization makes values less specific, so that inferences can no longer be made
reliably. It is the more acceptable mitigation for the present situation: the report could
state only that an HR assistant manager with zero to five years at the company earns an
average of $50,000 to $58,000, a band that several employees fall into.
RDP
Random data perturbation, or noise addition, alters individual values slightly while
keeping aggregate statistics such as the overall average accurate. RDP is not suitable for
the current example: employees would lose trust if milestones were celebrated at the wrong
time or the salary figures published for years of service were inaccurate (Goodrich &
Tamassia, 2011; Hylkema, 2009).
Step 3
Consider a database containing personnel information, including the names, years of
service, and salaries of employees.
Step 4
In this example, the employee’s name, years of service, and salary information data is
available to a subordinate role, but the association of names and salaries is restricted to a
supervisor role, such as administrator.
Step 5
By incorporating separation of duties as an integral aspect of database design, multiple
tables can be created to restrict the level of access based on a user’s assigned role.
Here, the subordinate is restricted to the Employee table and Salary table, but the
Employee-Salary table is only available to the administrator role.
Step 6
If a new attribute, such as employee join date, is added to the Salary table, the database
becomes susceptible to an inference attack, because an employee's join date is an easily
observed or discoverable attribute.
Step 7
A user assigned a subordinate role could infer another employee’s salary by the inclusion
of start date data. Recall that the company posts congratulatory messages to its internal
website when an employee completes the first year of employment and every five years
thereafter. This will compromise the relationship between employee and salary. Therefore,
the employee join date should be restricted and instead included in the Employees table.
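As an added example that is not part of the original page, the following Python script builds the separated-table design of Steps 5 to 7 in an in-memory SQLite database with constructed data, runs Jesse's aggregate query from the inference example as the subordinate role, and then applies the two countermeasures the text recommends: suppression as a minimum group size, and generalization into service bands with a rounded average. The table names, the role map, the threshold of three rows, and all names and salaries are this example's assumptions; the page describes the design but gives no schema or figures.

```python
import sqlite3

# Constructed sample data (not from the page). As the text stipulates, only one person
# was hired into a given department in a given year, so the group "HR assistant managers
# with five years of service" contains exactly one row: Roy.
EMPLOYEES = [  # emp_id, name, dept, title, years_service   (subordinate-visible)
    (1, "Roy",   "HR",      "assistant manager", 5),
    (2, "Ann",   "HR",      "assistant manager", 2),
    (3, "Dev",   "HR",      "assistant manager", 3),
    (4, "Kim",   "HR",      "manager",           8),
    (5, "Jesse", "Finance", "analyst",           1),
]
SALARIES = [  # sal_id, dept, title, years_service, salary  (subordinate-visible, no names)
    (101, "HR",      "assistant manager", 5, 61000),
    (102, "HR",      "assistant manager", 2, 52000),
    (103, "HR",      "assistant manager", 3, 54000),
    (104, "HR",      "manager",           8, 80000),
    (105, "Finance", "analyst",           1, 48000),
]
EMPLOYEE_SALARY = [(1, 101), (2, 102), (3, 103), (4, 104), (5, 105)]  # administrator-only

# Tables each role may read: the page's Employee-Salary link table is administrator-only.
ROLE_TABLES = {
    "subordinate":   {"employees", "salaries"},
    "administrator": {"employees", "salaries", "employee_salary"},
}
MIN_GROUP = 3  # assumed threshold: never report an aggregate over fewer rows than this


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT,
                                title TEXT, years_service INTEGER);
        CREATE TABLE salaries (sal_id INTEGER PRIMARY KEY, dept TEXT, title TEXT,
                               years_service INTEGER, salary INTEGER);
        CREATE TABLE employee_salary (emp_id INTEGER REFERENCES employees(emp_id),
                                      sal_id INTEGER REFERENCES salaries(sal_id));
    """)
    db.executemany("INSERT INTO employees VALUES (?,?,?,?,?)", EMPLOYEES)
    db.executemany("INSERT INTO salaries VALUES (?,?,?,?,?)", SALARIES)
    db.executemany("INSERT INTO employee_salary VALUES (?,?)", EMPLOYEE_SALARY)
    return db


def can_read(role, table):
    return table in ROLE_TABLES[role]


def require(role, *tables):
    """Table-level access check standing in for GRANT/REVOKE on a real engine."""
    for table in tables:
        if not can_read(role, table):
            raise PermissionError(f"role {role!r} may not read {table}")


def salary_of(db, role, name):
    """Direct lookup through the link table; only the administrator role gets this far."""
    require(role, "employees", "salaries", "employee_salary")
    row = db.execute("""SELECT s.salary FROM employees e
                        JOIN employee_salary es ON es.emp_id = e.emp_id
                        JOIN salaries s ON s.sal_id = es.sal_id
                        WHERE e.name = ?""", (name,)).fetchone()
    return row[0] if row else None


def group_average(db, role, dept, title, years_lo, years_hi):
    """The unprotected aggregate report: (row count, average salary) for a group."""
    require(role, "salaries")
    return db.execute("""SELECT COUNT(*), AVG(salary) FROM salaries
                         WHERE dept = ? AND title = ? AND years_service BETWEEN ? AND ?""",
                      (dept, title, years_lo, years_hi)).fetchone()


def infer_salary(db, role, name):
    """Jesse's attack: read Roy's (permitted) attributes from the employees table, then
    request the average over a group that only Roy belongs to. No forbidden table is read,
    so table-level access control never fires."""
    require(role, "employees")
    dept, title, years = db.execute(
        "SELECT dept, title, years_service FROM employees WHERE name = ?", (name,)).fetchone()
    count, avg = group_average(db, role, dept, title, years, years)
    return avg if count == 1 else None   # a singleton average *is* the individual's value


def suppressed_average(db, role, dept, title, years):
    """Suppression as query-size restriction: refuse groups smaller than MIN_GROUP."""
    count, avg = group_average(db, role, dept, title, years, years)
    return None if count < MIN_GROUP else avg


def service_band(years):
    """Generalization of years of service into the page's bands: 0-5, 6-10, 11-15, ..."""
    if years <= 5:
        return 0, 5
    band = (years - 1) // 5
    return band * 5 + 1, band * 5 + 5


def generalized_average(db, role, dept, title, years):
    """Generalization: widen the group to a service band and round the average to the
    nearest $1,000. The size check still applies, since a band can be a singleton too."""
    lo, hi = service_band(years)
    count, avg = group_average(db, role, dept, title, lo, hi)
    if count < MIN_GROUP:
        return None
    return lo, hi, count, int(round(avg / 1000.0)) * 1000
```

Run under the test values below, `infer_salary` as the subordinate returns Roy's exact salary even though the subordinate never touches the link table, which is why the defence has to act on the aggregate query rather than on table privileges. `suppressed_average` withholds the singleton group, and `generalized_average` reports a rounded average over the 0-5 band that three employees share; for the HR manager in the 6-10 band the widened group is still one person, so the size threshold withholds it. Keeping years of service (or the join date from Step 7) out of the subordinate-visible salary data removes the linking attribute altogether.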
Database Encryption
Encryption is critically important to the confidentiality of database content; on its own
it does not guarantee integrity, which needs authenticated encryption or a separate
integrity check. Encryption protects data in transit and data at rest, and end-to-end
encryption, where the application rather than the database holds the keys, can limit what
an insider with database or storage access is able to read. With data encryption, controls
at the source of the data are maintained at a central point (Baccam, 2009).
What Is Database Encryption?
There are multiple levels of encryption that can be applied within the database hierarchy.
This extends from encrypting the entire database down to the attribute level, record level,
or even more granular down to an individual field (Lane, 2009b).
database-level encryption
record-level encryption
attribute-level encryption
individual field-level encryption
How Are Databases Encrypted?
The various ways in which databases can be encrypted are listed below.
Encrypt the entire database.
Encrypt each individual item in the database.
Encrypt each record in the database as a block.
Encryption of the entire database, known as transparent data encryption (TDE), is
provided by native encryption functions within the database engine. TDE is invisible to
the applications and users that use the data, hence "transparent", and requires no changes
to application logic. Note that TDE protects data at rest (the database files and backups
on disk); any account that can query the database still reads the data in the clear.
Encryption of specific columns, tables, or even data elements within the database is
known as user or data encryption. It is referred to as a “user” encryption as objects being
encrypted are owned and managed on a per-user basis (Lane, 2009a).
Table-Level Encryption
Table-level encryption encrypts the contents of a table, or a group of tables, as one
element. It protects all the data within the table and is an option when more than one
column contains sensitive information. While it does not offer fine-grained access control
to specific elements, it is more efficient than column encryption when multiple columns
hold sensitive data, and it requires fewer application and query modifications (Lane,
2009b).
Row-Level Encryption
Row-level encryption is where a single row in a table is encrypted, and field- or cell-level
encryption is where individual data elements within a database table are encrypted. They
offer fine-grained control over data access, but can result in management and
performance challenges. There might be one key used for all elements or a key for each
row. The performance challenges can be a limitation when selecting or modifying multiple
rows (Lane, 2009b).
Column-Level Encryption
Column-level encryption applies to all data in a single column in a table. This column is
encrypted using a single key that supports one or more users. New queries to examine or
modify encrypted columns must have the correct database privileges but also must
provide credentials to access the encryption/decryption key. That can be as simple as
passing a different user ID and password to the key manager, or as complicated as a full
cryptographic certificate exchange. By asking the database to encrypt all data in a column,
you focus on specific data to protect.
Column-level encryption is popular for PCI DSS compliance because it restricts access to
a small group, but the downside is that the column is encrypted as a whole, so every
modification requires the whole column to be re-encrypted and certified. This option is
common in relational database platforms but has the poorest performance (Lane, 2009b).
References
Baccam, T. (2009). Making database security an IT security priority.
http://www.sans.org/reading_room/analysts_program/Oracle_Nov09
CSO, US Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon
University, and Deloitte. (2010). CyberSecurity watch survey. CSO website.
Goodrich, M. T., & Tamassia, R. (2011). Introduction to computer security. Pearson
Education.
Hylkema, M. (2009). A survey of database inference attack prevention methods.
http://met-research.bu.edu/met-ert/Internal%20Documentation/Inference%20Research/Michael_Hylkema_Research_Paper.pd
Lane, A. (2009a, June 4). Introduction to database encryption – the reboot! [Blog post].
Available under the Creative Commons Attribution-NonCommercial-ShareAlike
3.0 United States (https://creativecommons.org/licenses/by-nc-
sa/3.0/us/legalcode) license. https://securosis.com/tag/database+encryption
Lane, A. (2009b, May 14). Database encryption: Option 2, enforcing separation of duties
[Blog post]. Available under the Creative Commons Attribution-NonCommercial-
ShareAlike 3.0 United States (https://creativecommons.org/licenses/by-nc-
sa/3.0/us/legalcode) license. https://securosis.com/blog/database-encryption-
option-2-enforcing-separation-of-duties
Oracle. (n.d.). Introducing database security for application developers.
http://docs.oracle.com/cd/B12037_01/network.101/b10773/apdvntro.htm
Oracle. (n.d.). Security, roles, and privileges. http://ss64.com/ora/syntax-secure.html
Shieh, S-P., Lin, C-T., & Juang, Y-S. (n.d.). Controlling inference and information flows in
secure databases.
http://dsns.csie.nctu.edu.tw/ssp/Meeting/37.Controlling%20Inference%20and%20Information%20Flows%20in%20Secure%20Databases
© 2023 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity
of information located at external sites.