Cybersecurity Essentials - Module 12 Cheat Sheet

# Module 12: System and Network Defense ### 12.1 Physical Security --- #### **12.1.2 Fencing and Physical Barriers** - **Purpose:** Fencing and barriers are the first visible layer of defense, enclosing secure areas and setting boundaries. - **Key Components:** - **Physical Barriers:** Perimeter fences, security gates, bollards, vehicle entry barriers, and guard shelters. - **Fencing:** - **Height Guidelines:** - 1 meter (3-4 ft.): Deters casual trespassers. - 2 meters (6-7 ft.): Too high to climb for casual trespassers. - 2.5 meters (8 ft.): Offers limited delay to determined intruders. - **Top Guards:** Barbed or concertina wire adds deterrence and delays intruders. - **Maintenance:** Inspect fences regularly to ensure stability and effectiveness (e.g., check for burrowing animals or washed-out earth). - **Precautions:** Avoid parking vehicles near fences to prevent climbing. --- #### **12.1.3 Biometrics** - **Definition:** Use of physiological or behavioral characteristics to authenticate access. - **Common Biometric Systems:** - Face, fingerprint, hand geometry, iris, retina, signature, voice. - **Factors to Consider:** - **Accuracy:** Minimizing Type I (false rejections) and Type II (false acceptances) errors. Type II errors are more critical for access control. - **Other Factors:** Speed, reliability, user acceptability, resistance to counterfeiting, storage needs, and scan intrusiveness. - **Use Cases:** Smartphones with fingerprint readers, secure financial transactions, and access control. --- #### **12.1.4 Badges and Access Logs** - **Access Badge System Sequence:** 1. **Swipe Access Badge:** The badge is swiped at a card reader. 2. **Read Badge:** The card reader retrieves the badge's unique number. 3. **Send Data:** The system sends the badge number to a computer. 4. **Make Decision:** The computer decides on access based on the credentials. 5. **Log Details:** The system logs the transaction for later retrieval. - **Purpose:** Access badges simplify entry while logging every access event for monitoring. --- #### **12.1.5 Surveillance** - **Deterrent and Detection Systems:** 1. **Security Guards:** - **Advantages:** Adaptability, instantaneous responses. - **Disadvantages:** Costly, limited capacity for high traffic, and human error risks. 2. **Video and Electronic Surveillance:** - **Benefits:** Continuous monitoring, long-term recording, integration with motion detection, and economical for perimeter security. - **Placement:** Entrances, exits, loading bays, stairwells, and refuse areas. 3. **RFID and Wireless Surveillance:** - **RFID Tags:** - Track assets leaving secure areas without requiring line-of-sight. - Modern RFID systems can read multiple hidden tags simultaneously. - **Use Case for @Apollo:** Protect laptops by alerting the system if tagged items are removed without authorization. >[!Warning]Recap >Barricades or fencing are the two most common types of physical security. Biometrics are the physiological or behavioral characteristics of an individual. Biometric authentication systems can include measurements of the face, fingerprint, hand geometry, iris, retina, signature, and voice. The most common metric to describe the overall accuracy of a biometric authentication system is the Crossover Error Rate (CER). An access badge allows an individual to gain access to an area with automated entry points. Security guards are a great solution for access control requiring an instantaneous and appropriate response. Video and electronic surveillance can supplement or, in some cases, replace security guards. RFID asset tags can track any asset that physically leaves a secure area. New RFID asset tag systems can read multiple tags simultaneously. ### 12.2 Application Security Cheat Sheet --- #### **12.2.2 Application Development** - **Stages of Development:** 1. **Developing and Testing:** - Use a **development environment** for testing and debugging before deployment. - Employ **version control software** to track changes. - Developers may use a **sandbox environment** to prevent overwriting code. 2. **Staging and Production:** - Staging should mimic the production environment for security and functionality tests. - Security settings are verified in the staging phase before deployment to production. 3. **Provisioning and Deprovisioning:** - **Provisioning:** Creation or updating of software. - **Deprovisioning:** Removal of software using automated self-service portals. --- #### **12.2.3 Security Coding Techniques** - **Key Techniques:** 1. **Normalization:** Organizes database data to maintain integrity and prevent malicious input. 2. **Stored Procedures:** Precompiled SQL tasks reduce network traffic and execution time. 3. **Obfuscation and Camouflage:** Hides sensitive data to prevent reverse engineering. 4. **Code Reuse:** Saves development time, but ensure reused code does not introduce vulnerabilities. 5. **SDKs and Libraries:** Speeds up development but be cautious of vulnerabilities in third-party code. --- #### **12.2.5 Input Validation** - **Importance:** Ensures data integrity by preventing malformed or malicious data inputs. - **Example:** Automated input attacks can alter user-submitted data in web forms, leading to invalid data flooding and compromising the database. - **Protection:** Validate all inputs before processing to prevent attacks. --- #### **12.2.6 Validation Rules** - **Purpose:** Ensures data accuracy, consistency, and completeness. - **Validation Rule Parameters:** - **Size:** Number of characters in a data item. - **Format:** Specific format compliance. - **Consistency:** Logical consistency across related data items. - **Range:** Ensures data lies between minimum and maximum values. - **Check Digit:** Validates accuracy using an extra calculated digit. --- #### **12.2.7 Integrity Checks** - **Definition:** Ensures data has not been corrupted during transfer or storage. ![image](https://hackmd.io/_uploads/BkngQKG4kx.png) - **Techniques:** 1. **Checksum:** Compares pre- and post-transfer values for consistency. 2. **Hash Functions:** Common types include MD5, SHA-1, SHA-256, and SHA-512. 3. **Version Control:** Prevents simultaneous edits to the same data object by different users. 4. **Backups:** Verifies backup data integrity to ensure recovery reliability. 5. **Authorization:** Implements user access controls to restrict unauthorized modifications. --- #### **12.2.8 Other Application Security Practices** - **Key Practices:** 1. **Code Signing:** Digitally validates software authenticity and ensures no modifications since signing. 2. **Secure Cookies:** Protects session data using HTTPS to prevent interception over unencrypted HTTP. --- #### **12.2.10 Managing Threats to Applications** - **Threats and Countermeasures:** 1. **Unauthorized Access:** Implement access policies for staff and visitors. 2. **Downtime:** Create a business continuity and disaster recovery plan. 3. **Software Vulnerabilities:** Regularly update application and operating system software. 4. **Unauthorized System Access:** Use multi-factor authentication and log file monitoring. 5. **Data Loss:** Implement data classification and backup procedures. 6. **Development Vulnerabilities:** Conduct thorough software testing before deployment. >[!Warning]Recap >To maintain security at all stages of application development, follow a process that includes: developing and testing, staging and production, and provisioning and deprovisioning. When coding applications, developers use techniques to validate that all security requirements have been met including: normalization, stored procedure, obfuscation and camouflage, code reuse and SDKs. Controlling the data input process is key to maintaining database integrity. Many attacks run against a database and insert malformed data. A validation rule checks that data falls within the parameters defined by the database designer. This helps to ensure the completeness, accuracy, and consistency of data. The integrity check performs a hash function to take a snapshot of data and then uses this snapshot to ensure data has remained unchanged. A checksum is an example of a hash function. Code signing helps prove that a piece of software is authentic. Using secure cookies protects information. Organizations can implement various measures including access policies, business continuity and disaster recovery plans, application and OS patches and updates policies, MFA and log file monitoring, data classification standards and backup procedures, and software testing prior to launch. ### 12.3 Network Hardening: Services and Protocols --- #### 12.3.1 Avatar Network vulnerabilities expose organizations to attacks. Hardening networks reduces these vulnerabilities by securing services and protocols. --- #### **12.3.2 Network and Routing Services** **Dynamic Host Configuration Protocol (DHCP)** - **Function:** Assigns IP addresses to network devices. - **Threats:** Rogue DHCP servers, denial of service (DoS). - **Security Checklist:** - Secure the DHCP server physically. - Apply patches and maintain strong antivirus. - Locate the DHCP server behind a firewall. - Monitor DHCP activity via logs. - Close unused ports and uninstall unnecessary services. **Domain Name System (DNS)** - **Function:** Resolves domain names to IP addresses. - **Threats:** DNS spoofing, traffic redirection. - **Security Checklist:** - Keep DNS software updated. - Prevent version strings from revealing information. - Separate internal and external DNS servers. - Use DNSSEC to strengthen authentication and sign DNS zones. - Disable or restrict zone transfers and dynamic updates. **Internet Control Messaging Protocol (ICMP)** - **Function:** Sends error messages (e.g., `ping`). - **Threats:** Reconnaissance, DoS, covert channel attacks. - **Mitigation:** Filter ICMP requests to prevent misuse. **Routing Information Protocol (RIP)** - **Function:** Shares routing information; limits hops to 15. - **Threats:** Traffic redirection, router performance degradation. - **Mitigation:** Use authentication, secure services, and system patching. **Network Time Protocol (NTP)** - **Function:** Synchronizes network clocks. - **Threats:** Disrupts log synchronization and secure communications. - **Mitigation:** Use NTP Authentication to verify trusted servers. --- #### **12.3.3 Telnet, SSH, and SCP** **Secure Shell (SSH) vs. Telnet** - **SSH:** Provides secure, encrypted remote access (TCP port 22). - **Telnet:** Uses plaintext authentication (TCP port 23). Avoid its use. **Secure Copy (SCP)** - **Function:** Securely transfers files between remote systems using SSH. - **Benefits:** Ensures authenticity and confidentiality of data in transit. --- #### **12.3.4 Secure Protocols** **Simple Network Management Protocol (SNMP)** - **Version:** Use SNMPv3 for cryptographic protection against eavesdropping. - **Purpose:** Monitors network and computer equipment. **HTTP and HTTPS** - **HTTP:** Provides basic web connectivity (port 80); lacks encryption. - **HTTPS:** Uses SSL/TLS for secure communication between client and server. **File Transfer Protocol (FTP)** - **FTP:** Transfers files but uses plaintext credentials. - **FTPS:** Adds SSL/TLS encryption to secure data transfers. **Email Security (POP, IMAP, MIME)** - **POP (port 110), IMAP (port 143):** Handle email retrieval. - **MIME:** Attaches non-text data like images or videos to emails. - **Secure Variants:** - Use SSL/TLS to encrypt transmissions. - Use S/MIME for digitally signed and encrypted emails. >[!Warning]Recap >Cybercriminals use vulnerable network services to attack a device, or to use it as part of an attack. Use a port scanner to detect open ports on a device. A port scanner sends a message to each port and waits for a response, which indicates how the port is used and whether it is open. Securing network services ensures that only necessary ports are exposed and available. DHCP uses a server to assign an IP address and other configuration information to network devices. DHCP snooping prevent rogue DHCP servers from providing IP addresses to clients by validating messages from sources that are not trusted. DNSSEC uses digital signatures to strengthen authentication and protect against threats to the DNS. The ping command is a network utility that uses ICMP to test the reachability of a host on a network. Cybercriminals can alter the use of ICMP to run reconnaissance, DoS, and covert channel attacks. Filter ICMP requests to prevent such attacks. RIP calculates the best route based on hop count, but cybercriminals can also target routers and the RIP protocol. Use secure services with authentication and implement system patching and updates to protect routing services. NTP allows network devices to synchronize their time settings with an NTP server. Use NTP Authentication to verify that the server is trusted. Secure Shell (SSH) is a protocol that provides a secure (encrypted) remote connection to a device. Telnet is an older protocol that uses unsecure plaintext when authenticating a device and transmitting data. Wherever possible, use SSH rather than Telnet to manage connections. SSH uses TCP port 22. Telnet uses TCP port 23. SCP uses SSH for data transfer and authentication, ensuring the authenticity and confidentiality of the data in transit. SNMP collects statistics from TCP/IP devices to monitor network and computer equipment. SNMPv3 is the current standard — it uses cryptography to prevent eavesdropping and make sure data hasn’t been tampered with while in transit. HTTP provides basic web connectivity and uses port 80. Use SSL or TLS for better security. ### 12.4 Network Hardening: Segmentation --- #### **12.4.1 Avatar** Network segmentation divides a computer network into smaller, logical parts to enhance both security and performance. --- #### **12.4.2 Virtual Local Area Networks (VLANs)** **Devices Are Grouped** - **Definition:** VLANs group devices within a Local Area Network (LAN) using logical rather than physical connections. - **Port Assignment:** Specific switch ports are assigned to a VLAN. Trunk ports are used to interconnect switches, carrying traffic from multiple VLANs. **The Network is Segmented** - **Functionality:** VLANs segment the network based on factors like function, team, or application. - **Security Use Case:** Devices hosting sensitive data (e.g., HR systems) are isolated in a dedicated VLAN to reduce the risk of breaches. - **Broadcast Traffic:** VLANs limit broadcast traffic, improving network efficiency. **Data is Protected** - **Threats:** Cybercriminals can target VLANs to disrupt performance or availability. - **Mitigation Measures:** - Monitor VLAN performance. - Apply advanced configurations. - Regularly patch and update VLAN systems. --- #### **12.4.3 The Demilitarized Zone (DMZ)** **Access to Untrusted Networks** - **Placement:** Web and mail servers are located in the DMZ to provide controlled access to the Internet without exposing the internal network. **Zones of Risk** - **Risk Levels:** Networks are divided into zones of varying trust levels: - **Trusted Private LAN:** High trust, low risk. - **DMZ:** Medium-low trust, medium-high risk. - **Internet:** Low trust, high risk. - **Extranet:** Medium-high trust, medium-low risk. **Zero Trust Model** - **Concept:** No users or endpoints are automatically trusted. - **Traffic Management:** - **East-West Traffic:** Movement between internal servers. - **North-South Traffic:** Movement between internal and external networks. - **Objective:** Constantly monitor all users and endpoints to prevent unauthorized access. ![image](https://hackmd.io/_uploads/rJutHFzNJg.png) #### 12.4.4 Managing Threats to the LAN Organizations can implement the following countermeasures to manage threats to their LAN: - **Unauthorized LAN access**: Secure wiring closets, data centers and computer rooms. Deny access to anyone without the proper credentials. - **Unauthorized access to systems, applications and data**: Define strict access control policies, standards, procedures and guidelines. - **Network operating system software vulnerabilities**: Implement policy to patch and update operating systems. - **Unauthorized access by rogue users**: Require passphrases or authentication for wireless networks. - **Exploits of data in transit**: Implement encryption between devices and wireless networks. - **Unauthorized network probing and port scanning**: Conduct post-configuration penetration tests. >[!Warning]Recap >VLANs provide a way to group devices within a LAN and on individual switches. VLANs are based on logical connections, while LANs are based on physical connections. Individual ports on a switch can be assigned to a specific VLAN. Other ports (trunks) can be used to physically interconnect switches and allow multiple VLAN traffic between switches. VLANs allow an administrator to segment a network. A VLAN can separate groups of devices that host sensitive data from the rest of the network, decreasing the chances of confidential information breaches. Trunks allow individuals on the HR VLAN to be physically connected to multiple switches. To protect the VLAN, monitor its performance, use advanced configurations, and regularly install patches and updates. > >A DMZ is a small network between a trusted private network and the internet. Web servers and mail servers are usually placed within the DMZ to allow users to access an untrusted network, such as the internet, without compromising the internal network. Most networks have two to four zones of risk: the trusted private LAN, the DMZ, the internet, and an extranet. To protect its network, an organization can implement a Zero Trust model. Automatically trusting users and endpoints within the organization can put any network at risk, as trusted users can move throughout the network to access data. Zero Trust networking constantly monitors all users on the network regardless of their status or role. ### 12.5 Hardening Wireless and Mobile Devices --- #### **12.5.1 Avatar** Wireless devices, such as cell phones, routers, and IP cameras, are vulnerable to cyber threats. Protecting them with security protocols and device-specific protections is crucial. --- #### **12.5.2 Wireless Device Security** **WPA Configuration** - **Wi-Fi Protected Access (WPA):** Replaced Wired Equivalent Privacy (WEP). - **Keys:** WPA uses 256-bit keys, stronger than WEP’s 64-bit and 128-bit keys. **WPA Features** - **Message Integrity Checks (MIC):** Detects altered data. - **Temporal Key Integrity Protocol (TKIP):** Handles and changes encryption keys. - **Advanced Encryption Standard (AES):** Improved key management and protection. **WPA2 (Wi-Fi Protected Access II)** - Introduced in 2006, replacing TKIP with **Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP)** and mandating AES. **WPA3 (Wi-Fi Protected Access III)** - Improved cryptographic algorithms and key exchange over WPA2. **Wi-Fi Protected Setup (WPS)** - Allows secure network setup using PIN codes but is vulnerable to brute-force attacks. **Disable WPS.** --- #### **12.5.5 Authentication** **Open System Authentication** - Allows any wireless device to connect. Suitable when security is not a concern. **Shared Key Authentication** - Authenticates and encrypts data between a wireless client and access point (AP). --- #### **12.5.6 Authentication Protocols** The **Extensible Authentication Protocol (EAP)** framework ensures secure wireless network authentication. Below are the main EAP protocols: | Protocol | Requires Client Certificate | Requires Server Certificate | Ease of Deployment | Security | |------------|------------------------------|-----------------------------|---------------------|----------| | **EAP-TLS** | Yes | Yes | Difficult | High | | **PEAP** | No | Yes | Moderate | Medium | | **EAP-TTLS**| No | Yes | Moderate | Medium | | **EAP-FAST**| No | No | Easy | Medium | --- #### **12.5.8 Mutual Authentication** **Rogue Access Points** - Rogue devices mimic authorized access points to steal user data. **Preventing Attacks** - **Mutual Authentication:** Two-way authentication ensures both the client and access point verify each other, detecting rogue devices and preventing attacks like man-in-the-middle. ![image](https://hackmd.io/_uploads/H17iDtfVJg.png) --- #### **12.5.10 Communication Methods** - **Wi-Fi and Bluetooth:** Enable wireless connections, often used for internet access and pairing devices. - **Near-Field Communication (NFC):** Allows contactless payments via electromagnetic fields. - **Infrared (IR):** Short-range communication, e.g., controlling TVs via smartphones. - **USB Communication:** Enables data transfer, device charging, and using phones as modems. --- #### **12.5.11 Mobile Device Management** **Storage Segmentation and Containerization** - Separates personal and work content. Features: - Isolate apps. - Control app functionality. - Remotely wipe data. **Content Management** - Use identity-management systems to control user access to shared applications like Dropbox or Google Drive. **Application Management** - **Whitelisting:** Ensures only trusted applications can be installed. - **Authentication:** Strong passwords for application access. --- #### **12.5.12 Mobile Device Protections** **Risks:** - Theft, loss, unauthorized access, OS and app vulnerabilities. **Jailbreaking/Rooting/Sideloading:** - Allows users to bypass device restrictions, posing organizational risks. Detection solutions can flag such devices and deny access. **Safeguards:** - **Screen Locks:** Require PIN, password, or pattern. - **Biometric Authentication:** Uses unique physical characteristics. - **Context-Aware Authentication:** Analyzes user behavior for access decisions. - **Remote Wiping:** Deletes device data if lost/stolen. - **Full Encryption:** Protects all data on the device. --- #### **12.5.13 GPS Tracking** **Global Positioning System (GPS):** - Tracks a device’s location, often accurate within 5 meters. - Used for geolocation, geofencing, and app-based notifications, but also susceptible to misuse by attackers. --- #### **12.5.14 Bring Your Own Device (BYOD)** **Policy Recommendations:** 1. **Access Control:** Use strong passwords to prevent unauthorized access. 2. **Approved Apps:** Only allow apps from a pre-approved list. 3. **Supported Devices:** Deny network access to unsupported devices. 4. **Data Access Control:** Enforce user-specific access to company data. 5. **Remote Wiping:** Enable data deletion for lost/stolen devices. >[!Warning]Recap >WEP was the first security protocol used for wireless networks. This was replaced by WPA, which improved the security of wireless connections. The evolution of WPA includes WPA2, WPA3 and WPS. Open system authentication is where any wireless device can connect to the wireless network. Shared key authentication provides mechanisms to authenticate and encrypt data between a wireless client and AP or wireless router. EAP is an authentication framework used in wireless networks. EAP includes EAP-TLS, PEAP, EAP-TTLS and EAP-FAST. The rogue access point will often imitate an authorized access point, allowing users to connect to the wireless network and potentially stealing their data. Mutual authentication is two-way authentication in which both entities in a communications link authenticate each other before they connect. Mobile devices can use wireless signals such as Wi-Fi and Bluetooth. NFC allows contactless communication between devices. IR provides short-range communication using an IR receiver. USB communication is the only type of communication on this list that is wired. It allows you to use your smartphone for data or audio storage. Storage segmentation and containerization allow you to separate personal and work content on a device. It provides an authenticated, encrypted area that separates sensitive company information from the user’s personal data. There are security risks involved in using applications that share data (e.g., Dropbox, Box, Google Drive, and iCloud). An identity-management security system can be used to control what data a user can access. the allow list allows you to digitally sign applications so that you can authorize which applications users can install. Jailbreaking, rooting and sideloading are ways of bypassing a device’s limitations to do things that the device is restricted from doing. Safeguards include screen locks, biometric authentication, context-aware authentication, remote wiping, and full device encryption. GPS uses satellites and computers to determine the location of a device. ### 12.6 Cybersecurity Resilience --- #### **12.6.1 Avatar** @Apollo prioritizes minimizing downtime for mission-critical processes. Cybersecurity resilience enhances system availability, ensuring employees remain productive. --- #### **12.6.2 High Availability** High availability systems aim to minimize downtime. They are based on three design principles: 1. **Eliminating Single Points of Failure:** Replace or remove devices prone to failure with redundancies like hot stand-by devices or multiple connections. 2. **Reliable Crossover:** Implement redundant power supplies, backup systems, and communication systems. 3. **Failure Detection:** Monitor devices and systems actively to detect issues and trigger backup systems. --- #### **12.6.3 The Five Nines** **Five Nines (99.999% Availability):** - Downtime is less than **5.26 minutes per year**. - **Steps to achieve this goal:** - **Standardized Systems:** Simplify inventory and make component swaps easier. - **Clustering:** Group multiple devices to form a single logical system; one device failure doesn’t affect availability. - **Shared Component Systems:** Entire systems can stand in for failed ones. --- #### **12.6.4 Single Points of Failure** A **single point of failure** is any component whose failure causes the entire system to fail. Solutions include: - Modifying operations to avoid reliance on one element. - Adding redundant components to take over if a failure occurs. --- #### **12.6.6 N+1 Redundancy** **N+1 Redundancy** means having at least one backup for each critical component. For example: - In a data center, components like servers, switches, and routers each have an additional standby component. While N+1 ensures availability, it is not fully redundant. --- #### **12.6.7 RAID (Redundant Array of Independent Disks)** Refer to the **RAID Level Comparison Chart** for detailed advantages and disadvantages of RAID levels. **How RAID Works:** - Spreads data across multiple drives. - Ensures data recovery in case of a single disk failure (except RAID 0). - RAID types: - **Mirroring:** Duplicates data on a second drive. - **Striping:** Splits data across drives for faster access. - **Parity:** Adds error-checking data. --- #### **12.6.8 Spanning Tree** **Spanning Tree Protocol (STP):** - Prevents loops in networks with redundant paths. - Disables redundant paths to avoid network issues. - If a failure occurs, STP recalculates paths and activates redundant links. --- #### **12.6.9 Router Redundancy** To prevent the default gateway from becoming a single point of failure, use: - **Redundancy Protocols:** Determine the active router (forwarding router) and backup (standby router). - **First-Hop Redundancy:** Ensures seamless traffic redirection to standby routers without user disruption. --- #### **12.6.10 Location Redundancy** **Synchronous Replication:** Real-time synchronization with high bandwidth; locations must be close. **Asynchronous Replication:** Near real-time sync with less bandwidth; sites can be further apart. **Point-in-Time Replication:** Periodic updates conserve bandwidth and are cost-efficient. --- #### **12.6.11 Resilient Design** **Resiliency Methods:** - **Redundant Links and STP:** Provides alternate paths for failover. - **Routing Protocols:** Fine-tune settings to improve recovery time. - **Application Resilience:** Design apps to continue functioning during infrastructure failures. **Application Resilience Solutions:** 1. Fault Tolerant Hardware. 2. Cluster Architecture. 3. Backup and Restore Systems. **IOS Resilience:** Protect Cisco routers and switches with secure configurations, preventing malicious actions like reformatting. --- #### **12.6.12 System and Data Backups** **Backup Best Practices:** 1. **Frequency:** Combine full backups with incremental backups. 2. **Storage:** Store backups off-site securely. 3. **Security:** Use password protection for backups. 4. **Validation:** Regularly validate backups for data integrity. --- #### **12.6.13 Designing High Availability Systems** **Key Principles:** 1. **Eliminating Single Points of Failure:** Redundant clusters, processes, and resources. 2. **Fault Tolerance:** Systems like data mirroring ensure uninterrupted service. 3. **System Resiliency:** Redundant power and processing ensure availability during disruptions. --- #### **12.6.14 Power** **Power Terms:** - **Excess:** Spikes (momentary) or surges (prolonged). - **Loss:** Fault (momentary) or blackout (complete loss). - **Degradation:** Sag/dip (momentary low voltage) or brownout (prolonged low voltage). **Guidelines:** - Use UPS systems for graceful shutdowns. - Employ redundant power sources and power conditioning. --- #### **12.6.15 HVAC (Heating, Ventilation, Air Conditioning)** **Key Points:** - Maintain proper temperature, humidity, and airflow for IT systems. - Follow environmental requirements from product specifications. - Secure internet-connected HVAC systems from unauthorized access. --- #### **12.6.17 Managing Threats to Physical Facilities** **Measures to Manage Physical Threats:** - Implement **access control** and **CCTV** at entry points. - Encrypt badges for entry access. - Develop **disaster recovery** and **business continuity plans**. - Use an asset tagging system for tracking. >[!Warning]Recap >High availability systems typically are based on three design principles: eliminating single points of failure, providing for reliable crossover, and detecting failures as they occur. A popular high availability goal is called ‘five nines.’ It gets its name from its aim to achieve an availability rate of 99.999%. Systems standardization provides for systems that use the same components. Clustering is multiple devices grouped together provide a service that, to users, appears to be a single entity. Shared component systems are built so that a complete system can stand in for one that failed. A single point of failure can be a specific piece of hardware, a process, a specific piece of data, or even an essential utility. Generally, the solution to a single point of failure is to modify the critical operation so that it does not rely on any single element. Build redundant components into the operation to take over the process should one of these points fail. N+1 redundancy helps ensure system availability in the event of a component failure. It means that components (N) need to have at least one backup component (+1). RAID takes data that is normally stored on a single disk and spreads it out among several drives. Except for RAID 0, if any single disk is lost, the user can recover data from the other disks where the data also resides. STP’s basic function is to prevent loops on a network when switches interconnect via multiple paths. STP ensures that redundant physical links are loop-free and only one logical path runs between all destinations on the network. The default gateway is typically the router that provides devices access to the rest of the network and/or to the internet. If there is only one router serving as the default gateway, it is a single point of failure. Install a standby router. Use location redundancy including: synchronous and asynchronous replication, and point-in-time replication. Resilient design is more than just adding redundancy. There are three availability solutions to address application resilience: fault tolerant hardware, cluster architecture, and backup and restore. A sound security policy should include regular data backups. Backups are usually stored off-site to protect the data if anything happens to the main facility. Protecting information systems includes electrical power systems and power considerations. A continuous supply of electrical power is essential for today’s massive server and data storage facilities. HVAC systems control the ambient environment, including the temperature, humidity, and airflow. This must be managed along with data components such as hardware, cabling, data storage, fire protection, physical security systems and power, and their needs. Environmental requirements are detailed in product specifications documentation and/or physical planning guides. ### 12.7 Embedded and Specialized Systems --- #### **12.7.1 Avatar** Critical infrastructure systems like manufacturing, energy, communication, and transportation are essential to a country’s economy. Protecting these systems is crucial, as cyber attackers target them to cause significant disruptions. --- #### **12.7.2 Threats to Key Industry Sectors** Cyberattacks, like **Stuxnet**, targeted **SCADA systems** (Supervisory Control and Data Acquisition) to disrupt industrial processes. SCADA systems are widely used in manufacturing, energy, and communications. **Preventive Actions:** - Segregate internal and external networks. - Isolate SCADA systems from the organization’s LAN. --- #### **12.7.3 The Emergence of the Internet of Things (IoT)** IoT enables billions of devices to connect to the Internet (e.g., cars, appliances, industrial machines). While IoT improves automation, it increases vulnerabilities. **Challenges:** - Expanded attack surface due to the large number of connected devices. - IoT devices are often used in **DDoS attacks**. **Security Measures:** - Ensure IoT devices support firmware updates. - Change default administrator credentials. --- #### **12.7.4 Embedded Systems** Embedded systems are widely used in **smart TVs, medical devices, HVAC systems, and vehicles**. **Vulnerabilities:** - Timing attacks exploit delays in system responses. - Side-channel attacks leverage information like electromagnetic leaks or power usage. **Protection Measures:** - Use **System on Chip (SoC)** technology for better performance, lower cost, and reduced power consumption. - Upgrade authentication mechanisms and ensure systems can be patched. --- #### **12.7.5 The Internet of Things (IoT)** IoT devices automate processes, monitor conditions, and alert users. Common uses include tracking inventory, monitoring environmental variables, and enabling smart home devices. **Vulnerabilities in IoT Devices:** - **RTOS Vulnerabilities:** Code injection, DoS attacks, and priority inversion. **Countermeasures:** - Secure wireless networks. - Install security software on IoT devices. - Use strong authentication for mobile apps managing IoT devices. --- #### **12.7.6 Avatar** IoT scanners, such as **Shodan**, help identify vulnerabilities in IoT devices. IoT communication methods include **cellular networks (4G, 5G)**, **radio**, and **Zigbee** for WPANs. **IoT Security Tips:** - Secure the wireless network. - Monitor IoT device activities. - Install updates and security patches regularly. --- #### **12.7.7 Avatar** VoIP (Voice over IP) is used for voice communications via the Internet. --- #### **12.7.8 VoIP Equipment** **Required Equipment:** - Internet connection and phone: traditional phone with an adapter, VoIP-enabled phone, or VoIP software on a computer. **VoIP Security:** - Encrypt voice packets. - Use SSH for gateway and switch protection. - Change default passwords. - Implement **intrusion detection systems** for attack prevention. - Use strong authentication to mitigate spoofing and hijacking. --- #### **12.7.9 Special-Purpose Embedded Systems** Embedded systems are critical in **medical, automotive, and aviation sectors**. **Medical Devices:** - Vulnerabilities: Wireless hacking, NFC exploitation, data breaches. - Consequences: Patient safety risks and unauthorized network access. **Automotive Systems:** - Vulnerabilities: Wireless jamming, tracking, and spoofing. - Countermeasures: Encryption, secure system design, firewalls. **Aviation Systems:** - Vulnerabilities: Hardcoded credentials, insecure protocols, drone hijacking. - Countermeasures: Secure protocols, jamming protection. --- #### **12.7.11 Deception Technologies** **Honeypots:** Decoy systems mimicking servers to lure attackers. Activities are logged for later review. **Honeynets:** A collection of honeypots mimicking an entire network to distract attackers. **DNS Sinkholes:** Prevent resolution of malicious hostnames and redirect users away from harmful resources. >[!Warning]Recap >Cyber attacks like Stuxnet proved that malware attacks could successfully destroy or interrupt critical infrastructures. To prevent attacks on these systems, segregate internal and external networks to separate the SCADA network from the organization’s LAN. The IoT is the collection of technologies that enable various devices to connect to the internet. Most IoT devices connect to a network via wireless technology. IoT applications use RTOS. This data expansion created a new area in technology and business called ‘Big Data.’ Embedded systems capture, store and access data. They are susceptible to timing attacks, whereby attackers discover vulnerabilities by studying how long it takes the system to respond to different inputs. SoC technology is an SFF hardware module — customer-grade examples include devices such as Raspberry Pi and Arduino. These devices are single-board computers that can be implemented using an FGPA, which is an integrated circuit that can be programmed or modified in the field. Using an IoT scanner such as Shodan is an easy way to tell whether a home automation device is vulnerable to attack. IoT devices communicate using short-range, medium-range or long-range methods and include cellular (4G, 5G), radio You need an internet connection and a phone for VoIP. VoIP security is only as reliable as the underlying network security. There are several ways to protect your VoIP service. Two of these measures are: encrypt voice message packets to protect against eavesdropping, and use SSH to protect gateways and switches. Devices such as pacemakers, insulin pumps, medical implants and defibrillators are capable of wireless connectivity, remote monitoring, and NFC. Vulnerabilities in these medical devices can lead to patient safety issues, medical record leaks, or the risk of granting access to the network to cybercriminals. In-vehicle systems produce and store the data necessary for the operation of the vehicle along with its maintenance, safety protection and emergency contact transmission. Typically, a wireless interface connects to the internet and to a diagnostic interface on board. Encrypt all communication between controllers and use a firewall. An aircraft has many embedded control systems such as its flight control system and communication system. Security issues include the use of hard-coded logon credentials, insecure protocols, and backdoors. UAVs, more commonly called drones, have been used in military, agricultural and cartography applications, among others. Drones are very useful for aerial photography, surveillance, and surveying. However, drones are susceptible to hijacking, Wi-Fi attacks, GPS spoofing attacks, jamming and de-authentication attacks. Organizations use deception technologies to distract attackers from production networks. They also use them to learn an attacker’s methods and to warn of potential attacks that could be launched against the network. Deception adds a fake layer to the organization’s infrastructure. A honeypot is a decoy system that is configured to mimic a server in the organization’s network. It is purposefully left exposed, to lure attackers. When an attacker goes after the honeypot, their activities are logged and monitored for later review. A honeynet is a collection of honeypots. A DNS sinkhole prevents the resolution of hostnames for specified URLs and can push users away from malicious resources.