Cyber security fundamentals featured a comprehensive overview of concepts essential to the cyber security professional. It provided a review of fundamental digital technologies, computer networks and protocols, and security applications and testing. It also demonstrated how to view information as an asset to the organization, methods of categorizing information, and how security controls can be used in concert with physical and administrative controls to protect information. Concepts of policy, mechanisms, assurance, threats, and vulnerabilities were introduced. Cyber security fundamentals explored a broad range of security topics and concepts that would become the subject of much deeper investigations in subsequent courses. The following are two examples of topics covered in the fundamentals course, along with an explanation of the professional and ethical responsibilities associated with each.
Organizational Security Assessment: Vulnerability & Threat Analysis
Performing an analysis of the threats and vulnerabilities to an organization is vitally important when considering what policies to develop and which processes or technologies might be appropriate to mitigate them. It allows you to understand where the weaknesses are in the overall security of the organization. This assessment covers all aspects of security and risk, with factors ranging from personnel, networks, systems, and applications to the physical environment. It also forces you to look at risk from a variety of sources. Malicious activity, including hacking, often comes to mind when one considers the security of one's computing systems. However, other sources such as natural disasters, hardware failure, and even accidental human misuse can be just as much of a threat as an attack.
Information, whether stored, transmitted or processed, lies at the heart of a business' security strategy. At its core the strategy is about protecting that information, and an analysis of the threats and vulnerabilities to the organization goes a long way in developing strategies that reduce the risk to it. When performing a security assessment it is also important to consider the business context of the organization. What information does the organization possess that may be attractive to outside interests? What information, if disclosed, could harm or embarrass the business, affecting everyone from employees to management? An understanding of what you are trying to protect goes a long way in building a successful security strategy.
As an exercise we were asked to perform a vulnerability assessment of our organization in an effort to understand the weaknesses in the network. To apply mitigation strategies one must first identify the holes that may be exploited. Using a security assessment template we set about analyzing all manner of vulnerabilities, from physical building security to information system vulnerabilities, to create a top issues list which demonstrated the most risk to the organization.
As an individual performing a security assessment, whether that assessment is done in house or by a third party, the professionalism and ethical conduct of that individual are paramount. The investigation has the potential to uncover vulnerabilities yet unknown to the organization. Threats could range from the discovery of an unsecured door to a single unpatched server that is sitting unprotected on the network. The amount of time that vulnerability goes unmitigated presents a risk to the business that could be exploited. The individual has a professional responsibility to report any and all vulnerabilities discovered as part of the assessment to the organization.
Threats & Vulnerabilities Discovery: Penetration Testing
Penetration testing, or pen testing, is an attempt to assess the security of IT infrastructure by safely trying to exploit its vulnerabilities. Vulnerabilities may exist in applications, operating systems, system services, or misconfigurations. Such assessments can also help validate that system configurations or software are up to date as well as test any network defense mechanisms in place. Pen testing is often used to find openings in the network from which subsequent attempts can be made to increase the level of access and use as a jumping off point to other vulnerable devices.
As an introduction to penetration testing we were presented with the Kali Linux operating system, which bills itself as a "penetration and ethical hacking Linux distribution". Our exercise was to use the tools built into Kali to assess the security state of a purpose-built vulnerable operating system called the Metasploitable Virtual Machine (VM). Tasks performed included using an application port scanner to find open and potentially vulnerable application ports, probing those ports for information about the version of software running, correlating that information to known vulnerabilities, and finally using the Metasploit toolkit to exploit those vulnerabilities. Metasploit, a penetration testing framework, comes packaged with the ability to exploit thousands of known vulnerabilities. One can use Metasploit to absolutely confirm whether a target system is vulnerable to a particular attack.
Metasploit, and other applications like it, are powerful tools that paint a very accurate picture of the current state of security. The learning curve to become proficient with these tools is not very steep; most often you can find examples of how to exploit a specific vulnerability quite easily on the internet. This dramatically lowers the bar for entry into penetration testing, and these tools can also be utilized for malicious purposes. As such I believe penetration testing has very clear ethical implications. The individual performing the testing has a professional and ethical decision to make every time a vulnerability is discovered. While they likely have a professional responsibility as a tester, whether employed by the company that requested the testing or as part of a third party contractor, they have the ethical decision to make as well. Often these testers are highly capable from a technical perspective, so in addition to possessing the technical ability to discover the exploit they likely have the ability to conceal their discovery as well.
While not every practitioner of cyber security will be performing penetration testing I felt it was important to include from a fundamentals standpoint because it highlights the ease with which vulnerable systems can be exploited. One does not have to be an expert computer programmer with a deep understanding of the systems they are attempting to exploit, nor is it required that a yet undiscovered vulnerability be found. Ready-made and easy to use pre-packaged toolkits are available to use in exploiting most well-known vulnerabilities. To me this highlights the need for both technical and non-technical solutions to help mitigate the risk from software vulnerabilities. In fact, I believe much of the risk mitigation in this regard is non-technical. Items such as having an accurate and detailed inventory, configuration management, and patch management process are all just as important as the rollout of the actual patches themselves.
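An added example, not part of the original essay or its course material: a minimal triage that joins service-version findings of the kind produced in the scanning exercise with the asset inventory and patch baseline described above, yielding a prioritized issues list. All hosts, product names, versions, criticality labels and the input line format are constructed for illustration.

```python
# Constructed sample data: hosts, products and versions are hypothetical.
SCAN_LINES = """\
192.0.2.10 21/tcp exampleftpd 2.3.4
192.0.2.10 80/tcp examplehttpd 2.2.8
192.0.2.20 3306/tcp exampledb 5.7.40
192.0.2.99 22/tcp examplesshd 8.1
"""
# Asset inventory: host -> business criticality (assumed labels).
INVENTORY = {"192.0.2.10": "high", "192.0.2.20": "low"}
# Patch baseline: product -> minimum patched version (assumed values).
BASELINE = {"exampleftpd": "3.0.5", "examplehttpd": "2.2.8", "exampledb": "8.0.1"}
# Hosts missing from the inventory rank above known low-criticality assets.
RANK = {"high": 0, "unknown": 1, "low": 2}

def version_key(text):
    """Turn '2.3.4' into (2, 3, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def parse_scan(lines):
    """Yield (host, port, product, version) from 'host port product version' lines."""
    for line in lines.splitlines():
        fields = line.split()
        if len(fields) == 4:  # skip blank or malformed lines
            yield tuple(fields)

def triage(lines, inventory, baseline):
    """Return (criticality, host, port, reason) tuples, most critical assets first."""
    issues = []
    for host, port, product, version in parse_scan(lines):
        criticality = inventory.get(host, "unknown")
        if host not in inventory:
            issues.append((criticality, host, port, "host missing from inventory"))
        minimum = baseline.get(product)
        if minimum is None:
            issues.append((criticality, host, port, f"{product} has no patch baseline"))
        elif version_key(version) < version_key(minimum):
            issues.append((criticality, host, port,
                           f"{product} {version} below baseline {minimum}"))
    return sorted(issues, key=lambda issue: (RANK[issue[0]], issue[1], issue[2]))

if __name__ == "__main__":
    for issue in triage(SCAN_LINES, INVENTORY, BASELINE):
        print(*issue, sep="  ")
```

The host that appears in the scan but not in the inventory is reported twice, once as an unknown asset and once because its service has no baseline, which is the gap an accurate inventory is meant to close.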
From an ethical perspective I believe the dangers associated with penetration testing, specifically the wide availability and ease of use of toolkits, are obvious. While the knowledge gained about potential vulnerabilities in your network is extremely valuable in assessing exposure, it also creates another risk of vulnerabilities being discovered and not reported. This can occur whether the testing is done in-house or by a third party. While the risks of in-house testing may be fewer, you may not have the funds or expertise to perform it. And when dealing with a third party you have the overhead of carefully selecting a reputable and competent one, creating a non-disclosure agreement, and managing the partnership. Indeed, penetration testing carries both professional and ethical responsibilities that need to be considered in the context of overall risk management.