There are many ways to help secure the enterprise. In this video, you’ll learn about honeypots and honeynets, risk, vulnerabilities, exploits, threats, and the CIA triad.
In IT security, there is a constant fight happening between the attackers and the folks that are being attacked. And one of the ways that we can learn more about our attackers is to watch the attacks themselves. One of the ways that we can do this is through the use of a honeypot. We know that these attacks are often not a human being who’s typing into a keyboard interactively. Usually, these are scripts or programs that are designed to attack many different systems simultaneously.
So one of the things we could do is to create a virtual network with virtual servers and virtual components that would be very attractive to one of these attackers. We’re effectively leaving out this virtual honey that hopefully will attract this attacker’s sweet tooth. If you want to see what people are using as a honeypot or you’d like to build your own, there are many open-source versions available that you can install on your own systems.
The attackers, though, are very good at determining what might be real and what might be fake. So there is a constant battle to build the best possible honeypot so that you can attract the attackers and be able to watch what they’re doing during these attacks. But to make this attractive to the attacker, we need more than simply a single server or a single device. We need a number of different components. We need servers, workstations, routers, firewalls, switches, proxy servers, and anything else that can make this system seem a little more real.
When we combine all of these together, we've created a honeynet, a much larger deception framework. We might have the attacker start with a workstation that's part of the honeynet, then move to a honeynet server, and then see if we can move them over to the honeynet NAS. These are commonly virtual devices, and we can build any number of them to attract the attackers. If you want to read more about honeypots and honeynets, there's a wealth of information on the internet, and a good place to start would be projecthoneypot.org.
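The kind of low-interaction honeypot described above, as an added example and not code from the video or from any honeypot project: it listens on a loopback port, answers with a constructed decoy banner, and records what each connecting client sends so the probe can be studied later. `run_demo` plays the role of an automated scanner for demonstration only; the `Honeypot` and `ProbeEvent` names are assumptions of this example.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Constructed decoy banner; the honeypot never runs a real SSH service.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


@dataclass
class ProbeEvent:
    timestamp: float
    source_ip: str
    source_port: int
    payload: bytes  # first bytes the client sent after receiving the banner


class Honeypot:
    """Low-interaction decoy: answer with a banner, record what the client sends."""
    def __init__(self, host="127.0.0.1", banner=BANNER, timeout=2.0):
        self.host, self.banner, self.timeout = host, banner, timeout
        self.events = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def serve_one(self):
        conn, (ip, port) = self.sock.accept()
        with conn:
            conn.settimeout(self.timeout)
            conn.sendall(self.banner)
            try:
                data = conn.recv(4096)
            except socket.timeout:  # scanner connected but sent nothing
                data = b""
        event = ProbeEvent(time.time(), ip, port, data)
        self.events.append(event)
        return event


def run_demo(payload=b"SSH-2.0-scanner\r\n"):
    """Constructed scanner client talking to the honeypot over loopback."""
    hp = Honeypot()
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    with socket.create_connection((hp.host, hp.port)) as client:
        banner = client.recv(64)
        client.sendall(payload)
    worker.join(5)
    hp.sock.close()
    return banner, hp.events
```

A production honeypot would persist the events (source, time, payload) to a log collector so the recorded probes feed detection rather than sitting on the decoy host.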
In the world of IT security, a lot of the decisions that we make are based on risk. Risk is the exposure that we have to something that might be harmful or something that might be dangerous. If we need to describe how possible it might be for something bad to happen, then we would be describing risk. Risk is a constant concern for every organization. And the larger the organization grows, the more risk they tend to take on.
We would always want to consider how risky a situation might be during the process of expanding, adding new applications, making changes to a configuration, or anything else in our organization that might open us up for attack. Whenever we’re making business decisions on what we do next, we always have a level of risk associated with that.
And it’s important to be able to identify what that risk happens to be so that we can then make a business decision on whether we continue with that particular task or whether we add additional security controls to help protect that task.
If you've been reading through your monthly Microsoft patch notes, then you've probably seen a list of vulnerabilities that have been identified by Microsoft. These vulnerabilities are weaknesses in the current version of the operating system. And if someone was to take advantage of those vulnerabilities, they could potentially gain access to our systems or our data.
And just because a vulnerability hasn’t been discovered doesn’t mean the vulnerability doesn’t exist. Researchers are identifying vulnerabilities all the time that may have existed in an operating system for months or even years. And of course, there are many different types of vulnerabilities. There might be a vulnerability associated with the type of data that could be injected into a data stream.
Maybe the authentication process that’s being used for the operating system has a vulnerability or a flaw that would allow someone to gain access to your system. Or maybe there’s data that’s exposed or security misconfiguration. All of these can be categorized as a vulnerability.
Identifying that an operating system has a vulnerability is not the same thing as someone actually taking advantage of it. The act of taking advantage of a vulnerability is described as an exploit. This is when someone uses the vulnerability to gain access to a system or to data. Usually, the exploit is taking advantage of that vulnerability.
And there may be many different ways to accomplish this. This might be a relatively straightforward exploit where a username is embedded within the code, and we can use that username to gain access to the system. Or it may be a relatively complex series of tasks that an attacker needs to complete before gaining access to that operating system.
The threat is what is used by the attacker to exploit that vulnerability. Threats can also be things that might be accidental. For example, a fire or a flood could certainly be a threat to an organization’s building. But threats in our local area are things that we often understand and we can prepare for. On the internet, many of the threats to our systems are coming from somewhere outside of our organization.
So if your operating system has a vulnerability, there may be a threat agent that takes advantage of that vulnerability by creating a threat action. This threat action will exploit the vulnerability and allow the attacker to gain access to the system. The results of that entire process means that an attacker could cause a system to become unavailable, or they may gain access to private information or perhaps make that information available to others on the internet.
To be able to combat these attacks, we rely on three fundamental principles of IT security. We refer to these as the CIA triad. This is sometimes referred to as the AIC triad to be able to differentiate it from the CIA, Central Intelligence Agency, of the US federal government.
The C in the CIA triad refers to confidentiality. One way that we can help protect our data is to make that data confidential. We can create data confidentiality by restricting access to the data or perhaps encrypting the data.
Another leg of the CIA triad is integrity. Integrity means that the data we are referencing has not been modified by a third party. For example, messages sent across the network can be modified in transit unless there's some type of detection in place. We commonly associate digital signatures with the integrity arm of the CIA triad.
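An added example of the detection the integrity leg relies on, not code from the video: a keyed hash (HMAC, standing in here for the digital signature the video mentions, since it demonstrates the same tamper-detection principle with a shared key) is attached to each message, and verification fails when a third party changes the body in transit. The key and the message format are constructed for this example.

```python
import hashlib
import hmac

# Constructed shared key; a real deployment would use a randomly generated key.
KEY = b"constructed-demo-key"


def protect(message: bytes, key: bytes = KEY) -> bytes:
    """Append a keyed tag so any change to the message can be detected."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def verify(wire: bytes, key: bytes = KEY):
    """Return (ok, message); ok is False if the body or the tag was altered."""
    message, _, tag = wire.rpartition(b"|")
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    ok = hmac.compare_digest(expected, tag)  # constant-time comparison
    return ok, message


def tamper(wire: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate a third party modifying the message body in transit."""
    message, sep, tag = wire.rpartition(b"|")
    return message.replace(old, new) + sep + tag
```

Without the tag (or with the tag ignored by the receiver), the modified `transfer=900` message would be accepted as genuine, which is exactly the gap integrity controls close.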
And of course, one of the core principles, not only of IT security but information technology in general, is availability. We want to be sure that all of the security we're applying to our data and our systems doesn't affect the overall access and availability of those systems. And most people in information technology understand that maintaining these systems and their security includes making sure they are available to anyone who needs access.