Cybersecurity 101
Cybersecurity has been a buzzword for the past many years but is recently becoming a much more common term among people. There’s been an increase in demand for reliable and skilled cybersecurity professionals due to increasing occurrences of cyber-attacks, making it a top priority for businesses. However, for many folks who want to pursue a career in cybersecurity, it can be very overwhelming to just surf online and there’s a limited availability of guidance from enterprise-level professionals.
Therefore, I have prepared the following article which will provide you a thorough understanding of the Cybersecurity field, what it entails, and some recommendations from my professional experience.
What is Cybersecurity?
The answer to this will vary a bit from one resource to another, but it basically points to the same abstract concept — ‘Protection of People, Process and Technology from any kind of unauthorized tampering’.
Let’s understand some basic concepts that you will need to know to start smoothly in this field.
CIA Triad
CIA stands for Confidentiality, Integrity, and Availability which represent the foundations of information security. In order to fully protect data, all the 3 pillars need to be taken care of. Confidentiality refers to protection of data at rest or in transit from unauthorized access, Integrity refers to protection of data at rest or in transit from unauthorized modification or deletion, and Availability refers to accessibility of data to an authorized person when required.
AAA
AAA stands for Authentication, Authorization and Accountability and represent the foundations of controlling access to data. Authentication is the process of verifying a user’s identity, Authorization refers to the actions that a user is permitted to perform based on the user role and Accountability is the tracking of user activity through various parameters and mechanisms.
Non-Repudiation
This concept is designed for assurance of origin and integrity of data.
Encryption/Decryption
The process of converting plaintext data into ciphertext is called encryption. The reverse process of converting ciphertext to plaintext is called decryption. Encryption is designed to protect Confidentiality of data. Cipher is the algorithm that is used to encrypt the data.
There are 2 types of encryption:
Symmetric Encryption
Here, a single key is used for both encryption and decryption. This encryption is faster and easier to implement due to use of 1 key. The AES algorithm is an example of symmetric encryption.
Asymmetric Encryption
Here, a mathematically related key-pair of a public key and private key is used such that if the public key is used for encryption, then the related private key is used for decryption and vice-versa. RSA algorithm is an example of asymmetric encryption.
SSL/TLS Handshake
Most websites now use HTTPS instead of HTTP but do you know how HTTPS communication is protected?
HTTPS uses TLS protocol to secure its communication. TLS does this by using a hybrid approach of symmetric and asymmetric encryption, which is also called PKI (Public Key Infrastructure).
Following are the steps that happen under the hood when we visit any HTTPS website:
1. Client starts the handshake by sending a hello message to the server with the following details — TLS version the client supports, the cipher suites supported, and a string of random bytes called “client random.”
2. Server responds to the client by sending a hello message with the following details — server’s SSL certificate, server’s chosen cipher suite, and another random string of bytes that’s generated by the server called “server random”.
3. Client verifies the SSL certificate of the server by checking with the CA (Certificate Authority) that issued it.
4. Client sends another set of random string of bytes called “premaster secret”. This “premaster secret” is encrypted using the public key and can only be decrypted using the private key by the server.
5. Server performs the decryption of “premaster key”.
6. Both Client and Server generate session keys from “client random”, “server random” and “premaster secret”.
7. Client sends a finished message encrypted with a session key.
8. Server sends a finished message encrypted with a session key.
9. Handshake is completed with communication to continue using session keys.
The above process may change a bit for different TLS ciphers and versions but this should be good to understand the concept.
Hashing
Hashing is the process of converting any data to a unique fixed-length string, called a hash value. Hashing helps maintain integrity of data as no 2 pieces of data can have the same hash. Also, hashes are irreversible, meaning that you cannot retrieve the original data just through a hash.
However, there’s a small possibility of 2 pieces of data being assigned the same hash by a hashing algorithm, leading to what we call a hashing collision. This is why MD5 and SHA-1 hashes are no longer recommended due to them being prone to collisions and instead SHA-2 and SHA-3 Hashes are recommended.
Due to increasing complexity of attacks, simple hashes can now be cracked using various tools and therefore the concept of adding a small chunk of data to sensitive data pieces such as passwords before hashing them is now being increasingly used as way to further secure hashes against such attacks. This is called salting. Without knowing the salt value (the small chunk of data), the attacker cannot crack salted hashes.
Encoding/Decoding
Encoding is the process of converting data to a different format using a scheme. This mainly helps maintain usability of data and is used to compress data for easier transmission and storage. An example of an encoding algorithm is Base64.
Obfuscation
Obfuscation is the process of converting code such that it is very difficult to understand the application logic by going through it, but still performs the same tasks that it was intended to do. This protects code against any form of tampering.
Cyber Attacks
Now that we know some basic security concepts, let’s understand the common types of cyber-attacks.
Phishing
One of the most common types of cyber-attacks, phishing is a form of social-engineering attack where the attacker tricks the end-user by posing as someone from the same organization as the end-user, or by posing as an authority through emails. The end-goal of this attack could be disclosure of sensitive information, start of a wider attack as part of a malware campaign, etc.
Some things to lookout for in a phishing email include analyzing the email header, checking for presence of malicious links or attachments, email content indicating a false sense of urgency, etc.
At enterprise-level, most organizations use phishing solutions such as Cofense PhishMe as a defense mechanism.
Backdoor
This is a type of malware that takes advantage of vulnerable components of a web application to gain remote access and bypass the normal authentication process.
Backdoors are classified as a Trojan.
A backdoor can be detected through any network monitoring tool. At enterprise-level, firewalls, WAF, EDR, etc. act as defense mechanisms and prevent the execution of such backdoors.
Cross-site Scripting (XSS)
This is a web application attack where malicious code is inserted in input fields of an application.
There are 3 types of XSS attack that you should know about.
Reflected
In Reflected XSS, the malicious code is sent to the target’s browser which executes it as application code. This is not a persistent attack, meaning that the malicious code is not stored in the application.
Stored
In Stored XSS, the malicious code is stored in the target’s server and is a persistent attack.
DOM-based
In DOM-based XSS, the malicious code is injected in the application response and targets the document-object model (DOM). This attack happens completely within the target browser.
At enterprise-level, WAF can help prevent an XSS attack. Input sanitization, validation and output encoding are some other ways of securing your web-application against XSS attacks.
Denial of Service (DOS)
A DOS attack disrupts normal functioning of the target server by flooding or crashing the services, making it inaccessible to legitimate users.
When a number of systems are utilized to perform a DOS attack on a single target, it is called a Distributed-Denial-of-Service (DDOS) attack.
At enterprise-level, DDOS protection solutions are used as a defense mechanism. Some other detection and prevention strategies include rate limiting, network segmentation, use of CDNs, IP blocking and load balancing.
Ransomware
Ransomware is a malware which is designed to encrypt data of the target server and is held hostage until a ransom is paid to the attacker.
At enterprise-level, it is essential to have a backup of your critical systems so that reimaging is possible. The affected system is usually disconnected from the network and organizational SOPs are followed. This is where involvement of law enforcement is required who may have access to decryptors.
Zero-Day Exploit
Attackers use unknown software/hardware vulnerabilities to their advantage, resulting in 0-day exploits which cannot be prevented and this is where having proper security controls and a defense-in-depth strategy can help reduce any potential impact.
SQL Injection
In a SQL Injection attack, malicious SQL queries are inserted in input fields of application, resulting in insertion, updating or deletion of data in the database.
At enterprise-level, WAF can help detect and block SQL injection attempts. Some other prevention strategies include input validation, sanitization and use of parameterized queries.
Detection and Protection Tools
Now that we know of the common attack types, let’s get to know the different detection and protection tools.
SIEM
Security Information and Event Management (SIEM) is a solution used by organizations to detect, analyze and respond to cyber-attacks. It works by collecting event log data from various log sources in real-time and send out alerts based on SIEM rules that are created to differentiate between potential threats and normal network traffic.
Some examples of SIEM tools include Splunk, IBM QRadar and Microsoft Azure Sentinel.
Firewall
A firewall is a network security device that filters incoming and outgoing traffic based on rules that are configured to meet organizational security policies.
Currently, Next-Gen Firewalls are utilized at enterprise-level and broadly provide the following functionalities:
· Perform stateful inspection of network traffic, where content of each packet is analyzed and compared to packets that were previously allowed by the firewall.
· Ability to block application-level attacks and advanced malware.
· Integrated IPS
· Threat Intelligence feeds
Web Application Firewall (WAF)
A WAF is essentially a firewall for web applications and works by monitoring, filtering and blocking any malicious HTTP/HTTPS traffic.
Intrusion Prevention System (IPS)
An IPS is a tool that prevents any intrusion attempts at the network and session layer of the OSI model. It uses signatures and policies to identify threats and block them. This tool also provides partial protection at the application layer.
Endpoint Detection and Response (EDR)
An EDR is an end-point security solution that continuously monitors end-user devices to detect and respond to sophisticated attacks such as Advanced Persistent Threats (APTs), ransomware, etc.
This is an advanced version of an antivirus solution, and works based on a combination of signatures, IOAs (Indicators of Attack), AI and Machine Learning algorithms which focus on cyber-attack tactics, techniques and procedures (TTPs) and provides a more holistic approach to threats.
Proxy
A proxy server acts as an intermediary between users and internet and helps segregate web traffic so that cyber attackers cannot access a private network.
Data Loss Prevention (DLP)
DLP is a security solution that helps detect and prevent leakage of sensitive data. This helps organizations comply with various data privacy regulations, and protects against insider threats, inappropriate handling of sensitive data, and data breaches.
User and Entity Behavior Analytics (UEBA)
UEBA is a security solution that detects anomalies in users as well as devices across the network through Machine Learning algorithms.
This complements traditional security mechanisms to detect a wider-range of cyber-attacks.
Career Paths in Cybersecurity
Now that we have covered various security tools used to protect against cyber threats, we will now get into the various career paths in cybersecurity that you can pursue as you start your professional journey.
1. Tools and Engineering
Are you someone who is able to learn new tools and technology quickly and with relative ease? If yes, then this may be the area for you. At enterprise-level, there’s a constant shortage of skilled cybersecurity professionals and tools and engineering is one of those areas.
The Tools and Engineering department is usually responsible for implementing various security tools and maintaining their utilization. Most of the other cybersecurity teams depend on the Tools and Engineering department as they utilize security tools and require them to be regularly updated.
Examples of positions in this area include Security Engineer, Security Architect.
2. The Defensive Track
Are you someone who’s able to work in a high-pressure environment where you’re always surrounded by cyber-attacks and want to directly be involved with responding to these attacks? If yes, then the Defensive track is for you. This is another challenging area where there’s a shortage of skilled cybersecurity professionals.
The Defensive track includes the Security Operations Centre, Incident Response, Threat Hunting, Vulnerability Management etc. and work together to protect an organization from various cyber threats. These are collectively called the Blue Team.
Examples of positions in this area include SOC Analyst, SOC Lead, Vulnerability Management Analyst, Incident Response Analyst, Threat Hunter, and Cyber Forensics Analyst.
3. The Offensive Track
Are you someone with a curious mind and an ability to break into systems to understand the flaws? Then the offensive track is for you. This is a popular area but also a difficult one to start in due to the high learning curve and time involved.
The Offensive track includes Penetration Testing, Red Teaming, Ethical Hacking, Application Security, Reverse Engineering, etc. and work collectively to help organizations maintain compliance with various security policies and help keep systems and applications secure.
Examples of positions in this area include Penetration Tester, Ethical Hacker, Red Team Analyst and Application Security Engineer.
4. Consulting
Are you someone who is unable to decide on one path and want to try out a little bit of everything? Then the consulting path is for you. This is a high demand area in cyber security that provides ample growth opportunities but requires you to be a good technical communicator.
Consulting in cybersecurity covers all the possible subdomains and gives you the opportunity to build an expertise in an area of your choice.
Examples of positions in this area include Security Consultant and Security Analyst.
5. Management
Are you someone who loves to manage teams and make decisions that have a direct organizational impact? Then the management path is for you.
This is a path that can be taken after around 5 years of experience in one of the other cybersecurity fields.
Examples of positions in this area include Cybersecurity Manager, Department Head, Regional Head and Chief Information Security Officer (CISO).
6. DevSecOps
Are you someone with good coding skills and want to bridge the gap between development and cybersecurity teams? Then the DevSecOps track is for you.
This track includes Identity and Access Management, Security Orchestration Automation and Response (SOAR) and Threat Modeling.
Examples of positions in this area include IAM Analyst, SOAR Engineer and Threat Modeling Analyst.
7. Cloud Security
Are you someone who is interested in exploring cloud infrastructure and wants to completely focus on securing the same? If yes, then the Cloud Security track is for you.
A relatively new field that is rapidly expanding, there’s a huge shortage of skilled cybersecurity professionals here. Various organizations have adopted the cloud technology differently but there are high chances of you working on AWS, Azure or GCP cloud.
Examples of positions in this area include Cloud Security Engineer and Cloud Security Architect.
Tips and Tricks from Professional Experience
I have covered most areas within cybersecurity that you can consider to pursue your career in and would like to end this article by sharing some tips and tricks that helped me and will benefit you in your cybersecurity journey.
· Cybersecurity is a constantly evolving field and requires you to stay updated with the latest trends. There are a lot of platforms such as ‘The Hacker News’ that cover these and can send you daily/weekly emails to help you stay updated. Highly recommend signing up and develop a habit to go through the emails.
· You are required to constantly learn in cybersecurity as tools and technologies change rapidly. Stay patient and keep short learning goals to help you reach a desirable level of skill.
· Some areas in cybersecurity are more hands-on and some are just plain theory. I recommend choosing an area that matches both your skill-set and your interest as this will help you in the long-term. This matching doesn’t need to be a 100% skill-set/interest but should have a balance of both.
· If you choose to pursue an area that is hands-on in nature, I recommend exploring various platforms such as HackTheBox, TryHackMe, Blue Team Labs, LetsDefend, etc. which will help you improve your hands-on skills and provide exercises for all skill-levels.
That’s all folks, until next time!
