Chapter 1: Introduction to Ethical Hacking
System security consists of methods and processes used for protecting information and information systems from unauthorized access, disclosure, usage or modification. Information security ensures the confidentiality, integrity, and availability of information. If an organization lacks security policies and appropriate security rules, its confidential information and data will not be secure, putting the organization at great risk. Well-defined security policies and procedures help in protecting the assets of an organization from unauthorized access and disclosures.
In the modern world, the latest technologies and platforms let millions of users interact with each other every minute, and every one of those minutes exposes private and public organizations to a wide range of threats, old and new. The public internet is the fastest and most common channel for spreading them: malicious code and scripts, viruses, spam and other malware are constantly waiting to be executed. This is why security risk to a network or system can never be eliminated entirely. The continual challenge is to implement a security policy that is effective and efficient, rather than one made up of unnecessary controls that waste resources and open new loopholes for threats.
eBay Data Breach
One famous example demonstrating the need for corporate information and network security is the data breach that occurred at eBay. eBay is a well-known online auction platform that is widely used all over the world.
In 2014, eBay reported a massive data breach. According to eBay, the sensitive data of 145 million customers was compromised in this attack. The data included the following:
- Customers’ names
- Encrypted passwords
- Email addresses
- Postal addresses
- Contact numbers
- Dates of birth
Information such as that listed above must never be stored in plain text. Personal data should be encrypted with strong, well-vetted algorithms, and passwords in particular should not be encrypted at all but stored as salted hashes produced by a deliberately slow password-hashing function, so that a copied database does not yield the passwords themselves. eBay stated that no financial information such as credit card numbers was compromised, because the database holding financial data is kept separate and encrypted. Even so, the theft of identity data and password hashes carries severe risk: weak hashes can be cracked offline, and the personal details can be used for targeted phishing and identity theft.
Attackers carried out the eBay data breach by compromising a small number of employee credentials through phishing between February and March 2014. Specific employees may have been targeted in order to gain access to eBay’s network, or eBay’s network may have been monitored for some time before the attack. eBay claimed to have detected the intrusion within two weeks.
Google Play Hack
A Turkish hacker, Ibrahim Balic, hacked Google Play twice. He admitted responsibility for the Google Play attack and claimed that he had also been behind the attack on Apple’s Developer site. While testing Google’s Developer Console for vulnerabilities, he found a flaw in the Android Operating System. He tested the flaw twice to confirm that the vulnerability really existed, then used the results of his testing to develop an Android application that exploited it. When the Developer Console crashed, users were unable to download applications and developers were unable to upload theirs.
The Home Depot Data Breach
The theft of payment card information, for example credit card numbers, is very common nowadays. On September 8, 2014, Home Depot released a statement confirming that attackers had breached its Point of Sale (POS) system.
The attackers first obtained a third-party vendor’s login credentials and used them to reach Home Depot’s POS network from the vendor’s environment. A zero-day vulnerability in Windows was then exploited to move from that foothold into Home Depot’s corporate network. Once inside, memory-scraping malware was deployed to the Point of Sale terminals. Memory-scraping malware reads card data from a terminal’s RAM during the brief window in which it is held unencrypted, and in this case it harvested the details of millions of payment cards.
In response, Home Depot started deploying EMV chip-and-PIN payment cards. Such cards carry a security chip that authenticates each transaction with a one-time cryptogram, so data copied from the card cannot simply be replayed the way magnetic-stripe data can. EMV is the standard payment card in many countries today. It reduces counterfeit-card fraud at the terminal, but it does not protect card-not-present (online) transactions, so it prevents only certain types of card fraud.
The term Hack Value refers to the attractiveness, interest, or thing of worth to the hacker. The value describes the targets’ level of attractiveness to the hacker.
A Zero-Day Attack exploits a vulnerability that the vendor or developer has not yet identified or patched, so at the time of the attack no fix is available to apply.
Vulnerability refers to a weak point or loophole in any system or network that can be helpful and utilized by attackers to hack into the system. Any vulnerability can be an entry point from which they can reach their target.
Daisy Chaining is a sequence of hacking or attacking attempts to gain access to a network or system, one after another, using the same information and the information obtained from the previous attempt.
An Exploit is the code or technique that takes advantage of a vulnerability, zero-day or otherwise, to breach a system’s security.
The term Doxing means publishing information, or a set of information, associated with an individual. This information is collected from publicly available databases, mostly social media and similar sources.
In networking, Payload refers to the actual data carried in a frame or packet, as opposed to the headers and other metadata added automatically. In information security, the payload is the part of an exploit that performs the harmful action once the vulnerability has been triggered, such as opening a backdoor, hijacking a session or installing malware.
A Bot is software used to control a target remotely and execute predefined tasks; it can run automated scripts over the internet. Bots are also known as Internet Bots or Web Robots. They can serve legitimate purposes, for example chatbots and live chat, but they are also used maliciously in the form of malware. Malware bots give the attacker complete control over the infected computer.
The National Institute of Standards and Technology (NIST) defines confidentiality as “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information”. We always want to make sure that our secret and sensitive data is secure. Confidentiality means that only authorized personnel can work with and see our infrastructure’s digital resources, and that unauthorized persons have no access to the data at all. Data is generally in one of two states: data in motion, as it moves across the network, and data at rest, when it sits on storage media (servers, local hard drives, the cloud). For data in motion, encrypt it before sending it over the network; a separate network for sensitive data can be used alongside encryption. For data at rest, encrypt the storage media so that the data cannot be read if the media is stolen.
NIST defines integrity as “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity”. We never want our sensitive and personal data to be modified or manipulated by unauthorized persons. Data integrity ensures that only authorized parties can modify data and that any unauthorized change is detected. NIST SP 800-56B defines data integrity as a property whereby data has not been altered in an unauthorized manner since it was created, transmitted or stored; in that Recommendation, the statement that a cryptographic algorithm “provides data integrity” means that the algorithm is used to detect unauthorized alterations.
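The “detect unauthorized alterations” property in working form, as an added example (not code from the original page or from NIST): an HMAC-SHA256 tag is appended to a serialized record, and the record is accepted only if the tag recomputed under the shared key matches. The key, the record and the `<json>.<tag>` encoding are constructed here for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional


def protect(key: bytes, record: dict) -> bytes:
    """Serialize a record canonically and append an HMAC-SHA256 tag: b'<json>.<tag hex>'."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"." + tag


def unprotect(key: bytes, blob: bytes) -> Optional[dict]:
    """Return the record only if its tag verifies under `key`; None if altered or forged."""
    body, sep, tag = blob.rpartition(b".")     # the hex tag never contains '.', the JSON may
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(body.decode("utf-8"))


def demo() -> tuple:
    """Constructed scenario: a transfer record, the same record edited in transit, and a forgery."""
    key = b"constructed-shared-secret"          # assumed key shared by sender and receiver
    blob = protect(key, {"account": "1234", "amount": 100, "to": "supplier"})
    tampered = blob.replace(b'"amount":100', b'"amount":9000')   # attacker edits the amount
    return unprotect(key, blob), unprotect(key, tampered), unprotect(b"wrong-key", blob)


if __name__ == "__main__":
    print(demo())   # (the original record, None, None)
```

An HMAC gives integrity and authenticity between the holders of the key, but not non-repudiation: either party could have produced the tag, so a third party cannot tell which one did. Proving origin to a third party requires a digital signature made with a key only the signer holds.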
Availability is ensuring timely and reliable access to, and use of, information and the systems that hold it. If authorized personnel cannot access data because of a general network failure or a Denial-of-Service (DoS) attack, it is a critical problem from the business point of view, as it may result in loss of revenue or of important records.
We can use the term “CIA” to remember these basic yet most important security concepts.
|Element||Risk if lost||Protection|
|Confidentiality||Loss of privacy, unauthorized access to information, identity theft||Encryption, authentication, access control|
|Integrity||Information no longer reliable or accurate, fraud||Maker/checker, quality assurance, audit logs|
|Availability||Business disruption, loss of customer confidence, loss of revenue||Business continuity plans and tests, backup storage, sufficient capacity|
Table 1-01: Risk and Its Protection by Implementing CIA
Authentication is the process of identifying credentials of authorized users or devices before granting privileges or access to a system or network, and enforcing certain rules and policies. Similarly, authenticity ensures the appropriateness of certain information and whether it has been initiated by a valid user who claims to be the source of that information. Authenticity can be verified through the process of authentication.
Figure 1-01: Elements of Information Security
Non-repudiation is one of the Information Assurance (IA) pillars. It provides proof of the origin and delivery of information so that neither party can later deny its role: the sender cannot deny having sent a message, and the receiver cannot deny having received it. It is achieved with digital signatures; encryption alone does not provide it, because a shared secret lets either side produce the same message. Signed documents, digital contracts and signed email messages use non-repudiation techniques.
In a system, the level of security is a measure of the balance between three components: Security, Functionality, and Usability. Together they form the Security, Functionality and Usability triangle. Picture a ball inside this triangle: if the ball sits in the center, the three components are balanced. If the ball moves closer to Security, the system is spending more of its resources on security, and its Functionality and Usability need attention. A well-designed system provides strong protection while still offering the services, features and usability its users need.
Figure 1-02: Security, Functionality & Usability Triangle
Implementing a high level of security typically reduces functionality and ease of use. Very strict security often makes a system less user-friendly and decreases performance. When deploying security, security experts must preserve a reliable level of functionality and usability; the three components of the triangle must always be kept in balance.
To breach information security, an attacker needs three things: a motive or objective, a method, and a vulnerability. These three components are the building blocks on which every attack depends (Attack = Motive + Method + Vulnerability).
- Motive or Objective: The reason an attacker focuses on a particular system
- Method: The technique or process used by an attacker to gain access to a target system
- Vulnerability: The weakness in the target that lets the method succeed
An attacker’s motive or objective for attacking a system is usually something of value stored in that system. Whatever the motive, there is always a goal the attacker wants to achieve, and that goal is what makes the attacker a threat to the system. Typical motives are information theft, manipulation of data, disruption, propagation of political or religious beliefs, damage to the target’s reputation, or revenge. Method and vulnerability go hand in hand: once a vulnerability has been found, the attacker chooses the tools and techniques that exploit it to achieve the motive.
Figure 1-03: Information Security Attack
Cloud Computing Threats
Cloud computing has become a popular trend today. Its widespread implementation has exposed it to several security threats. Most of the threats are similar to those faced by traditionally hosted environments. It is essential to secure cloud computing for the purpose of protecting important and confidential data.
Following are some threats that exist in cloud security:
- A data breach is the major threat in a cloud environment, and a single breach can cause significant loss. Because a tenant’s records sit together in shared infrastructure, one compromised credential or misconfiguration can expose every record that tenant holds in the cloud, so the compromise of one record often leads to many others being compromised
- Data loss is one of the most common threats. It may be intentional or accidental and small or large in scale; massive data loss is catastrophic and costly
- Another major threat is the hijacking of an account or service. Applications running in the cloud with flaws, weak encryption or other vulnerabilities let an intruder take control, manipulate data and alter the behaviour of the service
Figure 1-04: Cloud Computing Threats
Furthermore, there are several other threats faced by cloud computing, which are as follows:
- Insecure APIs
- Denial of Services
- Malicious Insiders
- Poorly secured multi-tenancy
Advanced Persistent Threats
An Advanced Persistent Threat (APT) is a prolonged, targeted intrusion whose purpose is to steal information over time. APTs usually target private organizations or have political motives. The process relies on advanced and sophisticated techniques to exploit vulnerabilities in a system. The term “persistent” refers to an external command-and-control system that continuously monitors the target and extracts data from it. The term “threat” indicates the involvement of an attacker with potentially harmful intentions.
The criteria used to characterize an APT are:
|Criterion||Description|
|Objectives||Motive or goal of the threat|
|Timeliness||Time spent probing and accessing the target|
|Resources||Level of knowledge and tools available|
|Risk Tolerance||How much risk of detection the attacker accepts in order to stay in place|
|Skills & Methods||Tools and techniques used throughout the event|
|Actions||Precise actions taken by the threat|
|Attack Origination Points||Number of points from which the attack originates|
|Numbers Involved in Attack||Number of internal and external systems involved|
|Knowledge Source||Where information about the threat can be obtained|
Table 1-02: Advanced Persistent Threat Criteria
Viruses and Worms
In network and information security, the term virus describes malicious software that spreads by attaching itself to other files; riding on those files is what carries it onto other systems. A virus requires user interaction, such as opening the infected file, to trigger, infect the resident system and begin its malicious activity.
Unlike viruses, worms spread on their own: they replicate across the network without needing a host file or any user interaction, which lets them propagate very quickly. Worms have appeared in different forms since the 1980s, and some have been extremely destructive, causing devastating DoS conditions on the networks they flooded.
Emerging mobile phone technology, especially smartphones, has raised the focus of attacks over mobile devices. As smartphones became popularly used all over the world, attackers’ focus shifted to stealing business and personal information through mobile devices. The most common threats to mobile devices are:
- Data Leakage
- Insecure Wi-Fi
- Network Spoofing
- Phishing Attacks
- Broken Cryptography
- Improper Session Handling
An insider attack is an attack performed on a system inside a corporate network by a trusted person. The trusted user is termed an “insider” because they hold privileges and are authorized to access network resources, which lets them bypass the perimeter controls aimed at outsiders.
Figure 1-05: Insider Threats
Botnets are groups of bots connected through the internet to perform a distributed task continuously; they are sometimes called the workhorses of the internet. The name combines robot (the repetitive tasks they perform) and network. Bots have long been used on Internet Relay Chat (IRC) to automate channel tasks, and botnets of that kind are legal and useful.
A botnet may be built for legitimate purposes, but many botnets are illegal and intended for malicious activity. Malicious botnets recruit systems through malicious scripts and code, either by attacking the system directly or by means of a “spider”, a program that crawls the internet looking for security holes. Once installed, the bot contacts the master (command-and-control) computer, reports that the system is under its control, and joins the attacker’s network; the attacker then controls all of the bots remotely from the master computer.
Information security threats fall into three categories: network threats, host threats and application threats.
The primary components of network infrastructure are routers, switches, and firewalls. These devices not only perform routing and other network operations but they also control and protect the running applications, servers, and devices from attacks and intrusions. A poorly configured device allows an intruder to exploit targets. Common vulnerabilities that are present on a network include using default installation settings, open access controls, weak encryption and passwords, and devices lacking the latest security patches. Top network level threats include:
- Information Gathering
- Sniffing and Eavesdropping
- Session Hijacking
- Man-in-the-Middle Attack
- DNS and ARP Poisoning
- Password-based Attacks
- Denial-of-Services Attacks
- Compromised Key Attacks
- Firewall and IDS Attacks
Host threats target the system software on which applications are built and run: the operating system (for example Windows) and platform components such as the .NET Framework and SQL Server. Host level threats include:
- Malware Attacks
- Password Attacks
- Denial-of-Services Attacks
- Arbitrary Code Execution
- Unauthorized Access
- Privilege Escalation
- Backdoor Attacks
- Physical Security Threats
The best practice for analyzing application threats is to organize them into application vulnerability categories. The main threats to an application are:
- Improper Data / Input Validation
- Authentication and Authorization Attack
- Security Misconfiguration
- Information Disclosure
- Broken Session Management
- Buffer Overflow Issues
- Cryptography Attacks
- SQL Injection
Operating System Attacks
In Operating System Attacks, attackers search for vulnerabilities in the Operating System and, once they find one, exploit it to attack the system. Some of the most common Operating System vulnerabilities are:
- Buffer Overflow Vulnerabilities
Buffer overflow is one of the major types of Operating System attack and belongs to the family of software exploitation attacks. It occurs when a program does not enforce well-defined boundaries on the data it handles, either the amount of data a buffer can hold or the type of data that may be input, and so writes past the end of the buffer into adjacent memory. The consequences range from Denial of Service (DoS), crashes, reboots and freezes to the attacker gaining unrestricted access by redirecting execution to code of their own.
How does it occur?
- Input larger than the buffer is accepted without a length check
- A program or process writes past the end of a fixed-length block of memory (a buffer)
- Coding errors, such as missing bounds checks or use of unbounded library functions
How to prevent it?
The Open Web Application Security Project (OWASP) lists a number of general techniques to prevent buffer overflows, including:
- Code auditing (automated or manual)
- Developer training – bounds checking, use of unsafe functions, and group standards
- Non-executable stacks – many operating systems have at least some support for this
- Compiler tools – StackShield, StackGuard, and Libsafe, among others
- Safe functions – use bounded variants such as strncat instead of strcat and strncpy instead of strcpy, bearing in mind that strncpy does not NUL-terminate the destination when the source is too long, so the result must still be terminated explicitly
- Patches – Be sure to keep your web and application servers fully patched, and be aware of bug reports relating to applications upon which your code is dependent.
- Periodically scan your application with one or more of the commonly available scanners that look for buffer overflow flaws in your server products and your custom web applications.
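One way to implement the automated code-auditing technique listed above, as an added example (this is not OWASP’s code or the page’s own): a heuristic scanner that flags calls to unbounded C string functions and suggests a bounded replacement. The C snippet is constructed for illustration, the function list and suggestions are assumptions to be extended to your own coding standard, and the regex approach is a heuristic rather than a parser, so it complements a compiler-integrated or commercial static analyzer instead of replacing one.

```python
import re
from typing import List, Tuple

# Assumed list for illustration: unbounded C functions and the alternative to suggest.
UNSAFE_FUNCTIONS = {
    "gets": "fgets (gets has no length bound at all)",
    "strcpy": "an explicit length check plus memcpy, or snprintf "
              "(strncpy does not NUL-terminate when the source is too long)",
    "strcat": "an explicit length check, or snprintf",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "scanf": "scanf with a field width (e.g. %63s) or fgets",
}
# \b keeps strncpy, sscanf and strcpy_s from matching the unbounded names.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, UNSAFE_FUNCTIONS)) + r")\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\\n])*"')
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def _blank(match) -> str:
    """Replace a match with spaces, keeping newlines so line numbers stay correct."""
    return re.sub(r"[^\n]", " ", match.group(0))


def audit_c_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, function, suggestion) for each call to an unbounded function.

    String literals and comments are blanked first so that text merely mentioning
    strcpy( is not reported. This is a heuristic, not a C parser: macros or calls
    split across lines can be missed.
    """
    cleaned = COMMENT_RE.sub(_blank, STRING_RE.sub(_blank, source))
    findings = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, name, UNSAFE_FUNCTIONS[name]))
    return findings


# Constructed sample for illustration, not code from any real project.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) mentioned in a comment is not a finding */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* unbounded copy into a 32-byte buffer */
    printf("hello %s\\n", buf);
}

int read_line(char *out, size_t n) {
    return fgets(out, n, stdin) != NULL;   /* bounded: not flagged */
}

void log_it(const char *msg) {
    char line[64];
    sprintf(line, "[log] %s", msg);        /* can overflow line */
    puts(line);
}
"""

if __name__ == "__main__":
    for lineno, func, fix in audit_c_source(SAMPLE_C):
        print(f"line {lineno}: {func}() is unbounded; prefer {fix}")
```

Run against the sample it reports the strcpy on line 7 and the sprintf on line 17 and stays silent on fgets and on the comment. Wiring a check like this into a pre-commit hook or CI job is the cheap, continuous form of the “periodically scan” advice above.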
- Bugs in the Operating System
In a Software Exploitation Attack, attackers find a bug in the software and exploit it. This vulnerability might be a mistake by the developer while developing the program code. Attackers can discover these mistakes and use them to gain access to the system.
- Unpatched Operating System
An unpatched Operating System remains exposed to publicly known vulnerabilities, so it allows malicious activity or fails to block malicious traffic that a patched system would stop. Successful intrusions can have severe impact in the form of compromised sensitive information, data loss and disruption of regular operation.
In a corporate network, the administrator must change the default configuration of every new device before putting it into service. If a device is left with its default configuration, any user who has network connectivity to it, even without the privilege to access it, can log in with the default credentials. This is no challenge for an intruder: default credentials are common, weak and published, and no security policies are enabled on a device by default.
Similarly, granting an unauthorized person access, or giving a person resources and permissions beyond what their role requires, can also lead to an attack. Using the organization’s name as a username or password makes it even easier for attackers to guess the credentials.
Application Level Attacks
Before releasing an application, developers must test and verify it thoroughly on their side. In an Application Level Attack, a hacker can use:
- Buffer Overflow
- Active Content
- Cross-Site Script
- Denial of Service
- SQL Injection
- Session Hijacking
Shrink Wrap Code Attacks
A Shrink Wrap Code Attack targets off-the-shelf (“shrink-wrapped”) software: hackers exploit holes in unpatched Operating Systems and in poorly configured software and applications that were installed exactly as delivered by the vendor. To understand shrink-wrap vulnerabilities, consider an Operating System that ships with a bug in its original software version. The vendor may have released an update, but the window between the vendor’s release of a patch and the client’s installation of it is critical: during that time the unpatched system is vulnerable to the shrink-wrap attack. Shrink-wrap attacks also exploit insecure test pages and debugging scripts bundled with software; the developer must remove these before release.
Information warfare is a form of conflict fought over the control of information. The term “Information Warfare” or “Info War” describes the use of Information and Communication Technology (ICT) to gain a competitive advantage over an opponent or rival. Information warfare is classified into two types:
- Defensive Information Warfare
Defensive Information Warfare covers all defensive actions taken to protect oneself from attacks that aim to steal information or subvert information-based processes. Its areas include:
- Indication and Warning
- Emergency Preparedness
- Offensive Information Warfare
Offensive Information Warfare is an aggressive operation conducted against a rival proactively, rather than waiting for the rival to attack. The fundamental idea is to take control of the opponent’s information territory rather than lose one’s own. The opponent and its strategies are identified, and the attacker decides how to attack based on the available information. Offensive Information Warfare denies the opponent the use of its information by attacking that information’s integrity, availability, or confidentiality.
A hacker is a person with the skill to gain access to a system they are not authorized to use and take information from it, such as business data, personal data, financial information, credit card information, usernames and passwords. An attacker does this by taking unauthorized control of the system using different techniques and tools. Hackers typically have strong skills in developing software and in exploring both software and hardware. There can be several reasons for hacking, the most common being fun, money, thrills or a personal vendetta.
Figure 1-06: Types of Hacker
The term hacking in information security refers to exploiting vulnerabilities in a system and compromising the security to gain unauthorized command and control of the system. The purpose for hacking may include alteration of a system’s resources or disruption of features and services to achieve other goals. Hacking can also be used to steal confidential information for any use such as sending it to competitors, regulatory bodies, or publicizing it.
The following are the five phases of hacking:
- Reconnaissance
- Scanning
- Gaining Access
- Maintaining Access
- Clearing Tracks
Reconnaissance is the initial preparation phase, in which the attacker gathers information about the target, using different tools and techniques, before launching an attack. The information gathered makes the attack easier and, for large-scale attacks, helps to identify the target range.
In Passive Reconnaissance, a hacker acquires information about the target without directly interacting with the target. An example of passive reconnaissance is searching social media to obtain the target’s information.
Active Reconnaissance is gaining information by directly interacting with the target. Examples include contacting the target via phone calls, emails, the help desk or technical departments, as well as probing its systems directly.
Scanning is a pre-attack phase in which the attacker probes the network using the information acquired during reconnaissance. Scanning tools include dialers, port scanners, network mappers, client tools such as ping, and vulnerability scanners. Through scanning, the attacker learns which hosts are live, which ports are open or closed, what Operating System and device type each host runs, and other details depending on the type of scan.
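The most basic port scan described above, as an added example (not code from the original page or from any named scanner): a TCP connect() scan that reports a port as open when the three-way handshake completes. To keep it runnable offline it scans a listener that the script itself starts on the loopback address; the target host, port list and timeout are assumptions.

```python
import socket
from typing import Iterable, List, Tuple

HOST = "127.0.0.1"   # assumed target: the loopback address, so the example runs offline


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """TCP connect() scan: a port is open if the full three-way handshake completes.

    A refused connection (RST) means closed; a timeout with no reply usually
    means a firewall dropped the probe (filtered). Both are skipped here.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # ConnectionRefusedError and timeouts are both OSError
                continue
            open_ports.append(port)  # handshake completed: something is listening
    return open_ports


def start_listener(host: str = HOST) -> Tuple[socket.socket, int]:
    """Listen on an ephemeral port so the scan has something to find; the caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)        # the kernel completes handshakes into the backlog; no accept() needed
    return srv, srv.getsockname()[1]


def free_port(host: str = HOST) -> int:
    """Pick a port that is currently closed: bind to 0, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, listening = start_listener()
    try:
        closed = free_port()
        found = connect_scan(HOST, [listening, closed])
        print(f"open: {found}  (listener on {listening}; {closed} expected closed)")
    finally:
        srv.close()
```

A connect scan completes the handshake, so the target application and its logs see every probe; the stealthier SYN (half-open) scan used by tools such as Nmap needs raw-socket privileges. Against remote hosts a timeout with no reply usually means the port is filtered rather than closed, which is why the scan distinguishes the two cases in its comments even though it reports only open ports.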
Gaining Access is the phase in which the hacker takes control of an Operating System (OS), application or computer network. The control gained defines the access level: Operating System level, application level or network level. Techniques include password cracking, denial of service, session hijacking, buffer overflow and other methods of obtaining unauthorized access. After gaining access, the attacker escalates privileges to obtain complete control over services and processes and to compromise connected intermediate systems.
Maintaining Access / Escalation of Privileges
In the maintaining access phase the attacker tries to keep access to, ownership of and control over the compromised systems. The hacker usually hardens the compromised system to keep security personnel and other hackers from taking it back, and uses backdoors, rootkits or Trojans to retain ownership. In this phase the attacker may steal information by uploading it to a remote server, download further files onto the compromised system, or manipulate its data and configuration settings, and may use the compromised system as a launch point for attacks on other systems.
An attacker must hide their identity by clearing or covering tracks, the activity of concealing malicious actions. To achieve their goals without being noticed, attackers have to wipe every trace and piece of evidence that could lead back to them. To do so they usually modify or delete system, application and other related logs.
Ethical hacking and penetration testing are common terms and have been popular in information security environment for a long time. The increase in cybercrimes and hacking has created a great challenge for security experts, analysts, and regulations over the last decade. The virtual war between hackers and security professionals has become very common.
The fundamental challenge faced by security experts is to find weaknesses and deficiencies in running and upcoming systems, applications and software, and to address them proactively. Investigating before an attack occurs is far less costly than investigating after, or while dealing with, an attack. For this purpose, organizations appoint internal teams as well as external experts for penetration testing, depending on the scope and severity of the risk.
The rising number of malicious activities and cybercrimes and appearance of different forms of advanced attacks has created the need for ethical hacking. An ethical hacker penetrates security of systems and networks in order to determine their security level and advise organizations to take precautions and remediation actions against aggressive attacks. These aggressive and advanced attacks include:
- Denial-of-Services Attacks
- Manipulation of Data
- Identity Theft
- Credit Card Theft
- Theft of Services
The increase in these attacks, hacking cases and cybercrimes is largely due to the growth of online transactions and online services over the last decade, which has put financial information within much easier reach of attackers. Cybercrime law has mainly slowed down prank activity, whereas serious attacks and cybercrimes have continued to rise. Ethical hacking addresses the need for a penetration tester (pen-tester for short), who searches for vulnerabilities and flaws in a system before an attacker does.
If you want to win in the war against attackers or hackers, you have to be smart enough to think and act like them. Hackers are extremely skilled and they possess great knowledge of hardware, software, and exploration capabilities. Therefore, ethical hacking has become essential. An ethical hacker is able to counter malicious hackers’ attacks by anticipating their methods. Ethical hacking is also needed to uncover the vulnerabilities in systems and security controls to secure them before they are compromised.
Ethical Hacking is an important component of risk assessment, auditing and fraud prevention. It is widely applied as penetration testing to identify vulnerabilities and risks and highlight loopholes so that preventive action can be taken before an attack. However, ethical hacking has limitations and in some cases is insufficient on its own. For example, before hiring an external pen-tester, an organization must first define what it is looking for; this saves time and lets the testing team focus on the actual problem. The ethical hacker also helps the organization understand its own security posture better, but it is up to the organization to act on the pen-tester’s recommendations and enforce security policies over its systems and network.
Ethical Hacking is the combination of the following phases:
- Footprinting and Reconnaissance
- System Hacking
- Escalation of Privileges
- Covering Tracks
An expert ethical hacker has a set of technical and non-technical skills, as outlined below:
- Ethical Hackers have in-depth knowledge of almost all Operating Systems, including all popular, widely-used OSes such as Windows, Linux, Unix, and Macintosh.
- Ethical hackers are skilled at networking, basic and detailed concepts, technologies, and exploring capabilities of hardware and software.
- Ethical hackers have a strong command over security areas, information security related issues, and technical domains.
- They must have detailed knowledge of older attacks as well as advanced and sophisticated ones.
- Learning ability
- Problem-solving skills
- Communication skills
- Committed to security policies
- Awareness of laws, standards, and regulations
Information Assurance (IA) depends upon Integrity, Availability, Confidentiality, and Authenticity. Combining these components guarantees the assurance of information and information systems and their protection during usage, storage, and communication. These components have already been defined earlier in this chapter.
Apart from these components, some methods and processes also help in the achievement of information assurance, for example:
- Policies and Processes
- Network Authentication
- User Authentication
- Network Vulnerabilities
- Identifying Problems
- Implementation of a Plan for Identified Requirements
- Enforcement of IA Controls
Information Security Management programs are specially designed to focus on reducing the risks and vulnerabilities in the information security environment. This is done in order to train organizations and users to work in less vulnerable states. Information Security Management is a combined management solution for achieving the required level of information security using well-defined security policies as well as processes of classification, reporting, and management standards. The diagram below shows the EC-Council-defined Information Security Management Framework:
Figure 1-07: Information Security Management Framework
Threat Modeling is the process or approach of identifying, diagnosing, and assessing the threats and vulnerabilities of a system or application. It is an approach to threat assessment that focuses on analyzing systems and applications while considering their security objectives. This identification of threats and risks helps to validate security and enables an organization to take remedial action to achieve the specified objectives of the application. The process of Threat Modeling includes capturing data and implementing controls for identifying and assessing the captured packets, in order to analyze the impact in case of compromise. The application overview covers identifying the application's trust boundaries and data flows. Decomposing the application and identifying its threats helps to create a detailed review of the threats that would breach its security controls. This identification and detailed review of every aspect exposes the vulnerabilities and weaknesses of the information security environment.
Figure 1-08: Threat Modeling
Enterprise Information Security Architecture is the combination of requirements and processes that helps in determining, investigating, and monitoring the structure of the behavior of an information system. The following are the goals of EISA:
Figure 1-09: Enterprise Information Security Architecture (EISA)
Managing and deploying an organization’s architecture in different security zones is called Network Security Zoning. A security zone is a set of network devices that share a specific security level; different zones may have the same or different security levels. Defining separate security zones with their security levels helps in monitoring and controlling inbound and outbound traffic across the network.
Figure 1-10: Network Security Zoning
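The two ideas above, trust boundaries and data flows from the threat modeling section and security zones with levels from the zoning section, can be worked through on a small model. The following is an added example written for this chapter, not the book's or EC-Council's own material; the zone names, security levels, the sample application and its flows are all constructed for illustration.

```python
from dataclasses import dataclass
# Security zones with a numeric security level (higher = more trusted).
# Zone names and levels are constructed for this example.
ZONES = {"internet": 0, "dmz": 1, "internal": 2, "restricted": 3}

@dataclass(frozen=True)
class Component:
    name: str
    zone: str

@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str
    sensitivity: int  # constructed scale: 1 public .. 3 confidential

def crosses_boundary(flow):
    """A flow crosses a trust boundary when source and destination zones differ."""
    return ZONES[flow.src.zone] != ZONES[flow.dst.zone]

def direction(flow):
    # inbound = toward a more trusted zone, outbound = toward a less trusted one
    s, d = ZONES[flow.src.zone], ZONES[flow.dst.zone]
    return "inbound" if s < d else "outbound" if s > d else "internal"

def impact(flow):
    """Review priority: sensitive data crossing a wide level gap ranks highest."""
    gap = abs(ZONES[flow.src.zone] - ZONES[flow.dst.zone])
    return flow.sensitivity * (1 + gap)

def is_allowed(flow, rules):
    """Zone policy: same-zone and outbound flows pass; an inbound flow into a
    higher-security zone needs an explicit (src_zone, dst_zone, dst_name) rule."""
    if direction(flow) != "inbound":
        return True
    return (flow.src.zone, flow.dst.zone, flow.dst.name) in rules

def review(flows, rules):
    # Decompose the application into its flows and list them by impact.
    rows = [{"flow": f"{f.src.name}->{f.dst.name}", "data": f.data,
             "boundary": crosses_boundary(f), "direction": direction(f),
             "impact": impact(f), "allowed": is_allowed(f, rules)} for f in flows]
    return sorted(rows, key=lambda r: -r["impact"])

# Constructed sample application: browser -> web tier -> database / key store
browser, web = Component("browser", "internet"), Component("webapp", "dmz")
db, keystore = Component("db", "internal"), Component("key-store", "restricted")
FLOWS = [Flow(browser, web, "login form", 2), Flow(web, db, "customer records", 3),
         Flow(web, keystore, "card tokens", 3), Flow(db, web, "query results", 3)]
RULES = {("internet", "dmz", "webapp"), ("dmz", "internal", "db")}  # none for key-store
```

Running `review(FLOWS, RULES)` ranks the web tier's flow into the restricted key store first: it carries the most sensitive data across the widest level gap and has no zone rule permitting it, which is exactly the kind of finding the threat model should surface for remediation.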
Information Security Policies are the fundamental component on which every other part of an information security infrastructure depends. Fundamental security requirements, conditions, and rules are written into an information security policy and enforced to secure the organization’s resources. These policies cover the outlines of management, administration, and security requirements within an information security architecture.
Note: An Information Security Policy (ISP) is the set of rules and policies issued by an organization with which its users or employees must comply.