Cybersecurity
eBook - ePub

Cybersecurity

A Practical Engineering Approach

Henrique M. D. Santos

  1. 314 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About the book

Cybersecurity: A Practical Engineering Approach introduces the implementation of a secure cyber architecture, beginning with the identification of security risks. It then builds solutions to mitigate risks by considering the technological justification of the solutions as well as their efficiency. The process follows an engineering process model. Each module builds on a subset of the risks, discussing the knowledge necessary to approach a solution, followed by the security control architecture design and the implementation. The modular approach allows students to focus on more manageable problems, making the learning process simpler and more attractive.


Information

Year: 2022
ISBN: 9781000562491
Edition: 1
Category: Computer Science
Category: Cybersecurity

CHAPTER 1 Cybersecurity Fundamentals

DOI: 10.1201/9780429286742-1
Alice: Would you tell me, please, which way I ought to go from here?
Cat: That depends a good deal on where you want to get to.
Alice: I don't much care where—
Cat: Then it doesn't matter which way you go.
– Lewis Carroll, Alice in Wonderland

1.1 Summary

Cybersecurity is becoming a central issue in any use of Information Systems, affecting everything we interact with nowadays. Put simply, it starts with the identification of the security properties we want to preserve, the main threats that can affect those properties, the weaknesses of the target system, and the techniques and procedures we can use to mitigate those threats. However, given the dynamics of the overall system and its surroundings, it is still necessary to keep an eye on the security properties and protection mechanisms, measuring all possible security indicators in a continuous and manageable way. It sounds like a model, right? And it is.
Among the proposals to address the above process, the family of standards known as ISO/IEC 27k describes all the main components, even addressing different contexts, and by its nature has earned the acceptance of a large community. There are some alternatives focusing on particular system details, but the 27k model is generic enough to allow the deployment of flexible and effective information security management systems. Despite the apparent simplicity of the task, the subjectivity of some security objectives and the intrinsic difficulty of measuring the efficiency of most security controls mean that deploying a proper Cybersecurity program can be a nightmare.
This chapter starts by describing the main concepts and definitions, and proposes a simple model based on the ISO/IEC 27001 standard, aimed at allowing an easier approach (specially crafted for small implementations) and a better understanding of the overall process, so as to promote the engineering of more adequate security solutions. The related skills are exercised using a typical case study. After that, and as part of the Cybersecurity Engineer toolbox, a laboratory based on virtualization technologies is described in a tutorial fashion. This lab will be used throughout the book.

1.2 Introduction

Security can be simply defined as a process aiming to protect something (a system) against threats, like attacks, accidents, or any other type of event that can produce damage. In the context of this book, by ‘system’ we restrict ourselves to Information Systems in general, including computer systems, networks, users, and the information they handle. By protection, we mean minimizing the impact of failures (their damages), keeping the system working as long as possible and fulfilling the requirements (both functional and non-functional) as much as possible. We are not considering the effects of system failures on its environment, nor any appreciation of external perceptions, like reliability, for example. We are mainly concerned with information, as a central asset of Information Systems. This is basically what Information Security (InfoSec) is about.
Notwithstanding the simplicity of the above definition, putting together such a process is a daunting task. Besides requiring a deep knowledge of the complex and diverse technology used nowadays to design and build all the types of digital equipment in question (which, by itself, is beyond the capacity of any single person), it also demands a broad understanding of the highly complex threat landscape, and even a basic knowledge of business models, legal frameworks and human behavior (of both legitimate and malicious users). Furthermore, with technological evolution, as well as the socio-economic turbulence of our days (and, most likely, of future eras), there is a trend for systems and threats to become more complex. In short, system engineering with Cybersecurity objectives in mind means aiming for more dependable systems [7, p. 20]. Simple to state, (very) hard to make happen.
It is useful to look back to where it all began, to understand better why we are here and what the future may bring us concerning Cybersecurity. In the beginning of the IT era (in the ’50s), with a few computer centers available in easy-to-control physical spaces, and used for particular purposes, InfoSec was mostly a matter of carefully controlling physical access, limited to a few groups of specialized operators, and monitoring a single computer facility. Easy task. In just a few decades, and mostly for economic reasons, we evolved first to time-sharing systems, allowing several users to use the system at the same time, but still confined to the same building. InfoSec became more difficult, but still feasible: it additionally required supervising and controlling a limited number of rooms, the users entering and leaving, and the paper listings they carried – there were no external storage devices at that time.
The next step, promoting flexibility, ease of access and new business opportunities, was to deploy and explore fully distributed Information Systems. They became supported by a global Internet¹ (slowly but steadily integrating all communication technologies), operated by virtually any human being, or even any machine (the emerging Internet of Things (IoT) paradigm), through a plethora of heterogeneous devices, using incredibly complicated (and economically almost impossible to test) software and protocol stacks, and used to support nearly all aspects of human life (social, professional, and leisure). Understandably, InfoSec has become an impressive task, very complex as well as critical. The worst part is that it potentially cuts business exploration by limiting flexibility.
_________________________
¹The expansion of the Internet has been followed and documented by some interesting projects, one of the most well-known being the ‘Internet Mapping Project’ (see https://en.wikipedia.org/wiki/Internet_Mapping_Project). One of the outcomes is Lumeta (https://www.firemon.com/products/lumeta/), which provides useful information about the global Internet.
Given the scope, the community naturally began to use the prefix Cyber, merely seeking to convey the idea of the magnitude, but without significantly altering its fundamentals. Therefore, at the level of the fundamentals, talking about Cybersecurity or InfoSec is no different; the distinction is only relevant when analyzing specific contexts or technologies. But it is indeed a highly demanding job, from the engineering, operating, and managing perspectives.
Over the past few decades, Cybersecurity problems have been alarmingly accentuated. After attracting the interest of ‘harmless’ hackers (frequently young students, or self-taught technicians, driven by curiosity or just the challenge), the rapid increase in profit from Cybercrime, coupled with a relatively low perceived risk of being caught, began to attract organized criminal groups. Contributing to this trend is also the development of increasingly sophisticated attack tool frameworks, which (also) require increasingly low technical skills to operate.
It is therefore not surprising to notice a rise in news related to cyber attacks, targeting all types of organizations and even individuals, accompanied by a remarkable effort by different institutions to put in place an influential security culture. As an example of this effort, in Europe ENISA² organizes a Cybersecurity month (with several events to raise Cybersecurity awareness in general), and promotes standards, regulations, projects, policies, strategies, a multinational cyber-exercise, a network of emergency response centers (CERTs³), and periodic reports that expose the main dangers and trends [36, 160] – see the example in Figure 1.1. The same effort is very evident in the USA, mainly through NIST⁴, in many other countries, and even in organizations of broad scope, such as NATO's Cyber Security Centre⁵, a specialized unit within NATO's NCI Agency. Unfortunately, these efforts appear to be much more reactive than proactive, which makes cybersecurity professionals seem to be chasing the damage instead of the cause, most of the time.
Figure 1.1: Example of the threat landscape provided by ENISA, for 2018 [160]
This scenario's foreseeable evolution doe...
