Cybersecurity
eBook - ePub

Cybersecurity

A Practical Engineering Approach

Henrique M. D. Santos

  1. 314 pages
  2. English
  3. ePUB (available in the app)
  4. Available on iOS and Android

About the book

Cybersecurity: A Practical Engineering Approach introduces the implementation of a secure cyber architecture, beginning with the identification of security risks. It then builds solutions to mitigate risks by considering the technological justification of the solutions as well as their efficiency. The process follows an engineering process model. Each module builds on a subset of the risks, discussing the knowledge necessary to approach a solution, followed by the security control architecture design and the implementation. The modular approach allows students to focus on more manageable problems, making the learning process simpler and more attractive.

Information

Year
2022
ISBN
9781000562491
Edition
1

CHAPTER 1 Cybersecurity Fundamentals

DOI: 10.1201/9780429286742-1
Alice: Would you tell me, please, which way I ought to go from here?
Cat: That depends a good deal on where you want to get to.
Alice: I don't much care where—
Cat: Then it doesn't matter which way you go.
– Lewis Carroll, Alice in Wonderland

1.1 Summary

Cybersecurity is becoming a central issue in the use of any Information System, affecting everything we interact with nowadays. Put simply, it starts with the identification of the security properties we want to preserve, the main threats that can affect those properties, the weaknesses of the target system, and the techniques and procedures we can use to mitigate those threats. However, given the dynamics of the overall system and its surroundings, it is still necessary to keep an eye on the security properties and protection mechanisms, measuring all possible security indicators in a continuous and manageable way. It sounds like a model, right? And it is.
Among the proposals to address the above process, the family of standards known as ISO/IEC 27k describes all the main components, even addressing different contexts, and by its nature has earned the acceptance of a large community. There are some alternatives focusing on particular system details, but the 27k model is generic enough to allow the deployment of flexible and effective information security management systems. Despite the apparent simplicity of the task, the subjectivity of some security objectives and the intrinsic difficulty of measuring the efficiency of most security controls mean that deploying a proper Cybersecurity program can be a nightmare.
This chapter starts by describing the main concepts and definitions, and proposes a simple model based on the ISO/IEC 27001 standard, aimed at allowing an easier approach (specially crafted for small implementations) and a better understanding of the overall process, in order to promote the engineering of more adequate security solutions. The related skills are exercised using a typical case study. After that, and as part of the Cybersecurity Engineer toolbox, a laboratory based on virtualization technologies is described in a tutorial fashion. This lab will be used throughout the book.

1.2 Introduction

Security can be simply defined as a process aiming to protect something (a system) against threats, like attacks, accidents, or any other type of event that can produce damage. In the context of this book, we restrict ‘system’ to Information Systems in general, including computer systems, networks, users, and the information they handle. By protection, we mean minimizing the impact of failures (their damages), keeping the system working as long as possible and fulfilling the requirements (both functional and non-functional) as much as possible. We are not considering the effects of system failures on the system's environment, nor any appreciation of external perceptions, like reliability, for example. We are mainly concerned with information, as a central asset of Information Systems. This is basically what Information Security (InfoSec) is about.
Notwithstanding the simplicity of the above definition, putting together such a process is a daunting task. Besides requiring a deep knowledge of the complex and diverse technology used nowadays to design and build all the types of digital equipment in question (by itself, it is beyond the capacity of any single person), it also demands a broad understanding of the highly complex threat landscape, and even a grounding in business models, legal frameworks and human behavior (of both legitimate and malicious users). Furthermore, with technological evolution, as well as the socio-economic turbulence of our days (and, most likely, of future eras), there is a trend for systems and threats to become more complex. In short, system engineering with Cybersecurity objectives in mind means aiming for more dependable systems [7, p. 20]. Simple to state, (very) hard to make happen.
It is useful to look back to where it all began, to understand better why we are here and what the future may bring us concerning Cybersecurity. In the beginning of the IT era (in the ’50s), with a few computer centers available in easy-to-control physical spaces and used for particular purposes, InfoSec was mostly a matter of carefully controlling physical access, limited to a few groups of specialized operators, and monitoring a single computer facility. Easy task. In just a few decades, and mostly for economic reasons, we evolved first to time-sharing systems, allowing several users to use the system at the same time, but still confined to the same building. InfoSec became more difficult, but still feasible: it additionally required supervising and controlling a limited number of rooms, the users entering and leaving, and the paper listings they carried – there were no external storage devices at that time.
The next step, promoting flexibility, ease of access and new business opportunities, was to deploy and explore fully distributed Information Systems. They became supported by a global Internet¹ (slowly but steadily integrating all communication technologies), operated by virtually any human being, or even any machine (the emerging Internet of Things – IoT – paradigm), through a plethora of heterogeneous devices, using incredibly complicated (and economically almost impossible to test) software and protocol stacks, and used to support nearly all aspects of human life (social, professional, and leisure). Understandably, InfoSec has become an impressive task, very complex as well as critical. Worst of all, it potentially cuts business exploration by limiting flexibility.
_________________________
¹ The expansion of the Internet has been followed and documented by some interesting projects, one of the most well-known being the ‘Internet Mapping Project’ (see https://en.wikipedia.org/wiki/Internet_Mapping_Project). One of the outcomes is Lumeta (https://www.firemon.com/products/lumeta/), which provides useful information about the global Internet.
Given the scope, the community naturally began to use the prefix Cyber, merely seeking to convey the idea of the magnitude, but without significantly altering its fundamentals. Therefore, at the level of the fundamentals, talking about Cybersecurity or InfoSec is no different; the distinction is only relevant when analyzing specific contexts or technologies. It is indeed a highly demanding job, from all the engineering, operating, and managing perspectives.
Over the past few decades, Cybersecurity problems have been alarmingly accentuated. After first attracting the interest of ‘harmless’ hackers (frequently young students, or self-taught technicians, driven by curiosity or just the challenge), the rapid increase in profit from Cybercrime, coupled with a relatively low perceived risk of being caught, began to attract organized criminal groups. Contributing to this trend is also the development of increasingly sophisticated attack tool frameworks, which require increasingly low technical skills to operate.
It is therefore not surprising to notice a rise in news related to cyber attacks, targeting all types of organizations and even individuals, accompanied by a remarkable effort by different institutions to put in place an influential security culture. As an example of this effort, in Europe ENISA² organizes a Cybersecurity month (with several events to raise Cybersecurity awareness in general), promotes standards, regulations, projects, policies, strategies, a multinational cyber-exercise, a network of emergency response centers (CERTs³), and periodic reports that expose the main dangers and trends [36, 160] – see the example in Figure 1.1. The same effort is very evident in the USA, mainly through NIST⁴, in many other countries and even in organizations of broad scope, such as NATO's Cyber Security Centre⁵, a specialized unit within NATO's NCI Agency. Unfortunately, these efforts appear to be much more reactive than proactive, which makes cybersecurity professionals seem to be chasing the damage instead of the cause, most of the time.
Figure 1.1: Example of the threat landscape provided by ENISA, for 2018 [160]
This scenario's foreseeable evolution doe...
