
Introduction to Information Security

Overview of the lesson

We cannot start a meaningful exploration of computer security without defining the subject itself. Hence, in this lesson, we will outline several terms that security people use all the time.

What you'll learn

  • What security is and why it is important.
  • Basic security literacy.

So far, we discussed all kinds of technical topics on this platform: what web applications are, how they work, what is a server and the list can go on. But nothing about security. Here is the good news — the waiting has ended! In this course, we will explore the core principles of computer security, what makes an application vulnerable, different defense mechanisms, and many others!

Prerequisites: None.
Objective: To understand what security is and learn several terms that are used in the security industry.

However, we cannot start a meaningful exploration of computer security without defining the subject itself. So, let’s begin the discussion by answering the most obvious question: what is security?

What is security?

Whether you work in the IT industry or not, you probably noticed that security buzzwords come and go in the media. They are all over the Internet — a new data breach here, a malware or phishing campaign there, millions of devices at risk due to a security bug, financial information of thousands stolen, social media accounts of a large company got hacked. But what’s this “security” thing that people keep talking about?

Let's consult the dictionaries:

Security: the quality or state of being secure such as
a: freedom from danger : SAFETY
b: freedom from fear or anxiety
c: freedom from the prospect of being laid off //job security

Secure:
a: free from danger
b: affording safety //a secure hideaway
c: TRUSTWORTHY, DEPENDABLE //a secure foundation
d: free from risk of loss

Merriam-Webster

Security:
a: freedom from risk and the threat of change for the worse
b: freedom from danger; safety

Oxford Dictionary

So, we can say that security is freedom from danger, a threat, or a risk. In the context of information security, it refers to the risks, threats, and dangers related to computing devices such as computers, smartphones, IoT, servers, networks, but also covers the data stored on these devices.

The primary goal of security is simple: to make sure that technology does only what it is supposed to, and nothing else. Security's job is not necessarily to stop hackers and prevent breaches but to work towards the same goal as the rest of the company and help the business move forward. For instance, if the company's goal is to make money, the security department should make sure that the organization doesn't lose money due to a lack of security measures.

Each industry has its own jargon terms, and security makes no exception. In this field, you will often encounter terms such as vulnerability, attack, threat, exploit, and the list can go on. So, before diving deeper into your learning journey, it is imperative to make sure we all talk the same language. Don't worry — we won't overwhelm you with all of it (we have a glossary for that). We'll cover additional terms and technologies in more detail as we explore further.

What is a vulnerability?

A vulnerability is a weakness of a system that allows an attacker to perform unauthorized actions, such as viewing the sensitive data of other users or destroying or modifying data. Vulnerabilities are, in most cases, introduced accidentally, a consequence of our fallible ability to design secure systems.

Over time, some studies have suggested that the number of vulnerabilities grows with the complexity of a system. Other studies found this correlation to be weak and almost impossible to demonstrate [1] [2] [3]. While the relationship between complexity and vulnerabilities can’t be generalised, there is one thing we can be sure of — there is no absolutely secure system.

What is an attack?

Vulnerabilities, by their nature, are waiting to be discovered. They simply exist in software — but until someone finds and uses them, they are latent.

A cyber attack is when an attacker uses a vulnerability to gain an unfair benefit (e.g., financial or social gain, or cheating access controls) or to inflict damage on systems. Usually, it is a multi-step process. To make things easier to understand, we will use an example in which an attacker wants to get access to someone else’s account on uphack.io. Here are the steps involved:

  1. Reconnaissance — everything starts when the attacker innocuously gathers information about the targeted feature. For instance, an attacker may analyse how the reset password feature works. To do so, he will request a recovery code, just like a typical user. At this stage, everything seems legit and the attack cannot be detected.
  2. Weaponization — once the attacker understands the underlying principle behind the targeted feature, he comes up with different attack scenarios to confirm whether a vulnerability exists. Here are just a few hypotheses:
    • If the recovery code is short (e.g., four digits), he may be able to guess it by testing all 8999 possible codes (1000-9999)
      Note:
      Here is an example where programming can be useful. Testing 9999 codes manually may take a while, but a ten-line Python script can do it in a matter of seconds.
    • Maybe the application is vulnerable to SMTP header injection, and the recovery link could be redirected to the attacker’s email address.
    • Maybe the application’s behavior could be changed by altering the HTTP request (e.g., changing the Host header).
    • Maybe the reset password feature is vulnerable to SQL Injection.
      Note:
      An attack is a self-contained attempt to exploit a specific vulnerability. Hence, each of the above scenarios is an independent attack attempt.
  3. Profit — if one or more attack scenarios work, then the attacker has found a vulnerability. He can then use it in his own interest.
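The recovery-code scenario above is easiest to understand from the defender's side. The following is an added example, not code from the original lesson or from uphack.io: a small recovery-code store that removes the guessing opportunity with a longer random code, a per-code attempt limit, an expiry, single use, and a constant-time comparison, plus a helper that shows how the attacker's odds change with code length. The class name, alphabet and limits are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# Constructed example (not part of the original lesson): closes the guessing
# scenario by limiting attempts, expiring codes and using a code too long to enumerate.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no look-alike characters


def guess_probability(code_space: int, allowed_attempts: int) -> float:
    """Chance that an attacker guesses a uniformly random code within the attempt budget."""
    return min(1.0, allowed_attempts / code_space)


class RecoveryCodeStore:
    """Issues and verifies single-use recovery codes; one outstanding code per account."""

    def __init__(self, max_attempts: int = 5, ttl_seconds: int = 600, length: int = 8):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.length = length
        self._codes = {}  # account -> [code, expiry_timestamp, attempts_left]

    def issue(self, account: str, now=None) -> str:
        now = time.time() if now is None else now
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(self.length))
        self._codes[account] = [code, now + self.ttl, self.max_attempts]
        return code  # would be sent out of band (e-mail/SMS), never echoed in the response

    def verify(self, account: str, candidate: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, expiry, attempts_left = entry
        if now > expiry or attempts_left <= 0:
            self._codes.pop(account, None)  # expired or locked: user must request a new code
            return False
        entry[2] -= 1  # every check, right or wrong, consumes one attempt
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(code.encode(), candidate.encode()):
            self._codes.pop(account, None)  # single use
            return True
        return False
```

With 9000 four-digit codes and unlimited attempts the guess probability is 1.0; with an 8-character code from this alphabet and 5 attempts it is below one in a hundred billion.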

Who is the attacker?

In the last few years, many great security tools have emerged. Some of them even made the exploitation of specific vulnerabilities (e.g., SQL Injection) as easy as entering the target URL and pressing the Start button. While their purpose was to speed up the job of ethical hackers, some people used them as their primary weapon, as a substitute for competence and actual security knowledge.

Such people are called script-kiddies. They lack the expertise and rely solely on existing hacking tools to break into systems, without even understanding how these tools work or what’s going on behind the scenes. Motivated by curiosity, mischief, or simply the desire to show off, they are opportunistic attackers that don’t have a specific target in mind. Instead, they use automated scanners to find targets affected by low-hanging-fruit vulnerabilities.

Fun fact:
By the way, have you noticed that our first-level badge illustrates a carrot? That’s a reference to the logo of a well-known hacking tool called Havij.

Next, there are cybercriminals or hackers. In contrast to skiddies, a hacker is usually highly skilled, operating individually or as part of a criminal organisation. Motivated by financial gain, they are interested in financial information or large amounts of personally identifiable information (PII) that can be sold on the black market. Hackers are usually opportunistic attackers, but they can be much more patient, persistent, well-funded, and stealthy compared to skiddies.

At the top of the chain are the state-sponsored attackers. They can have unlimited patience and funding to achieve their purpose, and are motivated by the political, commercial, or military interests of their country rather than by financial gain. This type of attacker targets the critical infrastructure and services of a country. This includes — but is not limited to — fuel pipelines, power grids, nuclear reactors, healthcare, or the financial sector. One example of such an attack is Stuxnet — a malicious worm designed to sabotage Iran’s nuclear program.

What is an exploit?

An exploit is a tool, a method, or a command that allows an attacker to take advantage of a vulnerability.

What is a threat?

A security threat refers to anything that can put a system or its information at risk. This includes viruses, backdoors, vulnerabilities, and even natural disasters.

But what’s the difference between an attack and a threat then?

A threat is a circumstance that has the potential to inflict harm, while an attack is the attempt to cause damage. Here is a simple example to illustrate this.

If you don’t regularly update your operating system to the latest version, your computer may have lots of vulnerabilities. The fact that one day an attacker could target your computer because you don’t update your OS represents a threat. Once an attacker finds out your system is vulnerable, he will attempt to exploit it. That is an attack.

So, let’s recap: A threat is any bad thing that can happen to a system. A threat exists because there is a vulnerability; hence, a vulnerability makes a threat possible. An attack is a deliberate attempt to exploit that vulnerability.

What is risk?

Risk is the likelihood that a threat turns into an attack. It also refers to the harm that such an attack would cause. The commonly used formula for calculating risk is the probability of a threat, multiplied by the probability that a vulnerability exists, multiplied by the maximum impact of a successful attack:

Risk = Threat * Vulnerability * Impact/Severity

The impact of a vulnerability depends on the likelihood that it will be successfully exploited. In turn, likelihood depends on the existing security mechanisms, the difficulty of the attack, and the type of potential attacks. For example, an SQL Injection vulnerability is considered highly dangerous because it is both easy to find and exploit, and it can have a serious impact.

Conclusion

This lesson, hopefully, sheds some light on what computer security is and on the terms commonly used in this industry. Many other concepts still need to be explained; we'll cover them in the next lessons, as we explore further.
