2. Key Security Concepts - CIA
Confidentiality
• Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity
• Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
Availability
• Ensuring timely and reliable access to and use of information
To complete the picture:
1. Authenticity
2. Accountability
3. Levels of Impact
Low
The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Moderate
The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
High
The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
4. Vulnerabilities, Threats and Attacks
• Vulnerabilities – a system may be:
– Corrupted (loss of integrity)
– Leaky (loss of confidentiality)
– Unavailable or very slow (loss of availability)
• Threats
– Capable of exploiting vulnerabilities
– Represent potential security harm to an asset
• Attacks (threats carried out)
– Passive – attempt to learn or make use of information from the system that does not affect system resources
– Active – attempt to alter system resources or affect their operation
– Insider – initiated by an entity inside the security perimeter
– Outsider – initiated from outside the perimeter
5. Passive and Active Attacks
Passive Attack
• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of the attacker is to obtain information that is being transmitted
• Two types:
– Release of message contents
– Traffic analysis
Active Attack
• Attempts to alter system resources or affect their operation
• Involves some modification of the data stream or the creation of a false stream
• Four categories:
– Replay
– Masquerade
– Modification of messages
– Denial of service
6. Countermeasures
Dealing with security attacks:
• Prevent
• Detect
• Recover
A countermeasure may itself introduce new vulnerabilities
Residual vulnerabilities may remain
Goal is to minimize the residual level of risk to the assets
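As an added illustration (not part of the slides), the following Python script shows the "Detect" countermeasure applied to three of the four active-attack categories listed on the previous slide: modification of messages, masquerade and replay. Each message carries an HMAC over the sender name, a per-sender sequence number and the payload, and the receiver rejects anything whose tag does not verify or whose sequence number has already been consumed. The key, the `Message`/`Receiver` classes and the sample messages are all constructed for this example. Passive attacks (eavesdropping, traffic analysis) are not detected by this mechanism, since the messages travel in the clear; denial of service is likewise outside its scope.

```python
# Added example (not from the slides): detecting replay, modification and
# masquerade on a message stream with an HMAC that covers the sender name, a
# per-sender sequence number and the payload. Key, names and messages are
# constructed for this illustration.
import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-shared-key"   # constructed sample; a real deployment uses a per-peer secret


@dataclass(frozen=True)
class Message:
    sender: str
    seq: int
    payload: bytes
    tag: bytes


def _mac(key: bytes, sender: str, seq: int, payload: bytes) -> bytes:
    # Sender and sequence number are bound into the MAC, so altering any of
    # the three fields without the key invalidates the tag.
    data = sender.encode() + b"|" + str(seq).encode() + b"|" + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def send(key: bytes, sender: str, seq: int, payload: bytes) -> Message:
    return Message(sender, seq, payload, _mac(key, sender, seq, payload))


class Receiver:
    """Verifies tags and remembers the highest sequence number per sender."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: dict[str, int] = {}

    def check(self, msg: Message) -> str:
        expected = _mac(self.key, msg.sender, msg.seq, msg.payload)
        if not hmac.compare_digest(expected, msg.tag):
            # A bad tag means the fields were altered (modification) or the
            # message was produced without the key (masquerade); the receiver
            # cannot tell the two apart and rejects both.
            return "rejected: bad tag"
        if msg.seq <= self.last_seq.get(msg.sender, -1):
            # Tag is genuine but the sequence number was already consumed.
            return "rejected: replay"
        self.last_seq[msg.sender] = msg.seq
        return "accepted"


def demo_message_checks() -> list[str]:
    """Run constructed scenarios through one receiver; returns the verdicts."""
    rx = Receiver(KEY)
    genuine = send(KEY, "alice", 1, b"transfer 10")
    verdicts = [rx.check(genuine)]                                   # accepted
    # Modification: payload changed in transit, tag left as it was.
    verdicts.append(rx.check(Message("alice", 1, b"transfer 99", genuine.tag)))
    # Masquerade: a party claiming to be alice but without the shared key.
    verdicts.append(rx.check(send(b"not-the-key", "alice", 2, b"transfer 50")))
    # Replay: the genuine first message delivered a second time.
    verdicts.append(rx.check(genuine))
    # The next genuine message is still accepted.
    verdicts.append(rx.check(send(KEY, "alice", 2, b"transfer 5")))
    return verdicts


if __name__ == "__main__":
    for verdict in demo_message_checks():
        print(verdict)
```

The receiver state (`last_seq`) is what makes replay detection possible; the tag alone would verify a replayed message, which is why sequence numbers (or timestamps with a window) are part of the design and not an optional extra. Note also that the residual risk the countermeasures slide warns about is visible here: the scheme is only as strong as the secrecy of the shared key, and the state must survive restarts or a replay window reopens.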
7. Trends that have shaped cybersecurity
• The increasing economic value of information
• Computer networks are part of the critical national framework
• Third parties control information that is not under our control
• Criminalisation of the internet
• Ever increasing complexity of networks
• Slower patching, faster exploits
• Sophistication of threats
• End user as attacker
• Regulatory pressure
Adapted from Schneier (2006)
Video: https://www.youtube.com/watch?v=AuYNXgO_f3Y
8. Rationale for Protection
• Cybersecurity is required in order to protect systems, data and information
• We need to understand what the data and information are worth in order to determine the appropriate level of protection
• Value can be defined or perceived
– Impact on TalkTalk
• https://www.theguardian.com/business/2015/oct/23/talktalk-cyber-attack-company-unsure-how-many-users-affected
– Impact of WannaCry on the NHS
• https://www.chroniclelive.co.uk/news/north-east-news/nhs-cyber-attack-could-been-13818484
• https://www.theguardian.com/technology/2017/may/13/nhs-workers-and-patients-on-how-cyber-attack-has-affected-them
• Organisational and public perception of value may differ from an attacker's
• Value can change over time
9. Cyber Security
• Cyber security incorporates a range of domains, including
– Application of information security standards
– Implementation of secure infrastructure
– Education of users
– Creation of appropriate organisations
• In order to prepare for and attempt to prevent attacks we need to be aware of the security implications and issues in terms of systems security and information security
• Reduce risk
• Minimize attack
• Identify breaches
• Build trust
In your opinion, what are the objectives of cybersecurity?
10. Introduction to Cyber Security
Policies and Procedures
Principle of least privilege
1. Grant access only to those who need it
2. Grant as little access as possible
3. Grant it only for as long as needed
Principle of separation of risk
1. Removal of important elements from close proximity – avoids cascade
2. Separate application, host, network and business risk
3. Separate one application's risk from another's
4. Separate multiple systems' risks
Defence in Depth
Firewall, IDS, Access Control, File System
Secrecy
Kerckhoffs's principle – the security of a mechanism should not depend on the secrecy of the mechanism
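The three least-privilege rules above map directly onto the shape of an authorization record. As an added example (not part of the slides), the following Python code keeps a default-deny grant table in which every grant names one subject, one specific resource and an explicit set of actions (rules 1 and 2) and carries an expiry (rule 3). The `Grant` and `Authorizer` names, the resource strings and the sample timestamps are constructed for this illustration.

```python
# Added example (not from the slides): a default-deny authorization table that
# applies the three least-privilege rules. Class names, resource strings and
# timestamps are constructed for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    subject: str            # rule 1: access is tied to a named subject
    resource: str           # rule 2: one specific resource, no wildcards
    actions: frozenset      # rule 2: only the actions actually needed
    expires_at: int         # rule 3: epoch seconds after which the grant is dead


class Authorizer:
    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def grant(self, subject: str, resource: str, actions, ttl_seconds: int, now: int) -> Grant:
        # Every grant must carry a positive lifetime; there is no "forever".
        if ttl_seconds <= 0:
            raise ValueError("ttl_seconds must be positive")
        g = Grant(subject, resource, frozenset(actions), now + ttl_seconds)
        self._grants.append(g)
        return g

    def revoke(self, subject: str, resource: str) -> None:
        self._grants = [g for g in self._grants
                        if not (g.subject == subject and g.resource == resource)]

    def allowed(self, subject: str, resource: str, action: str, now: int) -> bool:
        # Default deny: only an unexpired grant naming this exact subject,
        # resource and action permits the request.
        return any(
            g.subject == subject and g.resource == resource
            and action in g.actions and now < g.expires_at
            for g in self._grants
        )

    def expired(self, now: int) -> list[Grant]:
        # Grants past their expiry should be purged; listing them supports audit.
        return [g for g in self._grants if now >= g.expires_at]


def demo_least_privilege() -> dict:
    """Exercise the three rules on one constructed grant; returns the decisions."""
    az = Authorizer()
    t0 = 1_700_000_000   # constructed "now"
    az.grant("analyst", "db:payroll", {"read"}, ttl_seconds=3600, now=t0)
    return {
        "read_now": az.allowed("analyst", "db:payroll", "read", t0 + 60),        # True
        "write_now": az.allowed("analyst", "db:payroll", "write", t0 + 60),      # False: rule 2
        "other_db": az.allowed("analyst", "db:hr", "read", t0 + 60),             # False: rule 2
        "other_user": az.allowed("intern", "db:payroll", "read", t0 + 60),       # False: rule 1
        "after_expiry": az.allowed("analyst", "db:payroll", "read", t0 + 3601),  # False: rule 3
        "expired_count": len(az.expired(t0 + 3601)),                             # 1
    }


if __name__ == "__main__":
    for name, decision in demo_least_privilege().items():
        print(f"{name}: {decision}")
```

The design choice worth noticing is that the table has no way to express "everything" or "forever": a caller who wants broad, permanent access has to create many specific grants and renew them, which is exactly the friction the principle is meant to introduce.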
11. Threat Landscape
Examples:
• Advanced persistent threats
• Cyber crime (dependent and enabled)
• Hacktivism
• Insider threats
• Nuisance threats
• etc.
What cyber threats can you identify?
12. Advanced Persistent Threats
• Attack profile
– targeted, organised and funded attacks, potentially associated with nation-state sponsorship or other powerful entities
• Primary objectives
– typically medium to long term; exfiltration of intellectual property for the purpose of eliminating years of R&D, competitive economic and/or nation-state advantage
• Attack methods
– social engineering, spear phishing, drive-by download attacks, espionage, focused perimeter breaches
13. Cyber Crime
• Attack profile
– opportunistic, broad-based, often motivated by financial gain
• Primary objectives
– typically short term; identity theft, credit card fraud, extortion, botnet creation & management
• Attack methods
– phishing attacks, hosting malware on legitimate websites, SPAM-related attacks, cyber extortion techniques
14. Hacktivism
• Attack profile
– organised attacks associated with groups of individuals with political, ethical, religious, or retaliatory motives
• Primary objectives
– typically short term; cause havoc & chaos, disrupt operations, discredit and malign via disclosure of sensitive information
• Attack methods
– distributed denial of service attacks (DDoS), traditional hacking techniques, spear phishing
15. Insider Threats
• Attack profile
– legitimate internal user with hidden malicious intentions
• masqueraders (those who operate under the identity of another user)
• clandestine users (those who evade access controls and auditing)
• misfeasors (those who have legitimate authorisation but misuse their privileges)
• Primary objectives
– short to long term; compromise of sensitive information, destruction, revenge, espionage, harassment
• Attack methods
– access via legitimate credentials and privileges, data exfiltration, physical and logical sabotage, surveillance
17. Cyber Security in Organisations
Cybersecurity Actions in Organisations
• Ensure that there are clear processes and procedures to:
– Define the cybersecurity environment, including risks, threats and implications of breaches
– Detect when a breach of cybersecurity has happened – including ways of identifying issues with policy and the implementation of policy
– Defend against potential threats and attacks – considering appropriate layers of security
– Deter potential attackers and misusers – both from outside the organisation and inside
18. Cyber Security in Organisations
• Training and Awareness of Employees
– Ensuring that there is a robust cybersecurity policy in the organisation
– Ensuring that all staff are trained in (and aware of) cybersecurity threats
– Raising awareness of the threat from social engineering
21. The Threat Matrix
[Figure: a matrix plotting Business Impact (vertical axis) against Probability of Threat (horizontal axis). Threats placed on the matrix: Financial application crash, DoS attack, Application security, earthquake, Information leak, E-mail content disclosure, Wireless LANs, OS systems security, PDA/handhelds, Internet worms, Virus, Privacy leak, Web services breach, Disgruntled employees, Access management failure. The figure's placement of each threat is not reproduced in the text.]
22. SANS 20 Critical Security Controls
• Overview: https://www.youtube.com/watch?v=vg6ck7ZSBrI
• Infographic: https://uk.sans.org/media/critical-security-controls/Poster_CIS-Security-Controls_2018.pdf
• Visit the main page: https://www.cisecurity.org/controls/
Outline:
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defences
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defence
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises