Cloud Security
Key Security Concepts - CIA
Confidentiality
• Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity
• Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
Availability
• Ensuring timely and reliable access to and use of information
To complete the picture:
1. Authenticity
2. Accountability
Levels of Impact
Low
The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Moderate
The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
High
The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Vulnerabilities, Threats and Attacks
• Vulnerabilities
– Corrupted (loss of integrity)
– Leaky (loss of confidentiality)
– Unavailable or very slow (loss of availability)
• Threats
– Capable of exploiting vulnerabilities
– Represent potential security harm to an asset
• Attacks (threats carried out)
– Passive – attempt to learn or make use of information from the system that does not affect system resources
– Active – attempt to alter system resources or affect their operation
– Insider – initiated by an entity inside the security perimeter
– Outsider – initiated from outside the perimeter
Passive and Active Attacks
Passive Attack
• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being transmitted
• Two types:
– Release of message contents
– Traffic analysis
Active Attack
• Attempts to alter system resources or affect their operation
• Involve some modification of the data stream or the creation of a false stream
• Four categories:
– Replay
– Masquerade
– Modification of messages
– Denial of service
Countermeasures
Dealing with security attacks
• Prevent
• Detect
• Recover
A countermeasure may itself introduce new vulnerabilities
Residual vulnerabilities may remain
Goal is to minimize residual level of risk to the assets
Trends that have shaped cybersecurity
• The increasing economic value of information
• Computer networks are part of the critical national framework
• Third parties control information not under our control
• Criminalisation of the internet
• Ever increasing complexity of networks
• Slower patching, faster exploits
• Sophistication of threats
• End user as attacker
• Regulatory pressure
Adapted from Schneier (2006)
Video: https://www.youtube.com/watch?v=AuYNXgO_f3Y
Rationale for Protection
• Cybersecurity is required in order to protect systems, data and information
• We need to understand what the data and information is worth in order to determine the appropriate level of protection
• Value can be defined or perceived
– Impact on TalkTalk
• https://www.theguardian.com/business/2015/oct/23/talktalk-cyber-attack-company-unsure-how-many-users-affected
– Impact of WannaCry on NHS
• https://www.chroniclelive.co.uk/news/north-east-news/nhs-cyber-attack-could-been-13818484
• https://www.theguardian.com/technology/2017/may/13/nhs-workers-and-patients-on-how-cyber-attack-has-affected-them
• Organisational and public perception of value may be different from an attacker's.
• Value can change over time
CyberSecurity
• Cyber security incorporates a range of domains, including
– Application of information security standards
– Implementation of secure infrastructure
– Education of users
– Creation of appropriate organisations
• In order to prepare for and attempt to prevent attacks we need to be aware of the security implications and issues in terms of systems security and information security
• Reduce risk
• Minimize attack
• Identify breaches
• Build trust
In your opinion, what are the objectives of cybersecurity?
Introduction to Cyber Security
Policies and Procedures
Principle of least privilege
1. Grant access only to those who need it
2. Grant as little access as possible
3. Grant it only for as long as needed
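The three rules above expressed as a deny-by-default access check plus an audit of existing grants. This is an added Python example, not part of the original slides; the `Grant` record, the principal and resource names, and the 30-day maximum lifetime are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """Hypothetical access-grant record (not from the slides)."""
    principal: str
    resource: str
    actions: frozenset
    expires_at: Optional[datetime]  # None means "never expires"
    justification: str = ""


def is_allowed(grants, principal, resource, action, now):
    """Deny by default. Allow only on an exact, unexpired grant.

    Wildcards are never honoured and a grant without an expiry is
    treated as invalid, so the check fails closed.
    """
    for g in grants:
        if g.principal != principal or g.resource != resource:
            continue
        if action not in g.actions:        # rule 2: exact action only
            continue
        if g.expires_at is None or g.expires_at <= now:  # rule 3
            continue
        return True
    return False


def audit_grants(grants, now, max_lifetime=timedelta(days=30)):
    """Return (principal, resource, rule, message) for each violation."""
    findings = []
    for g in grants:
        def flag(rule, msg):
            findings.append((g.principal, g.resource, rule, msg))

        if not g.justification.strip():
            flag(1, "no recorded need for this access")
        if "*" in g.actions or g.resource == "*":
            flag(2, "wildcard grant is broader than any single task")
        if g.expires_at is None:
            flag(3, "no expiry set")
        elif g.expires_at <= now:
            flag(3, "expired grant not yet revoked")
        elif g.expires_at - now > max_lifetime:
            flag(3, "lifetime exceeds policy maximum")
    return findings


# Constructed sample data for the example.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "payroll-db", frozenset({"read"}),
          NOW + timedelta(hours=8), "month-end report"),
    Grant("bob", "payroll-db", frozenset({"*"}), None, ""),
    Grant("carol", "build-server", frozenset({"deploy"}),
          NOW - timedelta(days=1), "release 2.3"),
]

if __name__ == "__main__":
    print(is_allowed(GRANTS, "alice", "payroll-db", "read", NOW))
    for finding in audit_grants(GRANTS, NOW):
        print(finding)
```
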
Principle of separation of risk
1. Removal of important elements from close proximity – avoids cascade
2. Separate application, host, network and business risk
3. Separate one application’s risk from another’s
4. Separate multiple systems risks
Defence in Depth
Firewall, IDS, Access Control, File System
Secrecy
Kerckhoffs’s principle – the security of a mechanism should not be dependent on the secrecy of the mechanism
Threat Landscape
Examples:
• Advanced persistent threats
• Cyber crime (dependent and enabled)
• Hacktivism
• Insider threats
• Nuisance threats
• etc.
What cyber threats can you identify?
Advanced Persistent Threats
• Attack profile
– targeted, organised and funded attacks potentially associated with Nation State sponsorship or other powerful entities
• Primary Objectives
– typically medium to long term; exfiltration of intellectual property for purposes of eliminating years of R&D, competitive economic and/or nation state advantage
• Attack methods
– social engineering, spear phishing, drive-by download attacks, espionage, focused perimeter breaches
Cyber Crime
• Attack profile
– opportunistic, broad-based, often motivated by financial gain
• Primary Objectives
– typically short term; identity theft, credit card fraud, extortion, botnet creation & management
• Attack methods
– phishing attacks, hosting malware on legitimate websites, SPAM related attacks, cyber extortion techniques
Hacktivism
• Attack profile
– organised attacks associated with a group of individuals with political, ethical, religious, or retaliatory motives
• Primary objectives
– typically short term; cause havoc & chaos, disrupt operations, discredit and malign via disclosure of sensitive information
• Attack methods
– distributed denial of service attacks (DDoS), traditional hacking techniques, spear phishing
Insider Threats
• Attack profile
– legitimate internal user with hidden malicious intentions
• masqueraders (those who operate under the identity of another user)
• clandestine users (those who evade access controls and auditing)
• misfeasors (those who have legitimate authorisation but misuse their privileges)
• Primary objectives
– short to long term; compromise of sensitive information, destruction, revenge, espionage, harassment
• Attack methods
– access via legitimate credentials and privileges, data exfiltration, physical and logical sabotage, surveillance
Nuisance Threats
• Attack profile
– unskilled attackers, scanners & crawlers, SPAM, worms/viruses, basic malware
• Primary objectives
– often unknown or irrelevant; recognition & status, reconnaissance, financial
• Attack methods
– automated scanners, public exploit kits, generic SPAM email, propagating worms/viruses, adware, scareware
Cyber Security in Organisations
Cybersecurity Actions in Organisations
• Ensure that there are clear processes and procedures to:
– Define the cybersecurity environment, including risks, threats and implications of breaches.
– Detect when a breach of cybersecurity has happened – including ways of identifying issues with policy and implementation of policy
– Defend against potential threats and attacks – considering appropriate layers of security
– Deter potential attackers and misusers – both from outside the organisation and inside.
Cyber Security in Organisations
• Training and Awareness of Employees
– Ensuring that there is a robust cybersecurity policy in the organisation
– Ensuring that all staff are trained in (and aware of) threats from cybersecurity
– Raising awareness of the threat from social engineering
Source:
https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/NCSC%2010%20Steps%20To%20Cyber%20Security%20NCSC.pdf
Source: https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/NCSC%20Cyber%20Attacks.pdf
The Threat Matrix
[Figure: threat matrix plotting Business Impact against Probability of Threat. Threats plotted: Financial application crash, DoS attack, Application security, Earthquake, Information leak, E-mail content disclosure, Wireless LANs, OS systems security, PDA/handhelds, Internet worms, Virus, Privacy leak, Web services breach, Disgruntled employees, Access management failure.]
SANS 20 Critical Security Controls
• Overview: https://www.youtube.com/watch?v=vg6ck7ZSBrI
• Infographic: https://uk.sans.org/media/critical-security-controls/Poster_CIS-Security-Controls_2018.pdf
• Visit the main page: https://www.cisecurity.org/controls/
Outline:
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defences
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defence
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises
CIS Controls Version 8
RISK IQ’s Evil Internet Minute
Cloud Security Challenges
1. Data Breaches
2. Compliance With Regulatory Mandates
3. Lack of IT Expertise
4. Cloud Migration Issues
5. Unsecured APIs
6. Insider Threats
7. Open Source
Cloud Security Risks
1. Misconfiguration
2. Unauthorized Access
3. Insecure Interfaces/APIs
4. Hijacking of Accounts
5. Lack of Visibility
6. External Sharing of Data
7. Malicious Insiders
8. Cyberattacks
9. Denial of Service Attacks
