An interactive introduction to Information Security and Cyber Security for BTEC students studying IT at Swindon College in the UK. The session illustrates the breadth and diversity of the subject and the opportunities it can offer, and shows that things might not always be as they seem and that the impacts can be far wider-reaching than first imagined.
5. What is Information Security?
“Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”
SANS Institute: Information Security Resources
More simply:
“Protecting the Confidentiality, Integrity and Availability of your information”.
6. The CIA Triad …
• What are Confidentiality, Integrity and Availability?
• Confidentiality – keeping information “secret” or “private”
• Integrity – ensuring information is accurate and has not been altered without authorisation
• Availability – ensuring information is available when it is needed
8. Latest Data breaches … as of 15th November
Courtesy of:
www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
9. Why does this matter?
• Because there’s a data collection explosion going on:
• 2.5 exabytes of data harvested daily
• 90% of the world’s data has been collected in the last 2 years
• By 2020, an estimated 40 Zettabytes in total
• Much of that data is about you …
• An estimated 5.7TB of data about each of you by 2020
• Most of that data is collected by 4 companies
10. But it’s not a matter of life or death
• Or is it?
• DDoS attack on building heating systems – Finland
• Malware at Northern Lincolnshire and Goole NHS Foundation Trust led to hundreds of operations being cancelled
• Cyber attacks threatening national security doubled in a year
• UK facing up to seven serious cyber assaults every day
11. How do you go about protecting information?
• If it’s not useful to the business, it’s not useful to you
• Information security is about enabling the business and ensuring that bad things don’t jeopardise the business
• It needs to be proportionate to the risk
Easy …
But:
12. Business Impact Assessment
• Understand what data or information you have or need = Information Assets
• Understand the value of the information to your business
• Understand the impact if there was an incident or compromise
• e.g. an impact to the C, I or A
13. Assess risk
• What is a risk?
“The likelihood of a threat exploiting a vulnerability and having an adverse impact on the confidentiality, integrity or availability of an information asset.”
• Likelihood – from won’t happen to extremely likely to happen
• Threat e.g. a criminal breaks into your house / a hacker breaks into your website
• Vulnerability e.g. leaving your house unlocked / not patching a security weakness in your website
• Impact e.g. your Xbox is stolen / the personal health records of 10K people are stolen
16. So you have a risk, what are you going to do about it?
• What’s your risk appetite?
• How does this stack up against your other risks, and which should you prioritise?
• What is the business benefit or reward?
18. A web application vulnerability in your web site could be exploited by a hacker to steal patient record data:
• Tolerate it – do nothing and accept the risk of being hacked …
• Terminate it – switch it off and deny patients the treatment they need …
• Treat it – reduce the likelihood or the impact by: encrypting the data (limits the impact), fixing the vulnerability in the code (reduces the likelihood)
• Transfer it – contract a 3rd party: to protect the website using a web application firewall service, to provide cyber insurance (note that transferring a risk does not transfer accountability for it)
19. In business …
• Risk almost always comes down to:
• Financial risk – how much am I going to lose? What is the cost to repair?
• Reputational risk – how is this going to affect my brand?
• As an InfoSec professional it’s important to:
• be able to translate “technical risk” into “business speak”
• assess and prioritise the risk
• ensure that any risk approach is proportionate
• understand that some risks can’t be avoided, so both preventive measures (e.g. antivirus) and corrective measures (e.g. virus removal) are necessary
• be prepared for an incident – Cyber Resilience
20. Cyber Security – Hot topic!
• Recognised as one of the greatest threats to business globally
• Global cost of crimes in cyberspace $445 billion (estimate from the World Economic Forum’s 2016 Global Risks Report)
• In the news daily
• Nothing new?
21. Cyber Security…. Cyber threats
How long have there been PC viruses? Brain, the first PC virus (1986), is 30 years old.
22. Major Cyber threats
• Malware and weak endpoints
• Data loss/leakage/theft
• Distributed Denial of Service attacks
• Impersonation, cybersquatting
• Interception (MiTM)
• Human error, social engineering
• Web application attacks
• Cyber crime, cyber fraud, cyber theft
• Cyber warfare, cyber terrorism
• Defacement / reputational damage
• Cyber bullying, blackmail and extortion, ransomware
• Identity theft
• Industrial espionage
• Intellectual property theft, copyright infringement
23. Web vulnerabilities – OWASP top 10 (2013)
A1 Injection e.g. SQL injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
27. 7 stages of an attack
• Reconnaissance – identify
• Scanning – and enumeration
• Infiltrate – access and escalation
• Exfiltrate – data collection
• Sustain – lateral movement, back channels/doors, rootkits, C&C
• Attack/Assault – damaging
• Obfuscate – hide actions, distract, confuse
28. Bit like breaking and entering…
Front door
• Web application vulnerability
• Typically SQL injection
Back door
• Phishing email (spearphishing, whaling)
• Social engineering credential harvesting
• Malware disguised as an invoice attachment
Gain a foothold and then:
• Escalate – get privileged access
• Move laterally to get to more sensitive assets
• Set up a “reverse shell” and join a command and control network
29. RIO – Olympic Athletes TUE Records breach
• “Sophisticated” attack
• Release of health records (Therapeutic Use Exemptions) of 29+ Olympic athletes
• Russian Fancy Bear group, allegedly Russian Government revenge
• “Sophisticated” == phishing email
30. So we learnt that…
• There are lots of threats and “attack vectors”
• It’s a serious organised business driven by money
• Often attacks don’t need to be sophisticated to begin
• But once in, the attacker can rely on an evolving array of sophisticated tools and techniques to get further
32. Approaches
• Old approaches:
• Citadel approach
• Defence in depth
• Both take an outside-in approach
• Today neither is sufficient
• Cyber attacks today are:
• As much about breaking out as breaking in
• As much about privilege escalation and lateral movement as the initial compromise
• Security controls today need to take an inside-out approach
33. So what can you do?
CIS Critical Security Controls (formerly the SANS Top 20)
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configuration of End-User Devices
4 Continuous Vulnerability Assessment & Remediation
5 Controlled Use of Administrative Privileges
6 Maintenance, Monitoring, and Analysis of Audit Logs
7 Email and Web Browser Protections
8 Malware Defense
9 Limitation & Control of Network Ports, Protocols, and Services
10 Data Recovery Capability
11 Secure Configuration of Network Devices
12 Boundary Defense
13 Data Protection
14 Controlled Access Based on Need to Know
15 Wireless Access Control
16 Account Monitoring and Control
17 Security Skills Assessment and Appropriate Training
18 Application Software Security
19 Incident Response and Management
20 Penetration Tests and Red Team Exercises
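Controls 6 (audit logs) and 16 (account monitoring) only pay off if somebody actually reads the logs. The Python below is an added example, not part of the original deck: it runs a simple detection over a handful of constructed sshd-style auth.log lines (the host name, user names, IP addresses and the five-failures-in-a-minute threshold are all invented for illustration) and flags a source that hammers several accounts and then gets in, which is the case an analyst should look at first.

```python
"""Spotting a password-guessing attack in authentication logs (added example).

The sample lines imitate OpenSSH auth.log entries but are constructed for this
illustration: host, users, addresses and thresholds are not from a real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one noisy source (203.0.113.7) that guesses several
# accounts and then succeeds, and one user who mistypes a password once.
SAMPLE_AUTH_LOG = """\
Nov 15 09:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 15 09:14:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Nov 15 09:14:04 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 40124 ssh2
Nov 15 09:14:06 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 40125 ssh2
Nov 15 09:14:07 web01 sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 40126 ssh2
Nov 15 09:14:09 web01 sshd[2201]: Accepted password for deploy from 203.0.113.7 port 40127 ssh2
Nov 15 09:20:11 web01 sshd[2310]: Failed password for alice from 192.0.2.44 port 51002 ssh2
Nov 15 09:20:15 web01 sshd[2310]: Accepted password for alice from 192.0.2.44 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2016):
    """Turn one auth.log line into a dict, or None if it is not a password event.
    syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: alert} for every source with >= threshold failures inside `window`.

    'success_after_failures' is True when the same source later authenticates
    successfully, i.e. the guessing may have worked (or a valid user is sharing
    the address); either way it needs a human to look at it.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = sorted(e["ts"] for e in evs if e["outcome"] == "Failed")
        # Sliding window: largest number of failures starting at any one failure
        # and ending within `window` of it.
        burst = 0
        for i, start in enumerate(failures):
            j = i
            while j < len(failures) and failures[j] - start <= window:
                j += 1
            burst = max(burst, j - i)
        if burst >= threshold:
            last_fail = failures[-1]
            alerts[ip] = {
                "failures": len(failures),
                "users_tried": sorted({e["user"] for e in evs if e["outcome"] == "Failed"}),
                "success_after_failures": any(
                    e["outcome"] == "Accepted" and e["ts"] > last_fail for e in evs
                ),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

The threshold and window are the knobs a real deployment tunes: too tight and a user with a stuck caps-lock key pages the on-call analyst, too loose and a slow, patient attacker never trips it. Noticing the successful login after the failures is the difference between "noisy internet" and "possible compromise".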
34. The really important stuff
Cryptography
• Establish trust: authenticity, non-repudiation, veracity (integrity), privacy (confidentiality)
Boundary defence
• Not just firewalls
• Controlling and inspecting traffic in and out
• Email and web filtering
Protective Monitoring
• Helps detect and investigate incidents
Secure Endpoints
• Lockdown
• Patching
• Malware protection
• Security testing
Incident management
• Incidents will happen
• Rehearsal == preparedness
Application security
• Input/output verification/validation
• Parameterisation
EATS
• Education
• Awareness
• Training
• Skillz
• Humans get hacked
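Slides 18, 23 and 28 all turn on the same weakness, a web application that builds SQL from what the user typed, and the Application security box above names the fix: parameterisation plus input validation. The Python below is an added example, not code from the deck, using the standard library's sqlite3 against a constructed in-memory patients table (the table, its rows, the NHS-number format check and the function names are all invented for illustration). The same attacker string leaks every row through the string-built query and nothing through the parameterised one.

```python
"""SQL injection: the vulnerable query beside its parameterised fix (added example).

Everything here is constructed for illustration: an in-memory SQLite table
standing in for a patient-record store, made-up rows, and a deliberately
simplified 10-digit format check for the lookup key.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: three fake patient rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (nhs_number TEXT, name TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("1000000001", "A. Patient", "constructed record 1"),
            ("1000000002", "B. Patient", "constructed record 2"),
            ("1000000003", "C. Patient", "constructed record 3"),
        ],
    )
    return conn


def lookup_vulnerable(conn, nhs_number):
    """OWASP 2013 A1: the caller's text is spliced into the SQL, so a quote in the
    input ends the literal and the rest is executed as part of the query."""
    sql = f"SELECT nhs_number, name, diagnosis FROM patients WHERE nhs_number = '{nhs_number}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, nhs_number):
    """Fix: the input is bound as a parameter, so it is only ever compared as data
    and can never change the shape of the query."""
    sql = "SELECT nhs_number, name, diagnosis FROM patients WHERE nhs_number = ?"
    return conn.execute(sql, (nhs_number,)).fetchall()


# Simplified allow-list check (assumption for this example: exactly ten digits;
# the real NHS number also carries a check digit, not modelled here).
NHS_NUMBER_RE = re.compile(r"^\d{10}$")


def validate_nhs_number(value):
    return bool(NHS_NUMBER_RE.match(value))


def lookup_validated(conn, nhs_number):
    """Defence in depth: reject anything that is not shaped like the key at all,
    then still bind it as a parameter."""
    if not validate_nhs_number(nhs_number):
        raise ValueError("nhs_number must be exactly 10 digits")
    return lookup_parameterised(conn, nhs_number)


INJECTION = "' OR '1'='1"  # constructed attacker input


if __name__ == "__main__":
    conn = make_db()
    print(len(lookup_vulnerable(conn, INJECTION)), "rows leaked by the string-built query")
    print(len(lookup_parameterised(conn, INJECTION)), "rows returned with parameter binding")
    print(lookup_validated(conn, "1000000002"))
```

Validation alone is not the fix: a field that legitimately contains quotes (a surname, free text) cannot be allow-listed this tightly, which is why parameter binding is the control that actually closes the hole and validation is the extra layer on top.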
35. National Cyber Security Strategy
“The UK will be one of the safest places in the world to do business, with a world-class cyber security industry and workforce thanks to a new plan underpinned by £1.9 billion of investment”.
• Automated defences to safeguard citizens and businesses against growing cyber threats
• Support a growing cyber security industry
• Develop a world-class cyber workforce
• Deter cyber-attacks from criminals and hostile actors … retaliate
36. You are that future workforce
• Lots of skills and personalities are suited to information security
• Even with these questionable attributes:
• If you’re good at breaking things and finding loopholes …
• If you like taking things apart …
• If you like sticking odd things together …
• If you can’t help poking your nose in …
• If you can’t help judging things and pointing out people’s mistakes …
• If you think you know best all the time …
Penetration tester
Security researcher
CISO
Auditor
Security Architect
Intrusion Analyst
37. The strategy == opportunity for you…
• Builds on a range of skills and education initiatives:
• cyber apprentices
• retraining schemes
• advanced cyber security teaching in schools
• Creating a Cyber Security Innovation Centre in Cheltenham
• Launching a Cyber Innovation Fund
• develop innovative technologies and products
• Funding training and support for cyber start-ups and academics
• help commercialise research and attract private sector investment
39. Remember
• Salt lakes are attractive
• They are rich ecosystems
• But it’s easy to lose your footing
• If you fall through the crust:
• It smells awful
• Gets under your skin
• And stings like hell … (for a while)
Editor's Notes
Figures from 2012
An Exabyte is a quintillion bytes; 2.5 exabytes is 2.5 billion gigabytes
40 Zettabytes is ~41,000 Exabytes
Likelihood – the probability
Threat – something nasty
Vulnerability – a weakness
Impact – the consequence