Cybertopic_1security

CYBERSECURITY
Governance
Security Threats and Controls

Trainer Profile
LEO LOURDES
(MBA IT Management, BoM Hons. HRM)
Implementer of ISO 20000-1:2011
Certified in COBIT® 5
Certified in ISO 9001 Auditor (PECB)
Certified in PRINCE2® in Project Management
Certified in ITIL® Practitioner
Certified in ITIL® Intermediate Certificate in IT Service Operation
Certified in ITIL Information Security based on ISO/IEC 27002
Certified in ITIL for Cloud Computing
Certified in ITIL IT Service Management
Certified in Coaching and Calibration Skills for Call Center
Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom
wecare@thinkleosolutions.com
+6016-349 1793
Experience:
Management Representative (MR) ISO 20000-1: 2011
IT Service Management (Incident, Problem, Change) Manager
Security, Compliance & Risk Management
Senior CRM Delivery Analyst
Certified Trainer
Certified IT Auditor & Consultant

The CIA Triad
Availability
Copyright © 2019 Logical Operations, Inc. All rights reserved.

Confidentiality Terms
Term Definition
Sensitivity The level of damage or harm that could occur if the asset is revealed or
disclosed.
Discretion The ability for a person to control the level of access to, or disclosure of,
an asset.
Criticality The level of importance of an asset to the mission or objective.
Concealment The act of hiding or preventing disclosure of an asset.
Secrecy The practice of preventing or limiting information disclosure.
Privacy The protection of confidential or personal information.
Seclusion The act of storing something in a location that is out of the way, and thus
not easily observed or found.
Isolation The act of keeping something separate from other things that are similar
in nature.

Integrity Terms
Term Definition
Accuracy The degree to which the data is correct and precise.
Truthfulness The quality of a source of information being factual and realistic.
Validity The quality of an asset being factually or logically sound.
Authenticity The quality of an asset being genuine.
Accountability The condition of a person or entity being held responsible for their
actions.
Responsibility The obligation of a person or entity to take ownership of their actions.
Completeness The quality of an asset that has all its necessary parts or components.
Comprehensiveness The quality of an asset being complete in scope, and fully inclusive of all
relevant elements.

Availability Terms
Term Definition
Usability The degree to which an asset can be easily learned, understood, utilized,
or controlled by a subject.
Accessibility The assurance that an asset can, under the widest range of circumstances,
be used by a subject, regardless of their capabilities or limitations.
Timeliness The quality of an asset, particularly information, being prompt and
available within a reasonable time frame, and with low latency.

Common Security Terms (Slide 1 of 2)
Term Definition
Asset Anything of value that could be compromised, stolen, or harmed, including
information, systems, personnel, physical resources, and reputation.
Threat Any event or action that could potentially cause damage to an asset or an
interruption of services.
Threat actor A person, group, or other entity that could potentially attack, damage, or
otherwise compromise a system or resource.
Vulnerability A condition that leaves the system and its assets open to harm—including
such things as software bugs, insecure passwords, inadequate physical
security, poorly designed networks, or insufficient user training and
awareness.
Exploit A technique that takes advantage of a vulnerability to perform an attack.
Risk The likelihood of a threat occurring, as well as its potential damage to
assets.
Control A countermeasure that you put in place to avoid, mitigate, or counteract
security risks due to threats or attacks; also known as a safeguard.

Common Security Terms (Slide 2 of 2)
Term Definition
Attack The active attempt by a threat actor to break into and exploit a vulnerable
system, data, or other resource.
Breach The result of a successful attack. Can include theft, destruction, or loss of
availability of data, a system, or other resources.
Exposure The level, usually expressed in percentage, to which a resource is at direct
risk of attack.
Social engineering The practice of using deception and trickery against human beings as a
method of attack.
Defense in depth The practice of providing security in multiple layers for more
comprehensive protection against attack.

• Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactionary security culture into a proactive one.
• Supports business objectives to minimize cost and disruption.
• A major objective is compliance.
• Compliance assures that the organization operates within regulatory requirements.
Security Governance

Organizational Governance Structure
Board of Directors/CEO
CISO
Security Department
Management
Staff

• Structure of an organization can impact its security.
• Who is responsible for what? Who do they report to?
• Different levels responsible for different security requirements and tasks.
The Organizational Culture's Impact on Security

• Security professionals must advise decision makers based on risk.
• Cost prohibits 100% security.
• Tosupport business constraints:
• Assess risk and determine needs.
• Implement policies and controls to mitigate risk.
• Promote awareness of expectations.
• Monitor and evaluate effectiveness of the controls.
• Use as input in next risk assessment.
• IT is the business, and the business is IT.
• Not separate function; integral to the business.
• Business makes money from IT platform.
• Recognize mutual nature of security and business.
Security and Business Alignment

Roles and Responsibilities (Slide 1 of 2)
Role Responsibility
End Users • Protect information on a daily basis.
• Adhere to security policies.
• Be mindful of everything they do.
• Report security issues.
Administrative Assistants • First line of defense against social engineering.
• Screen phone calls for executives.
Help Desk/Service Desk
Administrators
• Answer user questions about system problems.
• Help desk calls may indicate security issues.
Physical Security • First line of defense regarding physical location of assets.
• Can work with external law enforcement.
• Role may be integrated with information systems security.
Information Systems/IT
Professionals
• Design security controls into information systems.
Information Systems
Security Professionals
• Inform executive management of security concerns and suggest solutions.

Roles and Responsibilities (Slide 2 of 2)
Role Responsibility
Information Systems
Auditors
• Determine whether systems and personnel are in compliance.
• Check configuration and design, implementation and operation of systems.
Business Continuity
Planners
• Develop contingency plans to prepare for incidents.
Data/Information
Custodians
• Implement access control levels based on data owner’s specifications.
• Back up data to ensure recovery after loss or corruption.
Data/Information/
Business Owners
• Classify data.
• Determine level of access to data.
Security Administrators • Manage access to information systems.
• Keep logs of all requests for access.
• Provide logs to auditor.
Network/Systems
Administrators
• Keep network infrastructure running to ensure availability.
• Physically implement access controls to data.
Executive Management • Protect information assets of organization.
• May include Chief Information Officer (CIO).
• May also include Chief Information Security Officer (CISO)

• Protects all business information from loss and disclosure.
• Works with individuals to ensure policies, procedures, and other documents are
implemented.
• May also run the organization’s incident response team.
• Supports governance activities.
• Develops programs to review security from several viewpoints.
• Must balance security needs with business objectives, especially when limited by
cost or time.
CISO Role

CISO Responsibilities (Slide 1 of 2)
Role Responsibility
Understand the business • Become knowledgeable about business operation and goals.
• Understand vision and mission, and how IT security helps to meet goals.
• Be a member of the management team.
• Provide security guidance to entire organization.
Stay informed • Be up to date on changing threat environment.
• Be aware of emerging technologies that provide security solutions.
Budget • Develop and justify security budget.
• Communicate budget needs to senior management to ensure approval.
• Ask for needs rather than wants.
Develop • Develop security policies, procedures, baselines, standards, and guidelines.
• Develop organization-wide security awareness programs.
• Develop security management skills within the security organization.
Train • Ensure user and management training in information security protection.
• Train security staff in new threats, new safeguards, and current operations.

CISO Responsibilities (Slide 2 of 2)
Role Responsibility
Ensure compliance • Ensure compliance to laws, regulations, and policies within areas controlled by
information security.
• Coordinate with legal department as necessary.
Promote awareness • Promote an organization-wide climate of security awareness.
• Communicate importance of business continuity and disaster recovery
planning.
Inform • Be conduit for security information in the organization.
• Provide frequent status updates on security environment.
• Provide advance information about pending changes to help plan training.
Measure • Measure security effectiveness by conducting penetration testing and other
similar activities.
• Work with auditors to determine weaknesses.
Assist • Assist senior management in understanding information security requirements.
• Assist application designers and developers to provide security in new and
existing systems.
Report • Report security accomplishments and limitations to senior management.
• Provide details regarding security violations.

Security Goal Categories
Goal Description
Strategic • Align with business and information technology goals.
• Long horizon (3-5 years or more).
• Ex: establish security policies and ensure all users understand
responsibilities.
Tactical • Provide broad initiatives necessary to support goals of strategic plan.
• May consist of multiple projects.
• Usually 6-18 month time period.
• Ex: implement disaster recovery programs and customer relationship
management.
Operational • Specific short-term goals.
• Put tactical plan into practice.
• Ensure that individual projects are completed with milestones.
• Ex: perform project-wise risk assessment and development of security
policies.

Control Frameworks
• Minimizes risk in an organization by creating a structure for security controls.
• Meet the following criteria:
• Consistent
• Measurable
• Standardized
• Comprehensive
• Modular

• Awareness of and adherence to contractual obligations, relevant laws, and/or
regulations.
• Can be:
• Set forth by governments and other private organizations.
• Internal and self-imposed.
• Consult with legal department to determine how laws and regulations impact
security operations.
• A well-rounded compliance program helps with overlapping or confusing regulatory
requirements
• Compliance may be required for an Authorization to Operate.
• U.S. Federal government agencies
• Formal acceptance of risk and approval to use a product
Compliance

• Security professionals must understand all laws that apply to their organization.
• Specific conditions must be met in certain cases.
• Identify any safe harbors that could help the organization avoid penalties.
• Safe harbors are practices or actions that are deemed not to be in violation of the law.
• Policies and other documentation should be consistent with applicable laws and
regulations.
• There are different types of laws; not all laws are regulatory in nature.
Legislative and Regulatory Compliance

Computer Crime
Government
Database
Classified Information
Attack

Data Breach
• An incident that results in release or potential
exposure of secure information.
• Can be true test of legal compliance.
• If organization performs due care to comply with laws,
breach’s effects may be mitigated.
• Organization can also avoid severe legal penalties.
• Especially a concern with privacy laws, as many
breaches expose customer PII.
• Consequences for compliance failure are magnified
under a breach.
• Most laws require timely notification in the event of a
breach.

Industry Standards (Slide 1 of 2)
IT/Information Security Standard Description
PCI DSS • Specifies how organizations handle information security for major
card brands.
• Compliance validated on annual basis.
• Organizations or merchants that accept, transmit, or store
cardholder data from these brands must comply.
NIST SP 800 series • Various publications establish computer security standards,
including:
• SP 800-12: An Introduction to Computer Security: The NIST
Handbook
• SP 800-14: Generally Accepted Principles and Practices for
Securing Information Technology Systems
• SP 800-33: Underlying Technical Models for Information
Technology Security
• SP 800-53: Security and Privacy Controls in Federal Information
Systems and Organizations

Industry Standards (Slide 2 of 2)
IT/Information Security Standard Description
COBIT 5 Standards for IT management and governance, promoting five
principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
ISO/IEC 27001 Focuses on topics in information security management:
• Responsibilities and procedures.
• Reporting information security events.
• Reporting information security weaknesses.
• Assessment of and decision on information security events.
• Response to information security incidents.
• Learning from information security incidents.
• Collection of evidence.

• Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving
organizational goals.
• Security documentation can also act as a road map to governance.
The Value of Security Documentation

Security Document Types
Security Document Type Description
Policy High-level statement of management intentions. Contains purpose, scope, and
compliance expected of every employee.
Example: Information security will ensure the protection of information by
implementing security best practices.
Standard Required implementation or use of tools.
Example: The corporation must implement 802.1x security for all wireless
networks.
Guideline Recommended or suggested action or best practice.
Example: When travelling with laptops, users should use safety precautions to
prevent laptop theft, damage, or data loss.
Procedure Step-by-step description of how to implement a system or process.
Example: Toimplement Secure Shell (SSH) on the router, enter the enable mode
and then enter the appropriate commands for the router.
Baseline Minimum security required for a system or process.
Example: Trivial File Transfer Protocol (TFTP) must be disabled in all servers except
for those specifically used for the TFTP service.

Security Planning
Security Planning Effort Description
Strategic planning • Long-term (three- to five-year) planning process.
• Focuses on major security changes in an organization.
• Processes such as mergers and acquisitions could trigger a plan review.
Tactical planning • Mid-term process (6 to 18 months).
• For example, a move to RADIUS for authentication could take a year to
complete.
Operational and project
planning
• Near-term, per-project basis.
• Supports milestones and completion dates that are communicated
regularly.
• For example, planning for a penetration test in three months.

• Objectives that security policies can fulfill:
• Inform employees about their security-related duties and responsibilities.
• Define an organization’s security goals.
• Outline a computer system's security requirements.
• Objectives depend on the organization’s specific requirements.
• Policies should be long enough to explain but short enough to be understood.
• All employees should have access to the policy.
Security Policy Objectives

Security Policy Types
Security Policy Type Description
Advisory • Indicates certain types of actions as being more appropriate or effective
than others.
• Includes consequences and reprimands that may occur if actions are not
as indicated.
• Commonly indicate how to handle private documentation and money.
Informative • Provides data to employees on a specified subject.
• Includes no ramifications.
• Often used as instructional instruments.
Regulatory • Addresses industry regulations regarding the conduct of organizations.
• Commonly used for health care and financial organizations.

The Relationship Between Security Document Types
Laws and Requirements
Strategic
Tactical
Operational
Standards
Mandatory
implementation
Guidelines
Recommended actions
Procedures
Step-by-step
instructions
Baselines
Consistent comparison
points
Policies
Statement of management
intentions
Policy Types:
• Advisory
• Informative
• Regulatory

• Comprehensively identify all assets in the organization.
• Waiting until it’s too late will make it harder to recover an asset.
• If you don’t identify an asset, you may not even know when it’s compromised.
• Describe assets in terms of:
• Basic characteristics.
• Value to the company.
• Use on a daily basis.
• Replaceability.
Asset Identification

• What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much will we lose in operational functionality if the asset is misplaced or
damaged?
• What would it cost to replace it?
• What enemies might pay for it?
• What liability penalties might occur if the asset is compromised?
Asset Valuation

Asset Valuation Methods
Asset Valuation Method Description
Asset management system Contains a detailed record of corporate property and similar assets,
including facilities, furniture, computers, and other real property.
Accounting system Contains additional financial information about assets, such as
expensing the cost to develop software packages.
Insurance valuation Good source of asset valuation due to rigorous analysis of risk of
loss.
Qualitative valuation Narrative descriptions capture expert judgement about asset value.

Areas of Vulnerability
Vulnerability Area Example Threat and Risk
Physical structure Window accessibility in a room where secure information is stored can
expose vulnerabilities and create a venue for sudden intrusion threats.
Electrical Failure of a vulnerable electrical feed can threaten system data.
Software Worms, viruses, and Trojans threaten systems.
Network Unencrypted data on network can be vulnerable to interception and exploit.
Personnel Key trained personnel must be available to deal with critical events to avoid
corporate-wide vulnerabilities.
Hardware Losses due to theft and physical damage generate costs for replacement and
lost productivity.
Documentation If poorly written, can cause confusion and impair decision making.
Organization must protect integrity and confidentiality of sensitive
documentation.
Process Outdated or inefficient processes can impair business operations; poor
security processes weaken defenses and increase risk.

Identify Threats
Threat Type Description
Natural disasters • Earthquakes
• Wildfires
• Flooding
• Excessive snowfalls
• Tsunamis
• Hurricanes
• Tornados
• Landslides
Man-made disasters Intentional:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
•Information disclosure
Unintentional:
• Employee mistakes
• Power outages
• Excessive employee illnesses or epidemics
• Information disclosure

Control Selection Criteria
• Selection criteria:
• Cost effectiveness
• Risk reduction
• Practicality
• Additional details to consider:
• Can the control be audited?
• Is the control from a trusted source?
• Can the control be consistently applied?
• Is the control reliable?
• Is the control independent from other controls?
• Is the control easy to use?
• Can the control be automated?
• Is the control sustainable?

Safeguard Cost/Benefit Analysis
• Determine if the safeguard is worth the money.
• Also be confident that the solution meets requirements.
• Be sure to consider total cost:
• Initial purchase price and installation and configuration costs.
• Annual maintenance and licensing costs.
• Internal soft costs for configuration, management, and maintenance.
• Percentage of risk coverage.
• Scalability, upgradeability of solution.
• Most solutions do not completely remediate a risk.

• Administrative
• Covers personnel security, risk management, training, permissions, etc.
• Physical
• Limit a person’s physical access to assets or facilities, using locks, doors, fences, etc.
• Example: Infrared monitoring system can detect the presence of an intruder.
• Technical
• Also known as logical controls.
• Implemented in computing environments like operating systems, applications, databases,
network devices, etc.
• Prefer physical or technical controls, as administrative controls require manual
enforcement.
Control Types
User
***
Administrative Physical Technical

Control Functions
Deterrent
Controls
Directive
Controls
Recovery
Controls
Corrective
Controls
Detective
Controls
Preventative
Controls
Compensating
Controls
Low High
Time
INCIDENT
Medium
Threat Level Based on Figure 1.17 in the Official (ISC)2Guide to the CISSPCBK.

Control Implementation Matrix
Administrative Physical Technical
Directive X
Deterrent X X
Preventative X X X
Compensating X X
Detective X X
Corrective X
Recovery X X

• Not just simple pass-fail results or generating paperwork for an audit.
• Well-executed assessment determines validity and effectiveness of controls.
• Can expose strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
Monitoring and Measuring

• Ongoing effort to optimize policies and processes.
• A function of risk management.
• Includes best practices:
• Continuously seek to discover new vulnerabilities.
• Be context aware in your risk analysis.
• Prioritize your efforts to vulnerabilities
that actually pose a significant risk.
• Determine patchability.
Continuous Improvement

Threat Modeling Process
Identify Scope
Identify Threat
Agents and
Attack Vectors
Identify
Exploitable
Vulnerabilities
Prioritize
Identified Risks
Identify
Controls to
Reduce Threat
Understand
Existing
Controls

Threat Types (Slide 1 of 2)
Cryptojacking • Unauthorized use of someone else's computing device to mine cryptocurrency.
• Devices can include computers, phones, routers, IoT devices.
Advanced Persistent Threat
(APT)
• Stealthy attack.
• Intruder remains undetected for a lengthy period of time.
• Usually sponsored by nation states or organizations that have considerable
resources.
Phishing and social
engineering
• Attackers use psychological tactics to manipulate victims into disclosing
information or performing an action that they shouldn’t.
• Phishing is the most common form.
• Uses email with malicious attachments or links.
Insider threat • Disgruntled employees and others with internal access.
• Use their access privilege or knowledge to steal data or damage systems.
• Can also be accidental/unintentional.
Malware • Any software intended to damage a computer system.
• Can be distributed through email, websites, file sharing, social media, even
legitimate published software.
• Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware,
spyware, etc.

Threat Types (Slide 2 of 2)
Denial of service • Any attack that consumes computer or network resources so the system
cannot service legitimate client requests.
• Can be conducted against:
• Network
• CPU
• RAM
• Disk space
• Maximum allowed connections
Unauthorized network
access
• Deliberate or accidental.
• Normal security controls are bypassed.
Injection and Cross-Site
commands
• Malicious commands hide inside normal browser activity.
• Includes command and SQL injection, XSS, and XSRF.
Session Hijacking/
Man-in-the-Middle
• Attacker takes over legitimate network connection, often after user has
authenticated.

Virus Types (Slide 1 of 3)
Virus Type Description
Master Boot Record (MBR)
Virus
• One of the earliest known viruses.
• Infects the master boot record of a bootable disk.
• When system boots, virus redirects system to boot from infected boot sector
of disk.
Boot Sector Virus • Similar to the MBR virus.
• Infects the original (legitimate) boot sector of the disk.
File Infector Virus • Infects an executable file, modifying or completely replacing it.
• Payload released when operating system executes the file.
Macro Virus • Infects Microsoft Office documents.
• Exploits embedded VBA scripting language.
Service Injection Virus • Injects itself into a trusted running operating system process such as
svchost.exe, winlogon.exe, or explorer.exe.
Multipartite Virus • Propagates itself several ways including boot sectors and files.
Stealth Virus • Hides itself by tampering with the operating system to fool an antivirus
program.
Polymorphic Virus • Modifies itself as it moves from system to system.
• Constantly changing signature makes it difficult to detect.

Encrypted Virus • Encrypts itself to avoid detection.
• Each infection uses a different cryptographic key.
Worm • A standalone virus that detaches itself from the original infection.
• Self-propagates; not dependent on any particular file to exist.
Hoax • Not an actual virus.
• Nuisance email sent to warn people of non-existent threats.
• Can generate excessive traffic and clog email systems.
Logic Bomb • Malware that lays dormant until triggered by a date or event.
• Automatic detonation.
Trojan Horse • Malicious program hidden inside a legitimate application.
• Executes in the background when the host application executes.
Botnet • Collection of Internet-connected devices (zombies) that are infected with
malware.
• Devices controlled as a group without their owners’ knowledge by a
command and control system run by the attacker.
• Typically used to mine cryptocurrency, conduct DDoS attacks, steal data, and
send spam.

Spyware • Hides on your device, monitoring activity and stealing sensitive information
such as bank details and passwords.
Adware • Software that automatically downloads and displays advertising material
while the user is online.
• Material is often unwanted, and can contain malicious links or content.
Zero Day Attack • New, as yet undiscovered attack for which there is no specific defense.

Reduction Analysis
• Seeks to avoid duplicated defense efforts by finding common root vulnerabilities.
• By addressing common root problems, you can find the most cost-effective way to
mitigate the risk.

• Basic categories of remediation:
• Good security policy and management commitment to security.
• Fix vulnerable code.
• Properly configure systems.
• Change business processes.
• Improve security culture through training and awareness.
• Effective threat remediation involves all personnel working together.
• Implementing of technical controls and management of good business processes.
• Various security departments should coordinate in remediation efforts.
• Remediation policy should reflect risk tolerance.
• Strategies and controls should be consistently evaluated for their effectiveness.
Threat Remediation

Third-Party Assessments
• Develop an information security assessment plan
• Determine who in your organization is responsible for the assessment
• Determine the requirements for the assessment
• Plan and allocate resources
• If you choose a third-party assessor, evaluate that person or group
• Ensure that your own information security policies and procedures exist first
• Prepare documents and report templates that will be used
• Prepare a nondisclosure agreement
• Allocate the team that will do the information gathering
• Conduct the data collection

• Escort the individual when onsite.
• Monitor virtually via screen capture or webcam.
• Require a non-disclosure agreement.
• Investigate security screening procedures of job agency.
• Require third-party identification and perform onsite verification.
Contractors

Balance the expectation of privacy with enforcing security policies.
Policy Compliance and Privacy

• Employees are the weakest link in security.
• Help employees understand:
• Risks
• Impact for company and themselves
• Security policies and procedures
• Focus on attitude, motivation, and attention.
Security Awareness

Security Training
• A clearly defined target audience.
• Training objectives mapped to desired increases in on-the-job
security practices.
• Training outcomes that can be quantified and measured.
• Variations and customizations for different job roles and levels.
• Provisions for updates and refresher training sessions.

• Process of allowing only authorized entities to observe/modify/take possession of a
computer system or physical property.
• Subject – entity requesting access:
• Person.
• System.
• Process.
Access Control
• Object – entity being accessed – any resource.
• Limits subject’s access to object using predefined rules/roles/labels.
Subjects Objects

Types of Access Control Services
Access Control Service Description
Identification and
Authentication (I&A)
• Provides unique identifier for each authorized subject attempting to access
the object.
• Includes method or methods to ensure identity of subject (authentication).
• Typically administered with Identity Management System and support of a
directory.
Authorization • Determines the capabilities or rights of the subject when accessing the
object.
Audit • Creates a log or record of system activities.
Accountability • Reports and reviews the contents of log files.
• Each subject identifier must be unique to relate activities to one subject.

Identity and Access Provisioning Lifecycle
Provisioning
Review
Revocation/
Deprovisioning

• Start with administrative policies.
• Reinforce with technical policies.
• All passwords must be at least seven characters long using three different types of
characters.
• A user's identity must be verified before IT staff can reset that person's password.
• Process to suspend/deactivate user account in case of termination/compromise/infection.
• Inactive user accounts must be disabled after 60 calendar days.
• User account will be locked out for 15 minutes after three bad logon attempts.
• Users can’t have local administrative privileges on their computer unless approved by
manager.
• Existing local administrative privilege will be reviewed annually.
• All administrator accounts must use two-factor authentication to log on to the network.
• All workstations must implement a screen lock after 15 minutes of inactivity.
• Access to administrator systems must be reviewed annually.
• IT staff may not use administrator accounts for general purpose.
Access Control Policies (Slide 1 of 2)

• Reinforce with technical policies (Cont.)
• Vendor and contractor access list to be approved, monitored, and limited to the length of
the contract.
• Default administrator passwords must be changed before the system goes into production.
• Default ports for administrator access must be changed when possible.
• Administrative access cannot be accomplished through a public interface.
• Each new user account will receive a unique first-time password that must be changed
upon first use.
• Any reset passwords must be set to unique value for each user and changed upon first use.
Access Control Policies (Slide 2 of 2)

Facilities Access
Logical Access Concern Mitigation
Electronic intrusion into network. • Establish logical perimeter.
Hijacking networked utilities/industrial control
system.
• Harden network utilities with strong
authentication/authorization.
Remote tampering of networked physical access
mechanisms.
• Continuous monitoring of access granted by
networked mechanisms.
Physical Access Concern Mitigation
Unauthorized people entering facility. • Establish physical perimeter.
• Use guards, entrance/exit checkpoints.
Unauthorized people attempting to enter facility. • Security cameras.
Unrestricted access to all areas within facility. • Create physical security zones within building.
• Use guards or doors requiring ID card.

Systems Access
Attacker access to configuration consoles. • Administrator configuration of systems.
• Change default administrator password.
Remote access to a critical system by an attacker. • Establish authentication and authorization in
remote services.
Physical damage to server. • Segment servers behind closely guarded rooms.
Physical damage to networking equipment. • Equipment lockers.

Device Access
Attacker accessing the configuration console. • Strong user name/passwords.
• Change default passwords.
Unrestricted access to workstations. • Require authentication/authorization
mechanisms.
Age of device mobility and BYOD (often pass
beyond perimeter).
• Implement mobile device management.
• Require PIN use.
Device theft. • Physical locks on devices.
Device loss. • Locking up phones/tablets.
• Require PIN use.
Unmonitored access to background wireless
connections.
• Turn off Bluetooth, NFC, geo-locating unless
required.

Information Access
Databases with sensitive information are prime
targets.
• Isolate database from rest of network.
• Use authentication/authorization mechanisms.
Inability to determine who is using remote
connections.
• Implement remote authentication protocols.
All accounts allow full access to data. • Set up varied levels of access permissions.
Attackers simply walking out with a bunch of
servers.
• Lock and monitor server rooms/data centers.
Hard copies of sensitive information. • Keep hard copies in locked file cabinets/safes.

• Or “authentication by possession.”
• Device that must be physically present to be used for access.
• Theft of device:
• Prevents access for authorized user.
• May allow access by unauthorized user.
• Often used together with a PIN/password for two-factor authentication.
Something You Have
PIN
Password
User Information
Unique Value
Two-factor authentication

• Or “authentication by characteristic.”
• Uses personal attributes:
• Fingerprints.
• Hand geometry.
• Retina scans.
• Iris scans.
• Facial recognition
• Voiceprints.
Something You Are
Fingerprint Scanner

Types of Biometric Devices
Physiological Device Description
Fingerprint • Capturing and comparing fingerprints of the individual with previously
captured fingerprints.
Hand geometry • Comparing the hand structure of an individual to a previously captured hand
structure.
Iris scan • Comparing the patterns of the colored part of the eye to previously captured
iris images.
Retina scan • Comparing blood vessel patterns in the back of the eye to previously captured
patterns.
• Can be affected by pregnancy, diabetes, and diseases of the eye.
Facial recognition • Comparing the facial structure to a previously captured facial structure.
• Can be applied individually and to crowds.
Voiceprint • Comparing a spoken phrase to a registered phrase previously spoken by the
individual.
Keystroke recording • Capturing the unique way individual users would type a common phrase.
Touch screen movement • Capturing the unique way individual users manipulate touch screen interfaces.
Signatures • Capturing speed, acceleration, and pressure applied while signing a pressure
sensitive interface and comparing it to previously captured information.

Multi-Factor Authentication

• Describes entity’s capabilities once identified and authenticated.
• What can user/system access?
• What can user/system change?
• What can user/system execute?
Authorization

• A single instance of identification and authentication applied to resources.
• Permissions won’t change for duration of session.
• Lock session:
• Timeouts.
• Screensavers.
Session Management

Federated Identity
Single identity linked across many different identity management systems.
Microsoft
Account

• Centralized authentication system.
• Provides consistent/scalable mechanism to control access:
• Applications.
• Services.
• Systems.
• Common examples:
• X.500.
• LDAP.
• Active Directory.
Directory Services
Authentication
Centralized
Administration

LDAP
LDAP Client
LDAP Server
LDAP Client
Signed certificate
Trusted session

• Microsoft’s LDAP-compatible directory implementation.
• Structures objects within an organization into a hierarchy.
• Allows administrators to centrally manage access using access control lists.
• Can subdivide the domain into organizational units.
Active Directory

Kerberos
Ticket
Ticket
User passes credentials to
an authentication server

The Kerberos Process
1. I (user) need to authenticate and I need a ticket.
2. Here is a TGT.
3. Here is my TGT; now I need an ST.
4. Here is your ST.
5. Here is my ST secure connection to the File Server.
6. Resource authenticates user and allows access via a secure connection.
File Server
Key Distribution
Server
Authentication Server
Ticket Granting Server
1 2
3
4
5
6
User

SSO
• Allows a user to authenticate once and receive access to a number of related but
independent software systems.
• SSO often considered a subset of Identity Federation.
• Benefits:
• Compromised credentials quickly regained by single action.
• Central server minimizes burden of logging in and monitoring user logins.
• Easy to use because only have to remember one password.
• Security considerations:
• Compromise of single set of credentials allows access to multiple systems.
• If authentication servicer becomes unavailable, the entire system might become
unavailable.
• Need multiple levels of authentication to ensure secure SSO system.
Email
File Server

• Internet standard protocol for centralized remote access authentication,
authorization, and auditing services.
• Configure RADIUS using a number of authentication protocols:
• Password Authentication Protocol (PAP).
• Challenge Handshake Authentication Protocol (CHAP).
• Extensible Authentication Protocol (EAP).
• Protected Extensible Authentication Protocol (PEAP).
• Lightweight Extensible Authentication Protocol (LEAP).
• Diameter authentication protocol that improves on RADIUS:
• Failover mechanism because TCP-based.
• Requires IPSec and TLS.
• Use not as widespread as RADIUS because fewer products available.
RADIUS

Cryptography
Unprotected
Data
Encryption
Protected
Data

Encryption and Decryption
Encryption Ciphertext
Plaintext
Ciphertext Decryption Plaintext

• Rule/system/mechanism used to encrypt data.
• Also known as an encryption algorithm.
• Stronger, more complex algorithm = more difficult to break.
Ciphers
Original
Information
Cipher
Encrypted
Information

Key Clustering
Original Information
Cipher
U@5 U@5

• Steganographic techniques include:
• Hiding information in blocks.
• Hiding information within images.
• Invisibly altering structure of a digital image.
Steganography
Vessel Image
Secret Data
Steganographic
Image

Symmetric Encryption
Encrypts Data Decrypts Data
Same Key on Both Sides

• Data Encryption Standard (DES)
• Triple DES (3DES)
• Advanced Encryption Standard (AES)
• Blowfish
• Twofish
• IDEA
• Skipjack
• Rivest Cipher (RC) 4, 5, and 6
Symmetric Encryption Algorithms

• Symmetric encryption benefits:
• Good performance
• Well suited to encrypt both data at rest and data in transit.
• The greatest challenge is key management.
• Both parties must agree upon the key ahead of time.
• If the key gets compromised, all files and communications encrypted with that key have
also been compromised.
• A new key must be issued, with both parties again communicating ahead of time to agree
upon the key.
Symmetric Encryption Considerations

Asymmetric Encryption
Public Key Encrypts Private Key Decrypts

• Rivest Shamir Adelman (RSA)
• Diffie-Hellman (DH)
• Elliptic Curve Cryptography (ECC)
• Diffie-Hellman Ephemeral (DHE)
• Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
• ElGamal
• Digital Signature Algorithm (DSA)
• Knapsack
Asymmetric Encryption Techniques

Asymmetric Algorithm Comparison Chart
Asymmetric
Algorithm
Based On Common Use
RSA Factors (products of large prime numbers) Digital certificates, digital signatures
DH Handshake Key exchange
ECC Elliptic curves Smart cards, wireless, realtime
communications
ElGamal DH OpenPGP, GnuGPG
DSA Modular exponentiation and the discrete
logarithmic problem
FIPS-compliant digital signatures
Knapsack Mathematical knapsack problem Early public key-based encryption

• Asymmetric encryption is generally stronger than symmetric encryption.
• More flexible key management.
• Asymmetric algorithms have significantly lower performance than symmetric
algorithms.
• Asymmetric algorithms are used to encrypt only short amounts of data such as
another encryption key.
• It is very common to use a combination of both methods.
• The biggest issue, besides performance, is the liability a person incurs if they lose
their private key.
• The private key should never be exposed.
• It is always stored in a non-paged part of kernel memory.
• If you put it on a smart card or other removable media, you must encrypt it (typically with a
password or other symmetric key).
• If someone steals your private key, they could impersonate you, getting you into legal
trouble.
• Compromised keys should immediately be revoked and reissued.
Asymmetric Encryption Considerations

Hashing
Message
This is a secret
Hash
Hash Function
Hashing is one-way encryption
508FF7A91DB0A80A1
3151F786FBB6E43

• MD2
• MD4
• MD5
• HAVAL
• SHA
• NTLM versions 1 and 2
• RIPEMD
• HMAC
Hashing Algorithms

Salting the Hash
• Adding a random number to the input of a hashing function to create unique hash
values.
Message
Secret
Hash
Hash Function
1

Cybertopic_1security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cybertopic_1security

Similar to Cybertopic_1security (20)

More from Anne Starr

More from Anne Starr (20)

Recently uploaded

Recently uploaded (20)

Cybertopic_1security