FOUNDATION IN CYBER SECURITY
Security Threats and Controls
Cryptography and Access Control
Trainer Profile
LEO LOURDES
(MBA IT Management, BoM Hons. HRM)
Implementer of ISO 20000-1:2011
Certified in COBIT® 5
Certified in ISO 9001 Auditor (PECB)
Certified in PRINCE2® in Project Management
Certified in ITIL® Practitioner
Certified in ITIL® Intermediate Certificate in IT Service Operation
Certified in ITIL Information Security based on ISO/IEC 27002
Certified in ITIL for Cloud Computing
Certified in ITIL IT Service Management
Certified in Coaching and Calibration Skills for Call Center
Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom
wecare@thinkleosolutions.com
+6012-311 6457 / +6016-349 1793
Experience:
Management Representative (MR) ISO 20000-1: 2011
IT Service Management (Incident, Problem, Change) Manager
Security, Compliance & Risk Management
Senior CRM Delivery Analyst
Certified Trainer
Certified IT Auditor & Consultant
The CIA Triad
Availability
Copyright © 2019 Logical Operations, Inc. All rights reserved.
Common Security Terms (Slide 1 of 2)
Asset: Anything of value that could be compromised, stolen, or harmed, including information, systems, personnel, physical resources, and reputation.
Threat: Any event or action that could potentially cause damage to an asset or an interruption of services.
Threat actor: A person, group, or other entity that could potentially attack, damage, or otherwise compromise a system or resource.
Vulnerability: A condition that leaves the system and its assets open to harm, including such things as software bugs, insecure passwords, inadequate physical security, poorly designed networks, or insufficient user training and awareness.
Exploit: A technique that takes advantage of a vulnerability to perform an attack.
Risk: The likelihood of a threat occurring, as well as its potential damage to assets.
Control: A countermeasure that you put in place to avoid, mitigate, or counteract security risks due to threats or attacks; also known as a safeguard.
Common Security Terms (Slide 2 of 2)
Attack: The active attempt by a threat actor to break into and exploit a vulnerable system, data, or other resource.
Breach: The result of a successful attack. Can include theft, destruction, or loss of availability of data, a system, or other resources.
Exposure: The level, usually expressed as a percentage, to which a resource is at direct risk of attack.
Social engineering: The practice of using deception and trickery against human beings as a method of attack.
Defense in depth: The practice of providing security in multiple layers for more comprehensive protection against attack.
Security Governance
• Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactionary security culture into a proactive one.
• Supports business objectives to minimize cost and disruption.
• A major objective is compliance.
• Compliance assures that the organization operates within regulatory requirements.
Organizational Governance Structure
(Figure: Board of Directors/CEO, CISO, Security Department, Management, Staff.)
The Organizational Culture's Impact on Security
• The structure of an organization can impact its security.
• Who is responsible for what? Who do they report to?
• Different levels are responsible for different security requirements and tasks.
Security and Business Alignment
• Security professionals must advise decision makers based on risk.
• Cost prohibits 100% security.
• To support business constraints:
• Assess risk and determine needs.
• Implement policies and controls to mitigate risk.
• Promote awareness of expectations.
• Monitor and evaluate the effectiveness of the controls.
• Use the results as input to the next risk assessment.
• IT is the business, and the business is IT.
• Not a separate function; integral to the business.
• The business makes money from the IT platform.
• Recognize the mutual nature of security and business.
Roles and Responsibilities (Slide 1 of 2)
End Users:
• Protect information on a daily basis.
• Adhere to security policies.
• Be mindful of everything they do.
• Report security issues.
Administrative Assistants:
• First line of defense against social engineering.
• Screen phone calls for executives.
Help Desk/Service Desk Administrators:
• Answer user questions about system problems.
• Help desk calls may indicate security issues.
Physical Security:
• First line of defense regarding the physical location of assets.
• Can work with external law enforcement.
• Role may be integrated with information systems security.
Information Systems/IT Professionals:
• Design security controls into information systems.
Information Systems Security Professionals:
• Inform executive management of security concerns and suggest solutions.
Roles and Responsibilities (Slide 2 of 2)
Information Systems Auditors:
• Determine whether systems and personnel are in compliance.
• Check configuration and design, implementation and operation of systems.
Business Continuity Planners:
• Develop contingency plans to prepare for incidents.
Data/Information Custodians:
• Implement access control levels based on the data owner's specifications.
• Back up data to ensure recovery after loss or corruption.
Data/Information/Business Owners:
• Classify data.
• Determine the level of access to data.
Security Administrators:
• Manage access to information systems.
• Keep logs of all requests for access.
• Provide logs to the auditor.
Network/Systems Administrators:
• Keep the network infrastructure running to ensure availability.
• Physically implement access controls to data.
Executive Management:
• Protect the information assets of the organization.
• May include the Chief Information Officer (CIO).
• May also include the Chief Information Security Officer (CISO).
Security Goal Categories
Strategic:
• Align with business and information technology goals.
• Long horizon (3-5 years or more).
• Example: establish security policies and ensure all users understand their responsibilities.
Tactical:
• Provide the broad initiatives necessary to support the goals of the strategic plan.
• May consist of multiple projects.
• Usually a 6-18 month time period.
• Example: implement disaster recovery programs and customer relationship management.
Operational:
• Specific short-term goals.
• Put the tactical plan into practice.
• Ensure that individual projects are completed with milestones.
• Example: perform project-wise risk assessment and development of security policies.
Legislative and Regulatory Compliance
• Security professionals must understand all laws that apply to their organization.
• Specific conditions must be met in certain cases.
• Identify any safe harbors that could help the organization avoid penalties.
• Safe harbors are practices or actions that are deemed not to be in violation of the law.
• Policies and other documentation should be consistent with applicable laws and regulations.
• There are different types of laws; not all laws are regulatory in nature.
Computer Crime
(Figure: government database, classified information, attack.)
Data Breach
• An incident that results in the release or potential exposure of secure information.
• Can be a true test of legal compliance.
• If the organization performs due care to comply with laws, the breach's effects may be mitigated.
• The organization can also avoid severe legal penalties.
• Especially a concern with privacy laws, as many breaches expose customer PII.
• Consequences for compliance failure are magnified under a breach.
• Most laws require timely notification in the event of a breach.
Industry Standards (Slide 1 of 2)
PCI DSS:
• Specifies how organizations handle information security for major card brands.
• Compliance is validated on an annual basis.
• Organizations or merchants that accept, transmit, or store cardholder data from these brands must comply.
NIST SP 800 series:
• Various publications establish computer security standards, including:
• SP 800-12: An Introduction to Computer Security: The NIST Handbook
• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
• SP 800-33: Underlying Technical Models for Information Technology Security
• SP 800-53: Security and Privacy Controls in Federal Information Systems and Organizations
Industry Standards (Slide 2 of 2)
COBIT 5: Standards for IT management and governance, promoting five principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
ISO/IEC 27001: Focuses on topics in information security management:
• Responsibilities and procedures.
• Reporting information security events.
• Reporting information security weaknesses.
• Assessment of and decision on information security events.
• Response to information security incidents.
• Learning from information security incidents.
• Collection of evidence.
The Value of Security Documentation
• Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving organizational goals.
• Security documentation can also act as a road map to governance.
Security Document Types
Policy: High-level statement of management intentions. Contains purpose, scope, and compliance expected of every employee.
Example: Information security will ensure the protection of information by implementing security best practices.
Standard: Required implementation or use of tools.
Example: The corporation must implement 802.1x security for all wireless networks.
Guideline: Recommended or suggested action or best practice.
Example: When travelling with laptops, users should use safety precautions to prevent laptop theft, damage, or data loss.
Procedure: Step-by-step description of how to implement a system or process.
Example: To implement Secure Shell (SSH) on the router, enter the enable mode and then enter the appropriate commands for the router.
Baseline: Minimum security required for a system or process.
Example: Trivial File Transfer Protocol (TFTP) must be disabled in all servers except for those specifically used for the TFTP service.
The Relationship Between Security Document Types
(Figure labels: Laws and Requirements; Strategic, Tactical, Operational.)
• Policies: statement of management intentions.
• Standards: mandatory implementation.
• Guidelines: recommended actions.
• Procedures: step-by-step instructions.
• Baselines: consistent comparison points.
Policy Types:
• Advisory
• Informative
• Regulatory
Asset Identification
• Comprehensively identify all assets in the organization.
• Waiting until it's too late will make it harder to recover an asset.
• If you don't identify an asset, you may not even know when it's compromised.
• Describe assets in terms of:
• Basic characteristics.
• Value to the company.
• Use on a daily basis.
• Replaceability.
Asset Valuation
• What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much will we lose in operational functionality if the asset is misplaced or damaged?
• What would it cost to replace it?
• What would enemies pay for it?
• What liability penalties might occur if the asset is compromised?
Identify Threats
Natural disasters:
• Earthquakes
• Wildfires
• Flooding
• Excessive snowfalls
• Tsunamis
• Hurricanes
• Tornadoes
• Landslides
Man-made disasters, intentional:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
• Information disclosure
Man-made disasters, unintentional:
• Employee mistakes
• Power outages
• Excessive employee illnesses or epidemics
• Information disclosure
Control Selection Criteria
• Selection criteria:
• Cost effectiveness
• Risk reduction
• Practicality
• Additional details to consider:
• Can the control be audited?
• Is the control from a trusted source?
• Can the control be consistently applied?
• Is the control reliable?
• Is the control independent from other controls?
• Is the control easy to use?
• Can the control be automated?
• Is the control sustainable?
Control Types
• Administrative
• Covers personnel security, risk management, training, permissions, etc.
• Physical
• Limit a person's physical access to assets or facilities, using locks, doors, fences, etc.
• Example: An infrared monitoring system can detect the presence of an intruder.
• Technical
• Also known as logical controls.
• Implemented in computing environments like operating systems, applications, databases, network devices, etc.
• Prefer physical or technical controls, as administrative controls require manual enforcement.
(Figure: User, ***, Administrative / Physical / Technical.)
Monitoring and Measuring
• Not just simple pass-fail results or generating paperwork for an audit.
• A well-executed assessment determines the validity and effectiveness of controls.
• Can expose the strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
Continuous Improvement
• Ongoing effort to optimize policies and processes.
• A function of risk management.
• Includes best practices:
• Continuously seek to discover new vulnerabilities.
• Be context aware in your risk analysis.
• Prioritize your efforts on vulnerabilities that actually pose a significant risk.
• Determine patchability.
Threat Types (Slide 1 of 2)
Cryptojacking:
• Unauthorized use of someone else's computing device to mine cryptocurrency.
• Devices can include computers, phones, routers, and IoT devices.
Advanced Persistent Threat (APT):
• Stealthy attack.
• The intruder remains undetected for a lengthy period of time.
• Usually sponsored by nation states or organizations that have considerable resources.
Phishing and social engineering:
• Attackers use psychological tactics to manipulate victims into disclosing information or performing an action that they shouldn't.
• Phishing is the most common form.
• Uses email with malicious attachments or links.
Insider threat:
• Disgruntled employees and others with internal access.
• Use their access privilege or knowledge to steal data or damage systems.
• Can also be accidental/unintentional.
Malware:
• Any software intended to damage a computer system.
• Can be distributed through email, websites, file sharing, social media, even legitimately published software.
• Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware, spyware, etc.
Threat Types (Slide 2 of 2)
Denial of service:
• Any attack that consumes computer or network resources so the system cannot service legitimate client requests.
• Can be conducted against:
• Network
• CPU
• RAM
• Disk space
• Maximum allowed connections
Unauthorized network access:
• Deliberate or accidental.
• Normal security controls are bypassed.
Injection and cross-site commands:
• Malicious commands hide inside normal browser activity.
• Includes command and SQL injection, XSS, and XSRF.
Session hijacking/man-in-the-middle:
• The attacker takes over a legitimate network connection, often after the user has authenticated.
Security Awareness
• Employees are the weakest link in security.
• Help employees understand:
• Risks
• Impact for the company and themselves
• Security policies and procedures
• Focus on attitude, motivation, and attention.
Security Training
• A clearly defined target audience.
• Training objectives mapped to desired increases in on-the-job security practices.
• Training outcomes that can be quantified and measured.
• Variations and customizations for different job roles and levels.
• Provisions for updates and refresher training sessions.
Access Control
• Process of allowing only authorized entities to observe/modify/take possession of a computer system or physical property.
• Subject – entity requesting access:
• Person.
• System.
• Process.
• Object – entity being accessed – any resource.
• Limits the subject's access to the object using predefined rules/roles/labels.
(Figure: subjects accessing objects.)
Types of Access Control Services
Identification and Authentication (I&A):
• Provides a unique identifier for each authorized subject attempting to access the object.
• Includes a method or methods to ensure the identity of the subject (authentication).
• Typically administered with an Identity Management System and the support of a directory.
Authorization:
• Determines the capabilities or rights of the subject when accessing the object.
Audit:
• Creates a log or record of system activities.
Accountability:
• Reports on and reviews the contents of log files.
• Each subject identifier must be unique to relate activities to one subject.
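The following is an added example, not part of the original slides: an authorization check that combines the roles and labels named in the Access Control slide, logs every decision (audit) and lets a reviewer pull one subject's activity by its unique identifier (accountability). The role table, labels, subject IDs and object names are constructed sample data.

```python
"""Role- and label-based authorization with an audit log (constructed example)."""
from dataclasses import dataclass, field

# Classification labels ordered from least to most sensitive (constructed).
LABELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Role -> capabilities it grants (constructed role table, mirrors the slide's roles).
ROLE_RIGHTS = {
    "end_user": {"read"},
    "data_custodian": {"read", "backup"},
    "data_owner": {"read", "write", "classify"},
    "security_admin": {"read", "grant"},
}


@dataclass(frozen=True)
class Subject:
    subject_id: str        # unique identifier from I&A: one id per person/system/process
    roles: frozenset       # roles assigned by the security administrator
    clearance: str         # highest label this subject may access


@dataclass(frozen=True)
class Obj:
    name: str
    label: str             # classification assigned by the data owner


@dataclass
class AuditLog:
    """Audit service: every decision is recorded against the subject id."""
    entries: list = field(default_factory=list)

    def record(self, subject_id, action, obj_name, decision, reason):
        self.entries.append({"subject": subject_id, "action": action,
                             "object": obj_name, "decision": decision,
                             "reason": reason})


def authorize(subject: Subject, action: str, obj: Obj, log: AuditLog) -> bool:
    """Authorization rule: the subject needs a role that grants the action AND a
    clearance at or above the object's label. Deny on either failure."""
    rights = set().union(*(ROLE_RIGHTS.get(r, set()) for r in subject.roles))
    if action not in rights:
        log.record(subject.subject_id, action, obj.name, "deny", "role lacks capability")
        return False
    if LABELS[subject.clearance] < LABELS[obj.label]:
        log.record(subject.subject_id, action, obj.name, "deny", "clearance below label")
        return False
    log.record(subject.subject_id, action, obj.name, "permit", "role and label satisfied")
    return True


def activity_for(log: AuditLog, subject_id: str) -> list:
    """Accountability: review the log for a single, unique subject identifier."""
    return [e for e in log.entries if e["subject"] == subject_id]


if __name__ == "__main__":
    log = AuditLog()
    alice = Subject("u-1001", frozenset({"end_user"}), "internal")
    salaries = Obj("hr_salaries.xlsx", "confidential")
    menu = Obj("cafeteria_menu.txt", "public")
    print(authorize(alice, "read", menu, log))      # True: role and label satisfied
    print(authorize(alice, "read", salaries, log))  # False: clearance below label
    for entry in activity_for(log, "u-1001"):
        print(entry)
```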
Identity and Access Provisioning Lifecycle
(Figure: Provisioning → Review → Revocation/Deprovisioning.)
Facilities Access
Logical access concerns and mitigations:
• Electronic intrusion into the network: establish a logical perimeter.
• Hijacking of networked utilities/industrial control systems: harden network utilities with strong authentication/authorization.
• Remote tampering with networked physical access mechanisms: continuous monitoring of access granted by networked mechanisms.
Physical access concerns and mitigations:
• Unauthorized people entering the facility: establish a physical perimeter; use guards and entrance/exit checkpoints.
• Unauthorized people attempting to enter the facility: security cameras.
• Unrestricted access to all areas within the facility: create physical security zones within the building; use guards or doors requiring an ID card.
Systems Access
Logical access concerns and mitigations:
• Attacker access to configuration consoles: administrator configuration of systems; change the default administrator password.
• Remote access to a critical system by an attacker: establish authentication and authorization in remote services.
Physical access concerns and mitigations:
• Physical damage to a server: segment servers behind closely guarded rooms.
• Physical damage to networking equipment: equipment lockers.
Device Access
Logical access concerns and mitigations:
• Attacker accessing the configuration console: strong user names/passwords; change default passwords.
• Unrestricted access to workstations: require authentication/authorization mechanisms.
• Device mobility and BYOD (devices often pass beyond the perimeter): implement mobile device management; require PIN use.
Physical access concerns and mitigations:
• Device theft: physical locks on devices.
• Device loss: lock up phones/tablets; require PIN use.
• Unmonitored access to background wireless connections: turn off Bluetooth, NFC, and geo-locating unless required.
Information Access
Logical access concerns and mitigations:
• Databases with sensitive information are prime targets: isolate the database from the rest of the network; use authentication/authorization mechanisms.
• Inability to determine who is using remote connections: implement remote authentication protocols.
• All accounts allow full access to data: set up varied levels of access permissions.
Physical access concerns and mitigations:
• Attackers simply walking out with a bunch of servers: lock and monitor server rooms/data centers.
• Hard copies of sensitive information: keep hard copies in locked file cabinets/safes.
Something You Have
• Or "authentication by possession."
• A device that must be physically present to be used for access.
• Theft of the device:
• Prevents access for the authorized user.
• May allow access by an unauthorized user.
• Often used together with a PIN/password for two-factor authentication.
(Figure: two-factor authentication: PIN/password, user information, unique value.)
Something You Are
• Or "authentication by characteristic."
• Uses personal attributes:
• Fingerprints.
• Hand geometry.
• Retina scans.
• Iris scans.
• Facial recognition.
• Voiceprints.
(Figure: fingerprint scanner.)
Session Management
• A single instance of identification and authentication applied to resources.
• Permissions won't change for the duration of the session.
• Lock the session:
• Timeouts.
• Screensavers.
Federated Identity
Single identity linked across many different identity management systems.
(Figure: Microsoft Account.)
Directory Services
• Centralized authentication system.
• Provides a consistent/scalable mechanism to control access to:
• Applications.
• Services.
• Systems.
• Common examples:
• X.500.
• LDAP.
• Active Directory.
(Figure: authentication and centralized administration.)
SSO
• Allows a user to authenticate once and receive access to a number of related but independent software systems.
• SSO is often considered a subset of identity federation.
• Benefits:
• Control over compromised credentials is quickly regained by a single action.
• A central server minimizes the burden of logging in and of monitoring user logins.
• Easy to use because users only have to remember one password.
• Security considerations:
• Compromise of a single set of credentials allows access to multiple systems.
• If the authentication service becomes unavailable, the entire system might become unavailable.
• Multiple levels of authentication are needed to ensure a secure SSO system.
(Figure: email, file server.)
Cryptography
(Figure: unprotected data → encryption → protected data.)
Encryption and Decryption
(Figure: plaintext → encryption → ciphertext; ciphertext → decryption → plaintext.)
Ciphers
• Rule/system/mechanism used to encrypt data.
• Also known as an encryption algorithm.
• Stronger, more complex algorithm = more difficult to break.
(Figure: original information → cipher → encrypted information.)
Key Clustering
(Figure: the same original information passed through the cipher produces the identical ciphertext "U@5" on both paths.)
Steganography
• Steganographic techniques include:
• Hiding information in blocks.
• Hiding information within images.
• Invisibly altering the structure of a digital image.
(Figure: vessel image + secret data → steganographic image.)
Symmetric Encryption
(Figure: the same key on both sides encrypts and decrypts the data.)
Symmetric Encryption Considerations
• Symmetric encryption benefits:
• Good performance.
• Well suited to encrypting both data at rest and data in transit.
• The greatest challenge is key management.
• Both parties must agree upon the key ahead of time.
• If the key gets compromised, all files and communications encrypted with that key have also been compromised.
• A new key must be issued, with both parties again communicating ahead of time to agree upon the key.
Asymmetric Encryption
(Figure: the public key encrypts, the private key decrypts.)
Asymmetric Encryption Techniques
• Rivest Shamir Adleman (RSA)
• Diffie-Hellman (DH)
• Elliptic Curve Cryptography (ECC)
• Diffie-Hellman Ephemeral (DHE)
• Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
• ElGamal
• Digital Signature Algorithm (DSA)
• Knapsack
Asymmetric Encryption Considerations
• Asymmetric encryption is generally stronger than symmetric encryption.
• More flexible key management.
• Asymmetric algorithms have significantly lower performance than symmetric algorithms.
• Asymmetric algorithms are used to encrypt only short amounts of data, such as another encryption key.
• It is very common to use a combination of both methods.
• The biggest issue, besides performance, is the liability a person incurs if they lose their private key.
• The private key should never be exposed.
• It is always stored in a non-paged part of kernel memory.
• If you put it on a smart card or other removable media, you must encrypt it (typically with a password or other symmetric key).
• If someone steals your private key, they could impersonate you, getting you into legal trouble.
• Compromised keys should immediately be revoked and reissued.
Hashing
(Figure: the message "This is a secret" passed through a hash function yields the hash 508FF7A91DB0A80A13151F786FBB6E43.)
Hashing is one-way: the original message cannot be recovered from the hash.
Salting the Hash
• Adding a random number to the input of a hashing function to create unique hash values.
(Figure: message plus secret salt → hash function → hash.)
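The following is an added example, not part of the original slides: it shows the slide's point that without a salt identical inputs always hash to the same value, while a fresh random salt per record makes two copies of the same password hash differently, and how a stored salt and hash are verified later. It uses SHA-256 from the Python standard library (the slides do not name a hash function); the sample passwords are constructed, and the PBKDF2 variant is a password-storage refinement added here.

```python
"""Unsalted vs. salted hashing, plus verification of a stored salted hash."""
import hashlib
import hmac
import secrets


def plain_hash(message: bytes) -> str:
    """One-way hash with no salt: the same input always gives the same digest."""
    return hashlib.sha256(message).hexdigest()


def salted_hash(message: bytes, salt: bytes) -> str:
    """Hash of salt || message, as in the slide's figure: the random salt is
    part of the hash function's input, so equal messages get different digests."""
    return hashlib.sha256(salt + message).hexdigest()


def make_record(password: str, salt_len: int = 16) -> dict:
    """Create a stored credential: a fresh random salt plus the salted hash.
    The salt is not secret; it is stored next to the hash so it can be reused
    when the password is checked again."""
    salt = secrets.token_bytes(salt_len)           # new random salt for every record
    return {"salt": salt.hex(), "hash": salted_hash(password.encode(), salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time
    (hmac.compare_digest avoids leaking where the two digests first differ)."""
    candidate = salted_hash(password.encode(), bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Password-storage refinement (added here, not on the slide): PBKDF2-HMAC-SHA256
    repeats the salted hash many times so each guess costs the attacker more work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    msg = b"This is a secret"                      # constructed sample message
    print("unsalted, run twice:", plain_hash(msg) == plain_hash(msg))   # True
    first, second = make_record("correct horse"), make_record("correct horse")
    print("salted, same password:", first["hash"] == second["hash"])   # False
    print("verify right password:", verify("correct horse", first))   # True
    print("verify wrong password:", verify("wrong", first))           # False
```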
END

Risk Mitigation Plan Based On Inputs ProvidedTiffany Graham
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016FERMA
 
Mergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of InterestMergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of InterestMatthew Rosenquist
 

Similar to Topic11 (20)

gkkSecurity essentials domain 1
gkkSecurity essentials   domain 1gkkSecurity essentials   domain 1
gkkSecurity essentials domain 1
 
)k
)k)k
)k
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Information Technology Security Management
Information Technology Security ManagementInformation Technology Security Management
Information Technology Security Management
 
Information Security
Information SecurityInformation Security
Information Security
 
Laser App Conference 2017 - Sid Yenamandra, Entreda
Laser App Conference 2017 - Sid Yenamandra, EntredaLaser App Conference 2017 - Sid Yenamandra, Entreda
Laser App Conference 2017 - Sid Yenamandra, Entreda
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
 
Final Exam Case Study (3)
Final Exam   Case Study (3)Final Exam   Case Study (3)
Final Exam Case Study (3)
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs Provided
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
Mergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of InterestMergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of Interest
 

More from Anne Starr

I01letor20so201leutor2020
I01letor20so201leutor2020I01letor20so201leutor2020
I01letor20so201leutor2020Anne Starr
 
Iso27001leadauditor2020
Iso27001leadauditor2020Iso27001leadauditor2020
Iso27001leadauditor2020Anne Starr
 
Dncybersecurity
DncybersecurityDncybersecurity
DncybersecurityAnne Starr
 
2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)Anne Starr
 
Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Anne Starr
 
01wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-40001wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-400Anne Starr
 
uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00Anne Starr
 
Cloudhnologysstecociat
CloudhnologysstecociatCloudhnologysstecociat
CloudhnologysstecociatAnne Starr
 
Cmbysantocsddsh
CmbysantocsddshCmbysantocsddsh
CmbysantocsddshAnne Starr
 
Cddmbysantcsosh
CddmbysantcsoshCddmbysantcsosh
CddmbysantcsoshAnne Starr
 
Ccbysantsddosh
Ccbysantsddosh  Ccbysantsddosh
Ccbysantsddosh Anne Starr
 
Ccsdbyhday1santodms
Ccsdbyhday1santodmsCcsdbyhday1santodms
Ccsdbyhday1santodmsAnne Starr
 
Serskmanagvicedeement
SerskmanagvicedeementSerskmanagvicedeement
SerskmanagvicedeementAnne Starr
 

More from Anne Starr (20)

I01letor20so201leutor2020
I01letor20so201leutor2020I01letor20so201leutor2020
I01letor20so201leutor2020
 
Iso27001leadauditor2020
Iso27001leadauditor2020Iso27001leadauditor2020
Iso27001leadauditor2020
 
Ccsddm5days
Ccsddm5daysCcsddm5days
Ccsddm5days
 
Dayblic
DayblicDayblic
Dayblic
 
Day1cspbeblic
Day1cspbeblicDay1cspbeblic
Day1cspbeblic
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)
 
Sec4
Sec4Sec4
Sec4
 
Secuntialesse
SecuntialesseSecuntialesse
Secuntialesse
 
Securityic2
Securityic2Securityic2
Securityic2
 
inte
inteinte
inte
 
Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577
 
01wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-40001wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-400
 
uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00
 
Cloudhnologysstecociat
CloudhnologysstecociatCloudhnologysstecociat
Cloudhnologysstecociat
 
Cmbysantocsddsh
CmbysantocsddshCmbysantocsddsh
Cmbysantocsddsh
 
Cddmbysantcsosh
CddmbysantcsoshCddmbysantcsosh
Cddmbysantcsosh
 
Ccbysantsddosh
Ccbysantsddosh  Ccbysantsddosh
Ccbysantsddosh
 
Ccsdbyhday1santodms
Ccsdbyhday1santodmsCcsdbyhday1santodms
Ccsdbyhday1santodms
 
Serskmanagvicedeement
SerskmanagvicedeementSerskmanagvicedeement
Serskmanagvicedeement
 

Recently uploaded

mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 

Recently uploaded (20)

mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 

Topic11

1. FOUNDATION IN CYBER SECURITY
Security Threats and Controls
Cryptography and Access Control
2. Trainer Profile
LEO LOURDES (MBA IT Management, BoM Hons. HRM)
Implementer of ISO 20000-1:2011
Certified in COBIT® 5
Certified in ISO 9001 Auditor (PECB)
Certified in PRINCE2® in Project Management
Certified in ITIL® Practitioner
Certified in ITIL® Intermediate Certificate in IT Service Operation
Certified in ITIL Information Security based on ISO/IEC 27002
Certified in ITIL for Cloud Computing
Certified in ITIL IT Service Management
Certified in Coaching and Calibration Skills for Call Center
Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom
wecare@thinkleosolutions.com
+6012-311 6457 / +6016-349 1793
Experience:
Management Representative (MR) ISO 20000-1:2011
IT Service Management (Incident, Problem, Change) Manager
Security, Compliance & Risk Management
Senior CRM Delivery Analyst
Certified Trainer
Certified IT Auditor & Consultant
3. The CIA Triad (diagram): Confidentiality, Integrity, Availability
Copyright © 2019 Logical Operations, Inc. All rights reserved.
4. Common Security Terms (Slide 1 of 2)
Asset: Anything of value that could be compromised, stolen, or harmed, including information, systems, personnel, physical resources, and reputation.
Threat: Any event or action that could potentially cause damage to an asset or an interruption of services.
Threat actor: A person, group, or other entity that could potentially attack, damage, or otherwise compromise a system or resource.
Vulnerability: A condition that leaves the system and its assets open to harm, including software bugs, insecure passwords, inadequate physical security, poorly designed networks, or insufficient user training and awareness.
Exploit: A technique that takes advantage of a vulnerability to perform an attack.
Risk: The likelihood of a threat occurring, as well as its potential damage to assets.
Control: A countermeasure that you put in place to avoid, mitigate, or counteract security risks due to threats or attacks; also known as a safeguard.
5. Common Security Terms (Slide 2 of 2)
Attack: The active attempt by a threat actor to break into and exploit a vulnerable system, data, or other resource.
Breach: The result of a successful attack. Can include theft, destruction, or loss of availability of data, a system, or other resources.
Exposure: The level, usually expressed as a percentage, to which a resource is at direct risk of attack.
Social engineering: The practice of using deception and trickery against human beings as a method of attack.
Defense in depth: The practice of providing security in multiple layers for more comprehensive protection against attack.
6. Security Governance
• Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactionary security culture into a proactive one.
• Supports business objectives to minimize cost and disruption.
• A major objective is compliance: compliance assures that the organization operates within regulatory requirements.
7. Organizational Governance Structure (diagram)
Board of Directors/CEO -> CISO -> Security Department Management -> Staff
8. The Organizational Culture's Impact on Security
• The structure of an organization can impact its security.
• Who is responsible for what? Who do they report to?
• Different levels are responsible for different security requirements and tasks.
9. Security and Business Alignment
• Security professionals must advise decision makers based on risk.
• Cost prohibits 100% security.
• To support business constraints:
  • Assess risk and determine needs.
  • Implement policies and controls to mitigate risk.
  • Promote awareness of expectations.
  • Monitor and evaluate the effectiveness of the controls.
  • Use the results as input to the next risk assessment.
• IT is the business, and the business is IT.
  • Not a separate function; integral to the business.
  • The business makes money from the IT platform.
  • Recognize the mutual nature of security and business.
10. Roles and Responsibilities (Slide 1 of 2)
End Users: Protect information on a daily basis. Adhere to security policies. Be mindful of everything they do. Report security issues.
Administrative Assistants: First line of defense against social engineering. Screen phone calls for executives.
Help Desk/Service Desk Administrators: Answer user questions about system problems. Help desk calls may indicate security issues.
Physical Security: First line of defense regarding the physical location of assets. Can work with external law enforcement. Role may be integrated with information systems security.
Information Systems/IT Professionals: Design security controls into information systems.
Information Systems Security Professionals: Inform executive management of security concerns and suggest solutions.
11. Roles and Responsibilities (Slide 2 of 2)
Information Systems Auditors: Determine whether systems and personnel are in compliance. Check configuration and design, implementation, and operation of systems.
Business Continuity Planners: Develop contingency plans to prepare for incidents.
Data/Information Custodians: Implement access control levels based on the data owner's specifications. Back up data to ensure recovery after loss or corruption.
Data/Information/Business Owners: Classify data. Determine the level of access to data.
Security Administrators: Manage access to information systems. Keep logs of all requests for access. Provide logs to the auditor.
Network/Systems Administrators: Keep the network infrastructure running to ensure availability. Physically implement access controls to data.
Executive Management: Protect the information assets of the organization. May include the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).
12. Security Goal Categories
Strategic: Align with business and information technology goals. Long horizon (3-5 years or more). Example: establish security policies and ensure all users understand their responsibilities.
Tactical: Provide the broad initiatives necessary to support the goals of the strategic plan. May consist of multiple projects. Usually a 6-18 month time period. Example: implement disaster recovery programs and customer relationship management.
Operational: Specific short-term goals. Put the tactical plan into practice. Ensure that individual projects are completed with milestones. Example: perform project-wise risk assessment and development of security policies.
13. Legislative and Regulatory Compliance
• Security professionals must understand all laws that apply to their organization.
• Specific conditions must be met in certain cases.
• Identify any safe harbors that could help the organization avoid penalties. Safe harbors are practices or actions that are deemed not to be in violation of the law.
• Policies and other documentation should be consistent with applicable laws and regulations.
• There are different types of laws; not all laws are regulatory in nature.
14. Computer Crime (diagram: attack on a government database holding classified information)
15. Data Breach
• An incident that results in the release or potential exposure of secure information.
• Can be a true test of legal compliance.
• If the organization has performed due care to comply with laws, the breach's effects may be mitigated, and the organization can also avoid severe legal penalties.
• Especially a concern with privacy laws, as many breaches expose customer PII.
• Consequences for compliance failure are magnified under a breach.
• Most laws require timely notification in the event of a breach.
16. Industry Standards (Slide 1 of 2)
PCI DSS:
• Specifies how organizations handle information security for the major card brands.
• Compliance is validated on an annual basis.
• Organizations or merchants that accept, transmit, or store cardholder data from these brands must comply.
NIST SP 800 series: Various publications establish computer security standards, including:
• SP 800-12: An Introduction to Computer Security: The NIST Handbook
• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
• SP 800-33: Underlying Technical Models for Information Technology Security
• SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
17. Industry Standards (Slide 2 of 2)
COBIT 5: Standards for IT management and governance, promoting five principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
ISO/IEC 27001: Focuses on topics in information security management:
• Responsibilities and procedures.
• Reporting information security events.
• Reporting information security weaknesses.
• Assessment of and decision on information security events.
• Response to information security incidents.
• Learning from information security incidents.
• Collection of evidence.
18. The Value of Security Documentation
• Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving organizational goals.
• Security documentation can also act as a road map to governance.
19. Security Document Types
Policy: High-level statement of management intentions. Contains the purpose, scope, and compliance expected of every employee. Example: Information security will ensure the protection of information by implementing security best practices.
Standard: Required implementation or use of tools. Example: The corporation must implement 802.1X security for all wireless networks.
Guideline: Recommended or suggested action or best practice. Example: When travelling with laptops, users should use safety precautions to prevent laptop theft, damage, or data loss.
Procedure: Step-by-step description of how to implement a system or process. Example: To implement Secure Shell (SSH) on the router, enter enable mode and then enter the appropriate commands for the router.
Baseline: Minimum security required for a system or process. Example: Trivial File Transfer Protocol (TFTP) must be disabled on all servers except those specifically used for the TFTP service.
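A baseline is only useful if it can be checked against real systems. The following is an added example, not part of the original deck: it turns the TFTP baseline above into an automated check by parsing the UDP listener list that `ss -ulnp` prints on Linux. The host names, the allowlist of approved TFTP servers, and the `ss` output embedded below are constructed for illustration.

```python
"""Check the baseline "TFTP must be disabled on all servers except those
specifically used for the TFTP service" against per-host `ss -ulnp` output.

Added example; the hosts, allowlist and sample output are constructed.
"""
import re

TFTP_PORT = 69
# Hosts approved to run TFTP under the baseline (assumption for the example).
TFTP_SERVERS = {"pxe-boot-01"}

# `ss -ulnp` rows look like:
#   UNCONN  0  0  0.0.0.0:69  0.0.0.0:*  users:(("in.tftpd",pid=812,fd=4))
# Capture the local address and port; IPv6 wildcards appear as [::]:69.
_LISTENER = re.compile(r"^UNCONN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def listening_udp_ports(ss_output: str) -> set[int]:
    """Return the set of UDP ports a host listens on, parsed from `ss -ulnp` output."""
    ports = set()
    for line in ss_output.splitlines():
        m = _LISTENER.match(line)
        if m:
            ports.add(int(m.group("port")))
    return ports


def tftp_baseline_violations(hosts: dict[str, str]) -> list[str]:
    """hosts maps hostname -> its `ss -ulnp` output; returns hosts that break the baseline."""
    violations = []
    for host, output in hosts.items():
        if TFTP_PORT in listening_udp_ports(output) and host not in TFTP_SERVERS:
            violations.append(host)
    return sorted(violations)


# Constructed sample output (not captured from real systems).
SAMPLE_HOSTS = {
    "pxe-boot-01": (
        'State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process\n'
        'UNCONN  0       0              0.0.0.0:69          0.0.0.0:*      users:(("in.tftpd",pid=812,fd=4))\n'
        'UNCONN  0       0              0.0.0.0:123         0.0.0.0:*      users:(("chronyd",pid=501,fd=6))\n'
    ),
    "web-02": (
        'State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process\n'
        'UNCONN  0       0              0.0.0.0:123         0.0.0.0:*      users:(("chronyd",pid=498,fd=6))\n'
    ),
    "legacy-print-07": (
        'State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process\n'
        'UNCONN  0       0                 [::]:69             [::]:*      users:(("in.tftpd",pid=233,fd=3))\n'
        'UNCONN  0       0              0.0.0.0:161         0.0.0.0:*      users:(("snmpd",pid=240,fd=7))\n'
    ),
}

if __name__ == "__main__":
    for host in tftp_baseline_violations(SAMPLE_HOSTS):
        print(f"BASELINE VIOLATION: {host} listens on UDP/{TFTP_PORT} (TFTP) "
              f"but is not an approved TFTP server")
```

In production the `ss` output would be collected from each host (for instance by a configuration-management agent) and the allowlist kept in the baseline document itself, so that the exception list and the check never drift apart.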
20. The Relationship Between Security Document Types (diagram)
Diagram layers: Laws and Requirements; Strategic; Tactical; Operational.
• Policies: statement of management intentions.
• Standards: mandatory implementation.
• Guidelines: recommended actions.
• Procedures: step-by-step instructions.
• Baselines: consistent comparison points.
Policy types: advisory, informative, regulatory.
21. Asset Identification
• Comprehensively identify all assets in the organization.
• Waiting until it's too late will make it harder to recover an asset.
• If you don't identify an asset, you may not even know when it's compromised.
• Describe assets in terms of: basic characteristics; value to the company; use on a daily basis; replaceability.
22. Asset Valuation
• What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much will we lose in operational functionality if the asset is misplaced or damaged?
• What would it cost to replace it?
• What might enemies pay for it?
• What liability penalties might occur if the asset is compromised?
23. Identify Threats
Natural disasters: earthquakes, wildfires, flooding, excessive snowfalls, tsunamis, hurricanes, tornados, landslides.
Man-made disasters, intentional: arson, terrorist attacks, political unrest, break-ins, theft of equipment and/or data, equipment damage, file destruction, information disclosure.
Man-made disasters, unintentional: employee mistakes, power outages, excessive employee illnesses or epidemics, information disclosure.
24. Control Selection Criteria
• Selection criteria: cost effectiveness, risk reduction, practicality.
• Additional details to consider:
  • Can the control be audited?
  • Is the control from a trusted source?
  • Can the control be consistently applied?
  • Is the control reliable?
  • Is the control independent from other controls?
  • Is the control easy to use?
  • Can the control be automated?
  • Is the control sustainable?
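The slides define risk as likelihood times potential damage, exposure as a percentage of an asset at risk, and cost effectiveness and risk reduction as the first two selection criteria. The following added example (not part of the original deck) ties those together with the standard quantitative formulas, which the slides do not spell out: single loss expectancy SLE = asset value x exposure factor, annualised loss expectancy ALE = SLE x annualised rate of occurrence, and a control is cost-effective when the ALE it avoids exceeds its annual cost. The assets, threats, controls and all figures below are constructed for illustration.

```python
"""Rank candidate controls by net benefit using SLE/ALE risk analysis.

Added example; the formulas are the standard quantitative ones and every
asset, threat, control and figure below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # replacement cost plus liability if compromised
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # annualised rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy with no control in place."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: Risk
    annual_cost: float      # purchase amortised over its lifetime plus operation
    risk_reduction: float   # fraction of the ALE the control removes (0..1)

    def residual_ale(self) -> float:
        """Expected annual loss that remains after the control is applied."""
        return self.risk.ale() * (1.0 - self.risk_reduction)

    def net_benefit(self) -> float:
        """ALE avoided minus the control's cost; positive means cost-effective."""
        return (self.risk.ale() - self.residual_ale()) - self.annual_cost


def select_controls(candidates: list[Control]) -> list[Control]:
    """Keep only cost-effective controls, highest net benefit first."""
    worthwhile = [c for c in candidates if c.net_benefit() > 0]
    return sorted(worthwhile, key=lambda c: c.net_benefit(), reverse=True)


# Constructed figures for illustration only.
CUSTOMER_DB = Risk("customer database", "ransomware",
                   asset_value=500_000, exposure_factor=0.6, aro=0.25)
WEB_SERVER = Risk("public web server", "defacement",
                  asset_value=40_000, exposure_factor=0.5, aro=2.0)

CANDIDATES = [
    Control("offline backups + tested restore", CUSTOMER_DB,
            annual_cost=15_000, risk_reduction=0.8),
    Control("ransomware insurance rider", CUSTOMER_DB,
            annual_cost=70_000, risk_reduction=0.9),
    Control("web application firewall", WEB_SERVER,
            annual_cost=12_000, risk_reduction=0.7),
    Control("dedicated analyst for the web tier", WEB_SERVER,
            annual_cost=90_000, risk_reduction=0.95),
]

if __name__ == "__main__":
    for c in select_controls(CANDIDATES):
        print(f"{c.name:40s} ALE {c.risk.ale():>9,.0f} -> {c.residual_ale():>9,.0f}"
              f"   net benefit {c.net_benefit():>9,.0f}")
```

With these figures the customer database carries an ALE of 75,000 and the web server 40,000; offline backups and the web application firewall are selected, while the insurance rider and the dedicated analyst remove more risk but cost more per year than the loss they avoid. The remaining criteria on the slide (auditability, reliability, independence, automation) are the qualitative filters applied to whatever survives this arithmetic.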
25. Control Types (diagram: administrative, physical, and technical controls layered around the user)
• Administrative: covers personnel security, risk management, training, permissions, etc.
• Physical: limit a person's physical access to assets or facilities, using locks, doors, fences, etc. Example: an infrared monitoring system can detect the presence of an intruder.
• Technical: also known as logical controls. Implemented in computing environments such as operating systems, applications, databases, network devices, etc.
• Prefer physical or technical controls, as administrative controls require manual enforcement.
26. Monitoring and Measuring
• Not just simple pass/fail results or generating paperwork for an audit.
• A well-executed assessment determines the validity and effectiveness of controls.
• Can expose strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
27. Continuous Improvement
• An ongoing effort to optimize policies and processes.
• A function of risk management.
• Includes these best practices:
  • Continuously seek to discover new vulnerabilities.
  • Be context aware in your risk analysis.
  • Prioritize your efforts on vulnerabilities that actually pose a significant risk.
  • Determine patchability.
  • 28. Threat Types (Slide 1 of 2)
    • Cryptojacking: unauthorized use of someone else's computing device to mine cryptocurrency. Devices can include computers, phones, routers and IoT devices.
    • Advanced Persistent Threat (APT): a stealthy attack in which the intruder remains undetected for a lengthy period of time. Usually sponsored by nation states or organizations that have considerable resources.
    • Phishing and social engineering: attackers use psychological tactics to manipulate victims into disclosing information or performing an action that they shouldn't. Phishing is the most common form; it uses email with malicious attachments or links.
    • Insider threat: disgruntled employees and others with internal access use their access privileges or knowledge to steal data or damage systems. Can also be accidental/unintentional.
    • Malware: any software intended to damage a computer system. Can be distributed through email, websites, file sharing, social media, even legitimately published software. Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware, spyware, etc.
  • 29. Threat Types (Slide 2 of 2)
    • Denial of service: any attack that consumes computer or network resources so the system cannot service legitimate client requests. Can be conducted against the network, CPU, RAM, disk space or the maximum allowed connections.
    • Unauthorized network access: deliberate or accidental; normal security controls are bypassed.
    • Injection and cross-site commands: malicious commands hide inside normal browser activity. Includes command and SQL injection, XSS and XSRF.
    • Session hijacking / man-in-the-middle: the attacker takes over a legitimate network connection, often after the user has authenticated.
  • 30. Security Awareness
    • Employees are the weakest link in security.
    • Help employees understand: risks; the impact for the company and for themselves; security policies and procedures.
    • Focus on attitude, motivation and attention.
  • 31. Security Training
    • A clearly defined target audience.
    • Training objectives mapped to desired increases in on-the-job security practices.
    • Training outcomes that can be quantified and measured.
    • Variations and customizations for different job roles and levels.
    • Provisions for updates and refresher training sessions.
  • 32. Access Control
    • The process of allowing only authorized entities to observe, modify or take possession of a computer system or physical property.
    • Subject: the entity requesting access (a person, a system or a process).
    • Object: the entity being accessed; any resource.
    • Limits a subject's access to an object using predefined rules, roles or labels.
    (Diagram: subjects requesting access to objects.)
  • 33. Types of Access Control Services
    • Identification and Authentication (I&A): provides a unique identifier for each authorized subject attempting to access the object, and includes the method or methods used to ensure the identity of the subject (authentication). Typically administered with an identity management system and the support of a directory.
    • Authorization: determines the capabilities or rights of the subject when accessing the object.
    • Audit: creates a log or record of system activities.
    • Accountability: reports on and reviews the contents of log files. Each subject identifier must be unique so that activities can be related to one subject.
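As an added illustration (not part of the course slides), the Python below wires the four services on slide 33 into one small reference monitor over the subject/object model of slide 32: each subject has a unique identifier, is authenticated against a secret, is authorized against rules for an object, and every decision is written to an audit log that accountability reviews per subject. The subjects, secrets, objects and rules are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed identity store: unique subject identifier -> secret and roles.
SUBJECTS = {
    "alice": {"secret": "correct-horse", "roles": {"analyst"}},
    "svc-backup": {"secret": "tape-42", "roles": {"backup"}},
}

# Constructed authorization rules: object -> role -> permitted actions.
RULES = {
    "hr-db": {"analyst": {"read"}, "backup": {"read"}},
    "payroll": {"backup": {"read", "write"}},
}


@dataclass
class ReferenceMonitor:
    # Audit service: every authentication and authorization decision is
    # appended here as (subject, action, object, allowed).
    audit_log: list = field(default_factory=list)

    def authenticate(self, subject_id: str, secret: str) -> bool:
        # I&A: the identifier selects exactly one subject; the secret proves it.
        entry = SUBJECTS.get(subject_id)
        ok = entry is not None and hmac.compare_digest(entry["secret"], secret)
        self.audit_log.append((subject_id, "login", None, ok))
        return ok

    def authorize(self, subject_id: str, action: str, obj: str) -> bool:
        # Authorization: the subject's roles decide its rights on the object.
        roles = SUBJECTS.get(subject_id, {}).get("roles", set())
        ok = any(action in RULES.get(obj, {}).get(r, set()) for r in roles)
        self.audit_log.append((subject_id, action, obj, ok))
        return ok

    def access(self, subject_id: str, secret: str, action: str, obj: str) -> bool:
        # A subject that fails authentication never reaches authorization.
        if not self.authenticate(subject_id, secret):
            return False
        return self.authorize(subject_id, action, obj)

    def activity_of(self, subject_id: str) -> list:
        # Accountability: review the log for one subject. This is only
        # meaningful because each subject identifier is unique.
        return [e for e in self.audit_log if e[0] == subject_id]
```

Failed logins are logged as well, so a review of one subject's activity shows both what it was granted and what it attempted.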
  • 34. Identity and Access Provisioning Lifecycle
    (Diagram: Provisioning → Review → Revocation/Deprovisioning.)
  • 35. Facilities Access
    Logical access concerns and mitigations:
    • Electronic intrusion into the network: establish a logical perimeter.
    • Hijacking of networked utilities or industrial control systems: harden network utilities with strong authentication and authorization.
    • Remote tampering with networked physical access mechanisms: continuously monitor the access granted by networked mechanisms.
    Physical access concerns and mitigations:
    • Unauthorized people entering the facility: establish a physical perimeter; use guards and entrance/exit checkpoints.
    • Unauthorized people attempting to enter the facility: security cameras.
    • Unrestricted access to all areas within the facility: create physical security zones within the building; use guards or doors requiring an ID card.
  • 36. Systems Access
    Logical access concerns and mitigations:
    • Attacker access to configuration consoles: administrator configuration of systems; change the default administrator password.
    • Remote access to a critical system by an attacker: establish authentication and authorization in remote services.
    Physical access concerns and mitigations:
    • Physical damage to servers: segment servers behind closely guarded rooms.
    • Physical damage to networking equipment: equipment lockers.
  • 37. Device Access
    Logical access concerns and mitigations:
    • Attacker accessing the configuration console: strong user names and passwords; change default passwords.
    • Unrestricted access to workstations: require authentication/authorization mechanisms.
    • Device mobility and BYOD (devices often pass beyond the perimeter): implement mobile device management; require PIN use.
    Physical access concerns and mitigations:
    • Device theft: physical locks on devices.
    • Device loss: lock up phones/tablets; require PIN use.
    • Unmonitored access to background wireless connections: turn off Bluetooth, NFC and geo-locating unless required.
  • 38. Information Access
    Logical access concerns and mitigations:
    • Databases with sensitive information are prime targets: isolate the database from the rest of the network; use authentication/authorization mechanisms.
    • Inability to determine who is using remote connections: implement remote authentication protocols.
    • All accounts allow full access to data: set up varied levels of access permissions.
    Physical access concerns and mitigations:
    • Attackers simply walking out with a bunch of servers: lock and monitor server rooms/data centers.
    • Hard copies of sensitive information: keep hard copies in locked file cabinets/safes.
  • 39. Something You Have
    • Or "authentication by possession."
    • A device that must be physically present to be used for access.
    • Theft of the device prevents access for the authorized user and may allow access by an unauthorized user.
    • Often used together with a PIN/password for two-factor authentication.
    (Diagram: a PIN or password, user information and the device's unique value combine into two-factor authentication.)
  • 40. Something You Are
    • Or "authentication by characteristic."
    • Uses personal attributes: fingerprints, hand geometry, retina scans, iris scans, facial recognition, voiceprints.
    (Diagram: fingerprint scanner.)
  • 41. Session Management
    • A single instance of identification and authentication applied to resources.
    • Permissions won't change for the duration of the session.
    • Lock the session using timeouts and screensavers.
  • 42. Federated Identity
    • A single identity linked across many different identity management systems.
    (Diagram: Microsoft Account shown as an example.)
  • 43. Directory Services
    • Centralized authentication system.
    • Provides a consistent, scalable mechanism to control access to applications, services and systems.
    • Common examples: X.500, LDAP, Active Directory.
    (Diagram: authentication with centralized administration.)
  • 44. SSO
    • Allows a user to authenticate once and receive access to a number of related but independent software systems.
    • SSO is often considered a subset of identity federation.
    • Benefits:
      • Control over compromised credentials is quickly regained by a single action.
      • A central server minimizes the burden of logging in and of monitoring user logins.
      • Easy to use, because users only have to remember one password.
    • Security considerations:
      • Compromise of a single set of credentials allows access to multiple systems.
      • If the authentication server becomes unavailable, the entire system might become unavailable.
      • Multiple levels of authentication are needed to ensure a secure SSO system.
    (Diagram: one login granting access to email and a file server.)
  • 45. Cryptography
    (Diagram: unprotected data passes through encryption to become protected data.)
  • 46. Encryption and Decryption
    (Diagram: encryption turns plaintext into ciphertext; decryption turns ciphertext back into plaintext.)
  • 47. Ciphers
    • A rule, system or mechanism used to encrypt data.
    • Also known as an encryption algorithm.
    • A stronger, more complex algorithm is more difficult to break.
    (Diagram: original information passes through the cipher to become encrypted information.)
  • 48. Key Clustering
    (Diagram: the same original information, encrypted with the cipher under two different keys, produces the same ciphertext, U@5.)
  • 49. Steganography
    • Steganographic techniques include: hiding information in blocks; hiding information within images; invisibly altering the structure of a digital image.
    (Diagram: a vessel image combined with secret data produces a steganographic image.)
  • 50. Symmetric Encryption
    (Diagram: the same key on both sides encrypts and decrypts the data.)
  • 51. Symmetric Encryption Considerations
    • Symmetric encryption benefits: good performance; well suited to encrypting both data at rest and data in transit.
    • The greatest challenge is key management:
      • Both parties must agree upon the key ahead of time.
      • If the key is compromised, all files and communications encrypted with that key are also compromised.
      • A new key must then be issued, with both parties again communicating ahead of time to agree upon the key.
  • 52. Asymmetric Encryption
    (Diagram: the public key encrypts; the private key decrypts.)
  • 53. Asymmetric Encryption Techniques
    • Rivest Shamir Adleman (RSA)
    • Diffie-Hellman (DH)
    • Elliptic Curve Cryptography (ECC)
    • Diffie-Hellman Ephemeral (DHE)
    • Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
    • ElGamal
    • Digital Signature Algorithm (DSA)
    • Knapsack
  • 54. Asymmetric Encryption Considerations
    • Asymmetric encryption is generally stronger than symmetric encryption.
    • More flexible key management.
    • Asymmetric algorithms have significantly lower performance than symmetric algorithms.
    • Asymmetric algorithms are used to encrypt only short amounts of data, such as another encryption key.
    • It is very common to use a combination of both methods.
    • The biggest issue, besides performance, is the liability a person incurs if they lose their private key:
      • The private key should never be exposed.
      • It is always stored in a non-paged part of kernel memory.
      • If you put it on a smart card or other removable media, you must encrypt it (typically with a password or other symmetric key).
      • If someone steals your private key, they could impersonate you, getting you into legal trouble.
      • Compromised keys should immediately be revoked and reissued.
  • 55. Hashing
    • Hashing is one-way encryption: the hash cannot be reversed to recover the message.
    (Diagram: the message "This is a secret" passes through the hash function and produces the hash 508FF7A91DB0A80A13151F786FBB6E43.)
  • 56. Salting the Hash
    • Adding a random number to the input of a hashing function to create unique hash values.
    (Diagram: the message and the secret feed the hash function, producing hash 1.)
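An added example (not from the slides), using only Python's standard library, that covers slides 55 and 56 together: hashing the slide's message "This is a secret" is one-way and repeatable, a salt makes two records of the same message hash differently, and verification recomputes the hash with the stored salt. SHA-256 is assumed here, so the digests are longer than the one drawn on slide 55; the message, salts and candidate list are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional


def plain_hash(message: str) -> str:
    # One-way: the digest cannot be reversed to recover the message, but the
    # same message always yields the same digest.
    return hashlib.sha256(message.encode()).hexdigest()


def salted_hash(message: str, salt: bytes) -> str:
    # The salt is prepended to the input before hashing. It is random, not
    # secret, and is stored beside the digest so it can be reused to verify.
    return hashlib.sha256(salt + message.encode()).hexdigest()


def store(message: str, salt: Optional[bytes] = None) -> tuple:
    # Generate a fresh 16-byte salt per record unless a fixed one is supplied
    # (fixed salts are used only so the example is reproducible).
    salt = os.urandom(16) if salt is None else salt
    return salt, salted_hash(message, salt)


def verify(message: str, salt: bytes, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_hash(message, salt), stored)


def lookup(digest: str, candidates: list) -> Optional[str]:
    # A precomputed table of candidate inputs: it recovers the message behind
    # an unsalted digest but never matches a salted one, because the table
    # would have to be rebuilt for every distinct salt.
    table = {plain_hash(c): c for c in candidates}
    return table.get(digest)
```

For stored passwords, the same salting principle is applied with a deliberately slow key derivation function such as hashlib.pbkdf2_hmac rather than a single SHA-256 pass.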
  • 57. END