CYBERSECURITY - Best Practices, Concepts & Case Study (Mindmap)

Posted on 10-Feb-2017





A) Definition:

The cybersecurity domain is a collection of best practices, technologies, frameworks & standards that protect an enterprise, organisation, government entity, military establishment or individual user from global cyber threats (identity theft, cyber theft, cyber ransom, infrastructure damage) which would otherwise result in financial, economic, copyright information, personal identity or infrastructure loss.

B) Well known Cybersecurity Risk Standards & Frameworks:

NIST Cybersecurity Framework

ISO 27001 (Information Security Management Framework)

NIST SP800-53

NIST SP800-30

ISA 62443

ISO 27005

C) Establishment and acceptance of the Cybersecurity Standards:

The cybersecurity standards were first adopted at the Seoul (South Korea) Conference on Global Cybersecurity in 2013.

D) Cybersecurity Tactics (Holistic View):

Manage physical access to IT infrastructure

Manage sensitive documents and output devices

Monitor the infrastructure for security-related events

Protect against malware (the most challenging and difficult aspect of cybersecurity)

Manage network and connectivity security

Manage user identity and logical access

E) Cybersecurity Lifecycle:

The cybersecurity lifecycle is described by Figure 1 below, which decomposes it into its various stages.

    CyberSecurity Concepts & Best practices (MIND MAP)


Risk Actions: the most generally accepted actions in risk management are (1) risk acceptance, (2) risk transfer, (3) risk avoidance and (4) risk mitigation, chosen according to the risk appetite / risk tolerance threshold of an organisation.

Figure 1: Cybersecurity Lifecycle (stages as labelled in the figure)

(1) Identify business outcomes
(2) Understand vulnerabilities
(3) Create current profile
(4) Conduct risk
(5) Apply controls
(6) Create target profile
(7) & prioritize gaps
(8) Implement plan
(9) Report to stakeholders
(10) Continuous monitoring


F) Threat to Cyberdefense: The damage caused by threats to cyberdefense can be characterized as loss of confidentiality, integrity or availability (CIA), the basic model of data security as practised in ISO 27001/27002 and other globally accepted standards.

G) Lockheed Martin - Hacker Kill Chain:

The Kill Chain methodology of the US aerospace major Lockheed Martin describes seven steps, from reconnaissance through actions on the objectives, and recommends that defenses be designed to align with each of the seven steps in the process:


1. Reconnaissance:

Finding the host, internet website and domain

IP address scan of the business domain

Port scan of the active hosts

Automated scanning by botnets (compromised systems)

Locate the network topology and identify potential access control devices

Tools: Traceroute, VisualRoute, NetScan Tools, pinger, fping, SuperScan, Nmap, LANguard etc.

2. Weaponization:

Identify the vulnerability

Initiate the attack

Couple a remote access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (the most commonly used weaponizers are Adobe PDF and Microsoft Office documents)

Tools: Nmap, Nessus, WebInspect, ISS Internet Scanner, Retina etc.

3. Delivery:

Transmission of the weapon to the targeted environment

The three most prevalent delivery vectors for weaponized payloads are emails, compromised websites & USB removable media

4. Exploitation:

The email, website or USB payload exploits a vulnerability on launch and the hacker gets remote access to an admin shell

Exploitation targets an operating system or application vulnerability

5. Installation:

Install malware (malicious code) into memory, disk or the operating system kernel; modify the Windows registry; modify the Unix kernel

This allows installation of a remote access Trojan or backdoor on the victim system

6. Command & Control (C2):

Compromised systems/hosts beacon back to the master controller to establish a C2 channel


The hacker gains complete control of the compromised system

Intruders have hands-on-keyboard access to the targeted environment

7. Action:

This activity is data exfiltration, which involves collecting, encrypting and extracting information (e.g. defacing a website, stealing credit card information, stealing copyright information, stealing IE passwords, modifying banking websites, stealing medical records) etc.

H) Popular Cyber Attacks: The most popular cyber attacks are listed below

| # | Attack Type (Code Name) | Attack Payload | Damage |
|---|---|---|---|
| 1 | Phishing/Spearphishing | Emails, Phishing Websites | Gain Control of System by Intruder |
| 2 | Driveby/Waterhole/Malvertising | Phishing Websites | Gain Control of System by Intruder |
| 3 | Code Injection/Web Shell | Vulnerable Website | Gain Control of System by Intruder |
| 4 | Key Logging/Session Hijacking | Malware Injection | Gain Control of System by Intruder |
| 5 | Pass-the-Hash & Pass-the-Ticket | Vulnerable Operating System | Network Control by Intruder |
| 6 | Malware/Botnet | Malware Injection | Gain Control of System by Intruder |
| 7 | Distributed Denial of Service (DDoS) | Streams of Data Packets sent to Host | Denial of Service by Host |
| 8 | Identity Theft | Vulnerable Operating System | Loss of Personal Data (Credit Card No, Social Security No, Medical Records) |
| 9 | Industrial Espionage | APT (Advanced Persistent Threat) Malware | Loss of Confidential/Copyright Information |
| 10 | Ransomware | Ransomware Malware | No access to File Shares/Directories |
| 11 | Bank Heist | Vulnerable Operating System | Gain Control of System by Intruder |
| 12 | Sabotage | Emails, USB Media, Websites | Infrastructure Damage |
| 13 | Infestation/Whack-a-Mole | Malware Injection | Breach of Confidentiality, Integrity, Availability of the Network |
| 14 | Burndown | Vulnerable OS, Application, Database | Infrastructure Damage |
| 15 | Meltdown | Vulnerable OS, Application, Database | Enterprise Infrastructure Damage |
| 16 | Defamation | Social Engineering | Personal Data Loss |
| 17 | Graffiti | Vulnerable Website | Defacing of Website |


I) Some Famous Cyber Hacks in History:

| # | Hack Code Name | Attack Payload | Damage | Year |
|---|---|---|---|---|
| 1 | CD-Universe Hack | OS & Application Vulnerability | Stolen Credit Card Numbers (Data Breach) | |
| 2 | DDoS (Distributed Denial of Service) - Yahoo & CNN | Packet Stream to Host Web Site (Port 80) | Denial of Service (DoS) | 2000 |
| 3 | Nimda Virus | Trojan weaponization through IIS exploits, Email, HTTP Browsing, Windows Network Neighborhood | Denial of Service (DoS) | 2001 |
| 4 | Sony Pictures DDoS | Botnet Network | Distributed Denial of Service (DDoS) | |
| 5 | QAZ Worm Hack - Microsoft (USA) | Trojan weaponization through IIS exploits, Email, HTTP Browsing | Denial of Service (DoS) | 2000 |
| 6 | Egghead Crack (Popular E-commerce Site) | OS & Application Vulnerability | Stolen Credit Card Numbers (Data Breach) | |
| 7 | Global DDoS (Network Time Protocol Reflection Attack) | Botnet Network, NTP Protocol | Distributed Denial of Service (DDoS) | |
| 8 | Anthem (USA) Data Breach | OS & Application Vulnerability | Stolen Medical Records | 2015 |
| 9 | State Attack - Political (Cyber Sabotage) | APT - Stuxnet Malware | Infrastructure Damage to Iran Nuclear Facilities by USA & Israel | |
| 10 | State Attack - Political (Cyber Espionage) | E-Mail Attachments | Stolen Confidential Data by China Hackers (Titan Rain) in Pentagon | |


J) Types of Hackers (Profile):

- Individual hackers, state-sponsored hackers (with a political & military agenda) & cyber criminals (organised mafia)


    K) Types of Malware & Protection best practices:


L) Security Operation Center (SOC) key components:

Lately the SOC has become an integral part of any organisation's protection against cyber attacks, enabling it to detect, correct and recover from a cyber incident in the shortest possible time without further damage to its reputation. The critical components of a SOC are as follows:

IDS/IPS infrastructure

Firewall infrastructure

SIEM (Security Information and Event Management system)

Logging and alerting mechanism

Security incident processes

Forensics capability

User training & retention

Managing evidence


M) Cybersecurity Architecture: Using industry best practices and standards, the cybersecurity architecture can be broken down as follows

N) Defense in Depth:

This is the most common practice employed by organisations to create and implement a multilayered approach to cybersecurity. It is described by the following process (Figure 2) and can be implemented at the various layers of the network infrastructure:

Network Security

Identity, Authentication and Access Management

Data Protection and Cryptography

Monitoring, Vulnerability & Patch Management

High Availability, Disaster Recovery & Physical Protection

Asset Management & Supply Chain

Policy, Audit, E-Discovery & Training

Systems Administration

Application Security

Endpoint, Server & Device Security