Instructor-Led Course Cybersecurity Fundamentals

Post on 28-May-2020


Page 1: Cybersecurity Fundamentals Course - ISACA Curacaoisacacuracao.com/wp-content/uploads/2019/01/CSX... · Understanding Likelihood 44. Source: “Generic Risk Model with Key Risk Factors,”

Instructor-Led Course

Cybersecurity Fundamentals

Page 2: Facilitator Introduction

Name
Background
Contact Information

Page 3: Audience Poll Question

What is your involvement in cybersecurity?

A. Personal interest
B. Consulting
C. Full-time position
D. Dual role

Page 4: Audience Poll Question

How many years of experience do you have performing cybersecurity?

A. No experience
B. Less than 2 years
C. 2 – 5 years
D. 5+ years

Page 5: Audience Poll Question

Have you ever been personally involved in a cybersecurity incident?

A. Yes
B. No

Page 6: Course Objectives

After completing this course you will be able to:

• Identify key concepts and terminology in cybersecurity.
• Define the key concepts, roles and domains of cybersecurity.
• Identify the various types of cybersecurity architecture.
• Identify the key components of securing networks, systems, applications and data.
• Identify an incident and outline the phases of incident response.
• Identify the implications of the adoption of evolving technology.

Page 7: Topics Covered in This Course

Cybersecurity introduction and overview
Cybersecurity concepts
Security architecture principles
Security of networks, systems, applications and data
Incident response
Security implications of the adoption of emerging technologies

Page 8: Section 1: Cybersecurity Introduction and Overview

Page 9: Topics Covered in This Section

1. Introduction and definition of cybersecurity
2. Comparison of cybersecurity and information security
3. The objectives of cybersecurity
4. Cybersecurity roles and governance
5. Domains of cybersecurity

Page 10: Section Objectives

Upon completing this section you will be able to:

• Define the key concepts, roles and domains of cybersecurity.

Page 11: Topic 1: Introduction to Cybersecurity

Page 12: What Is Cybersecurity?

“The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.”

Source: ISACA, Cybersecurity Fundamentals Glossary, ISACA, USA, 2016

Page 13: Cybersecurity and Other Security Domains

(Diagram; labels: Cyber Crime, Cyber Safety)

Page 14: Situational Awareness

(Diagram: cybersecurity professionals combine knowledge of information threats with an understanding of the organizational environment.)

Page 15: Technological Factors Impacting Security

Level of IT complexity
Network connectivity (internal, third party, public)
Specialist industry devices/instrumentation
Platforms, applications and tools used
On-premise, cloud or hybrid systems
Operational support for security
User community and capabilities
New or emerging security tools

Page 16: Business-related Factors Impacting Security

Nature of the business
Risk tolerance and appetite
Security mission, vision and strategy
Industry alignment and security trends
Compliance requirements and regulations
Mergers, acquisitions and partnerships
Outsourcing of services or providers

Page 17: Topic 2: Difference Between Information Security and Cybersecurity

Page 18: Information Security vs. Cybersecurity

Information Security
Focus: Protection of information, regardless of format, including:
• Paper documents
• Digital and intellectual property
• Verbal or visual communications

Cybersecurity
Focus: Protection of digital assets, including:
• Network hardware
• Software
• Information processed and stored in isolated or networked systems

Page 19: Protecting Digital Assets

Identify: Use organizational understanding to minimize risk to systems, assets, data and capabilities.
Protect: Design safeguards to limit the impact of potential events on critical services and infrastructure.
Detect: Implement activities to identify the occurrence of a cybersecurity event.
Respond: Take appropriate action after learning of a security event.
Recover: Plan for resilience and the timely repair of compromised capabilities and services.

Page 20: Topic 3: Cybersecurity Objectives

Page 21: Key Information Security Concepts

CONFIDENTIALITY: The protection of information from unauthorized disclosure
INTEGRITY: The accuracy and completeness of information in accordance with business values and expectations
AVAILABILITY: The ability to access information and resources required by the business process

Page 22: Loss Consequences and Preservation Methods

CONFIDENTIALITY: The protection of information from unauthorized disclosure

LOSS CONSEQUENCES INCLUDE:
• Disclosure of information protected by privacy laws
• Loss of public confidence
• Loss of competitive advantage
• Legal action against the enterprise
• Interference with national security
• Loss of compliance

PRESERVATION METHODS INCLUDE:
• Access controls
• File permissions
• Encryption

Page 23: Loss Consequences and Preservation Methods

INTEGRITY: The accuracy and completeness of information in accordance with business values and expectations

LOSS CONSEQUENCES INCLUDE:
• Inaccuracy
• Erroneous decisions
• Fraud
• Failure of hardware
• Loss of compliance

PRESERVATION METHODS INCLUDE:
• Access controls
• Logging
• Digital signatures
• Hashes
• Backups
• Encryption
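Two of the preservation methods above, hashes and logging, reinforce each other when every log record commits to the hash of the record before it. The following is an added illustration, not material from the ISACA course: a hash-chained transaction log whose verifier reports the first entry where an alteration or a deletion breaks the chain. Record layout, field names and the sample transactions are constructed for this example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used for the first record


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so equal records always hash equally
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(log, record):
    """Append a record, binding it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify_log(log):
    """Walk the chain; return (True, None) if intact, else (False, first bad index)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_sample_log():
    # Constructed sample transactions for illustration only
    log = []
    for rec in (
        {"txn": 1, "user": "alice", "action": "transfer", "amount": 100},
        {"txn": 2, "user": "bob", "action": "transfer", "amount": 250},
        {"txn": 3, "user": "carol", "action": "refund", "amount": 40},
    ):
        append_record(log, rec)
    return log


def tampered_copy(log, index, new_amount, recompute_hash=False):
    """Copy of the log with one record's amount altered.
    With recompute_hash=True the tamperer also fixes that entry's own hash;
    the next entry's 'prev' field still exposes the change."""
    t = copy.deepcopy(log)
    t[index]["record"]["amount"] = new_amount
    if recompute_hash:
        t[index]["hash"] = _digest(t[index]["prev"], t[index]["record"])
    return t


def deleted_copy(log, index):
    """Copy of the log with one entry silently removed."""
    t = copy.deepcopy(log)
    del t[index]
    return t
```

The chain makes tampering evident, not impossible: someone who can rewrite the whole file can recompute every hash, so the newest hash should also be anchored somewhere the log writer cannot change (a write-once store, or a digital signature over it).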

Page 24: Loss Consequences and Preservation Methods

AVAILABILITY: The ability to access information and resources required by the business process

LOSS CONSEQUENCES INCLUDE:
• Loss of functionality and operational effectiveness
• Loss of productive time
• Fines from regulators or a lawsuit
• Interference with enterprise’s objectives
• Loss of compliance

PRESERVATION METHODS INCLUDE:
• Redundancy of network, system, data
• Highly available system architectures
• Data replication
• Backups
• Access controls
• A well-designed disaster recovery plan or business continuity plan

Page 25: Non-repudiation

Non-repudiation refers to the concept of ensuring that a message or other information is genuine.

In cybersecurity, information received must be verified as coming from the actual sending source indicated.

It is also important that neither sender nor receiver can later deny that they sent or received the information.

Non-repudiation is implemented through digital signatures and transactional logs.

Page 26: Topic 4: Cybersecurity Roles

Page 27: Cybersecurity Roles

BOARD OF DIRECTORS
Identifies key assets and verifies that protection levels and priorities are appropriate

EXECUTIVE COMMITTEE
Sets the tone for cybersecurity management and ensures that necessary functions, resources and infrastructure are available and properly utilized

SECURITY MANAGEMENT
Develops security and risk mitigation strategies, implements security programs and manages incidents and remediation

CYBERSECURITY PRACTITIONERS
Design, implement and manage processes and technical controls and respond to events and incidents

Page 28: Topic 5: Cybersecurity Domains

Page 29: Cybersecurity Domains

Cybersecurity Concepts
Security Architecture Principles
Security of Networks, Systems, Applications and Data
Incident Response
Security Implications and Adoption of Evolving Technology

Page 30: Section 1: Cybersecurity Introduction and Overview (Review Questions)

Page 31: Review Question

Who is responsible to design, implement and manage processes and technical controls and respond to events and incidents?

A. Board of Directors
B. Security Management
C. Executive Committee
D. Cybersecurity Practitioners

Page 32: Review Question

Which of the following are the parts of the NIST framework?

A. Identify, Control, Respond, Recover, Report
B. Identify, Mitigate, Protect, Respond, Recover
C. Control, Mitigate, Deter, Respond, Report
D. Identify, Protect, Detect, Respond, Recover

Page 33: Review Question

Which of the following best defines cybersecurity?

A. The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.
B. A device, such as a firewall, used to protect an organization from cyber attacks.

Page 34: Review Question

Which of the following statements about confidentiality is true?

A. Confidentiality is the protection of information from unauthorized access or disclosure.
B. Confidentiality is the protection of information from unauthorized modification.
C. Confidentiality ensures the timely and reliable access to and use of information and systems.

Page 35: Review Question

Which of the following is (are) skill(s) that cybersecurity professionals should have?

A. Critical electronic data processes
B. Signal processing
C. Risk analytics
D. Information system security
E. All the above

Page 36: Section Summary

You should now be able to:

• Define the key concepts, roles and domains of cybersecurity.

Page 37: Section 2: Cybersecurity Concepts

Page 38: Topics Covered in This Section

1. Risk management terms, concepts and frameworks
2. Common attack types and vectors
3. General process and attributes of cyberattacks
4. Malware
5. Framework and guidance for policies and procedures
6. Cybersecurity control processes

Page 39: Section Objectives

Upon completing this section you will be able to:

• Define risk management terms, concepts and frameworks.
• Identify common attack types and vectors.
• Define the framework and guidance for policies and procedures.
• Identify cybersecurity control processes.

Page 40: Topic 1: Risk

Page 41: Why a Risk-oriented Approach?

Assessing risk is one of the most critical functions of a cybersecurity organization.

Using a risk-based approach to cybersecurity allows informed decision-making, better protection, and effective application of budgets and resources.

Page 42: Approaches to Cybersecurity Risk

Ad hoc
This approach simply implements security with no particular rationale or criteria. It may be driven by vendor marketing, or reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.

Compliance-based
Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.

Risk-based
This approach relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs. The risk-based approach is usually scenario-based.

Page 43: Key Terms and Definitions

To understand risk and a risk-oriented approach, these key concepts are important:

• Asset
• Threat Event
• Threat Source
• Vulnerability
• Inherent Risk
• Residual Risk

Page 44: Understanding Likelihood

Likelihood (or “probability”) is a measure of the frequency of an event’s occurrence.

Calculations of likelihood:

• Depend on whether there is a potential threat and the extent to which the particular type of event can affect its target (vulnerability).
• Take into account any controls or countermeasures that the organization has put in place to reduce its vulnerability.
• Are used to calculate the risk that an organization faces based on the number of events that may occur within a given time period.
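The three bullets above can be turned into a small scenario calculation using the key terms from the previous slide (asset, threat source, threat event, vulnerability, inherent risk, residual risk). This is an added example and not an ISACA method: the formula (expected events per year × impact, with each control independently reducing the success rate) and every number in the sample scenario are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of attempts the control stops (0..1)


@dataclass
class RiskScenario:
    asset: str
    threat_source: str
    threat_event: str
    vulnerability: str
    attempts_per_year: float    # how often the threat source is expected to try
    exploit_probability: float  # chance an attempt succeeds via the vulnerability, uncontrolled
    impact: float               # loss per successful event, in currency units (assumed)
    controls: List[Control] = field(default_factory=list)

    def inherent_likelihood(self) -> float:
        """Expected successful events per year before any controls."""
        return self.attempts_per_year * self.exploit_probability

    def residual_likelihood(self) -> float:
        """Expected successful events per year after the controls.
        Controls are assumed independent: each lets (1 - effectiveness) through."""
        rate = self.inherent_likelihood()
        for c in self.controls:
            rate *= 1.0 - c.effectiveness
        return rate

    def inherent_risk(self) -> float:
        return self.inherent_likelihood() * self.impact

    def residual_risk(self) -> float:
        return self.residual_likelihood() * self.impact

    def within_tolerance(self, tolerance: float) -> bool:
        """Risk-based approach: compare residual risk with the enterprise's risk tolerance."""
        return self.residual_risk() <= tolerance


def sample_scenario() -> RiskScenario:
    # Constructed illustrative figures, not measurements from any organization
    return RiskScenario(
        asset="Customer database",
        threat_source="External attacker",
        threat_event="Credential stuffing against the administration portal",
        vulnerability="Portal reachable from the Internet with password-only login",
        attempts_per_year=12.0,
        exploit_probability=0.25,
        impact=200_000.0,
        controls=[Control("Multi-factor authentication", 0.9), Control("Rate limiting", 0.5)],
    )
```

With the sample figures, inherent risk is 3 successful events a year (600 000 in expected loss) and residual risk drops to 0.15 events a year (30 000), which is the number a risk-based programme compares against its tolerance.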

Page 45: Framing Risk Management

(Figure: generic risk model with key risk factors.)

Source: “Generic Risk Model with Key Risk Factors,” National Institute of Standards and Technology (NIST), Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, USA, September 2012

Page 46: Risk Scenario

A risk scenario is a description of a possible event whose occurrence will have an uncertain impact on the achievement of the enterprise’s objectives, which may be positive or negative.

Page 47: Influencing Risk Factors

Page 48: Third-party Risk

Cybersecurity can be more difficult to control when third parties are involved, because different entities have different security cultures and risk tolerances.

Outsourcing and mergers and acquisitions can introduce security challenges. These arrangements can present risk that may be difficult to quantify and potentially difficult to mitigate.

Security strategy should consider all third-party arrangements with care to ensure alignment with internal cybersecurity standards.

Page 49: Topic 2: Common Attack Types and Vectors

Page 50: Common Threat Agents

(Figure of common threat agents.) Source: Marinos, Louis, A. Belmonte, E. Rekleitis, “ENISA Threat Landscape 2015,” ENISA, January 2016, Greece

Page 51: Attack Attributes

An attack is an activity by a threat agent (or adversary) against an asset.

There are two attack vectors: ingress and egress.

• Ingress attacks focus on intrusion or hacking into systems.
• Egress attacks are designed to remove data from systems and networks.

It is important to consider both attack vectors.

Page 52: Threat Process

Page 53: Non-adversarial Threat Events

Some threat events are not the result of adversarial activity.

Common non-adversarial threat events include:

• Mishandling of critical or sensitive information by authorized users
• Incorrect privilege settings
• Fire, flood, hurricane, windstorm or earthquake at primary or backup facilities
• Introduction of vulnerabilities into software products
• Pervasive disk errors or other problems caused by aging equipment

Page 54: Malware and Attack Types

Virus
Worm
Trojan horse
Botnet
Spyware
Adware
Ransomware
Keylogger
Rootkit
APT
Backdoor
Brute force
XSS
DoS
Man-in-the-middle
Phishing
Spoofing
SQL injection
Zero-day exploit
Buffer overflow
Social engineering

Page 55: Cyber Question

Kaptoxa was an example of what type of attack?

A. SQL Injection
B. APT
C. Malware
D. Buffer overflow
E. DoS

Page 56: Topic 3: Policies and Procedures

Page 57: Information Security Policies

Information security policies are a primary element of cybersecurity and overall security governance. These policies:

• Specify requirements
• Define the roles and responsibilities within the organization
• Outline expected behaviors in various situations

Because of their importance, these policies must be properly created, accepted and validated by the board and senior management before being communicated throughout the organization.

Page 58: Policy Life Cycle

Each information security policy should be part of a formal policy life cycle process.

(Diagram, annual cycle: Create, Review, Update, Approve)

Page 59: Compliance Document Types

Type: Description
Policies: Communicate required and prohibited activities and behaviors
Standards: Interpret policies in specific situations
Procedures: Provide details on how to comply with policies and standards
Guidelines: Provide general guidance on issues such as “what to do in particular circumstances.” These are not requirements to be met, but are strongly recommended.

Page 60: COBIT 5 Information Security Policy Set

Page 61: Types of Security Policies

Access Control Policy
Personnel Information Security Policy
Security Incident Response Policy

Page 62: Access Control Policy

The access control policy provides proper access to internal and external stakeholders to accomplish business goals.

It should ensure that emergency access is appropriately permitted and revoked in a timely manner.

The policy is meant for all business units, vendors and third parties, and should cover at least the following topics:

• Physical and logical access provisioning life cycle
• Least privilege/need to know
• Segregation of duties
• Emergency access

Page 63: Personnel Information Security Policy

The personnel information security policy objective incorporates, but is not limited to, the following actions:

• Regular background checks of all employees and people at key positions
• Acquisition of information about key personnel in information security positions
• Development of a succession plan for all key information security positions
• Definition and implementation of appropriate procedures for termination, including procedures for revoking account privileges and access

Page 64: Security Incident Response Policy

This policy addresses the need to respond to cybersecurity incidents in a timely manner in order to recover business activities. The policy should include:

• Information security incident definitions
• Statement of how incidents will be handled
• Requirements for the establishment of the incident response team, with organizational roles and responsibilities
• Requirements for the creation of a tested incident response plan

Page 65: Cyber Question

MyDoom is an example of what type of attack?

A. Virus
B. Trojan horse
C. APT
D. Phishing
E. Social engineering

Page 66: Topic 4: Cybersecurity Controls

Page 67: Controls

Identity Management
Provisioning and Deprovisioning
Authorization and Access Restrictions
Access Control Lists
Access Lists
Change Management
Privileged User Management
Configuration Management
Patch Management

Page 68: Identity Management

Identity management includes many components, such as:

• Directory services
• Authentication services
• Authorization services
• User-management capabilities

Page 69: Provisioning and Deprovisioning

User management requires the provisioning and deprovisioning of passwords and access control rights.

Provisioning occurs when a new user is created, either through hiring or based on shifting job requirements.

Deprovisioning occurs when a user leaves the organization.

This can be complicated, as users may need access to a variety of resources, each of which has its own unique access controls.

Page 70: Authorization and Access Restrictions

The authorization process used for access control requires that the system be able to identify and differentiate among users.

Access should be granted on a least privilege basis and can be set at various levels, including:

• Read, inquire or copy only
• Write, create, update or delete only
• Execute only
• A combination of the above

Page 71: Access Control Lists

To provide security authorizations for files and facilities, logical access control mechanisms use access authorization tables, referred to as access control lists (ACLs) or access control tables.

ACLs refer to a register of:

• Users (including groups, machines and processes) who have permission to use a particular system resource

• The types of access permitted

ACLs vary in their capability and flexibility, and care is required to ensure that user access is appropriate for each user's current role.
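An added example, not part of the ISACA course material, showing an ACL as the slides describe it (a register of subjects and the access types each is permitted) with a default-deny check and the role review the last sentence calls for. All subjects, roles and the payroll-db resource are constructed.

```python
"""Least-privilege authorization check against an access control list (ACL).

Added example, not course material. It models the slide's register of
subjects (users, groups, machines, processes) and access types (read/inquire/
copy, write/create/update/delete, execute, or a combination), plus the review
that flags access not appropriate for a subject's current role. All subjects,
roles and the payroll-db resource are constructed sample data.
"""
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "read", "write", "execute"
ALL_PERMS = {READ, WRITE, EXECUTE}

# The slide groups operations into three access types; map each operation to its type.
OPERATIONS = {
    "read": READ, "inquire": READ, "copy": READ,
    "write": WRITE, "create": WRITE, "update": WRITE, "delete": WRITE,
    "execute": EXECUTE,
}


@dataclass
class Subject:
    name: str
    kind: str                      # "user", "group", "machine" or "process"
    groups: set = field(default_factory=set)


@dataclass
class AclEntry:
    subject: str                   # a subject name or a group name
    perms: set


class ResourceAcl:
    """The ACL for one system resource: who may use it and with which access types."""

    def __init__(self, resource, entries):
        for e in entries:
            if not e.perms <= ALL_PERMS:
                raise ValueError(f"unknown permission in entry for {e.subject}")
        self.resource = resource
        self.entries = entries

    def effective_perms(self, subject):
        """Union of access granted directly and through group membership."""
        perms = set()
        for e in self.entries:
            if e.subject == subject.name or e.subject in subject.groups:
                perms |= e.perms
        return perms

    def is_allowed(self, subject, operation):
        """Default deny: unknown operations and ungranted access types are refused."""
        needed = OPERATIONS.get(operation)
        return needed is not None and needed in self.effective_perms(subject)


# What each role legitimately needs; anything beyond this violates least privilege.
ROLE_BASELINE = {"analyst": {READ}, "developer": {READ, WRITE}, "batch-job": {EXECUTE}}


def review_acl(acl, subjects, role_of):
    """Access review: (subject, excess permissions) for grants beyond the role baseline."""
    findings = []
    for s in subjects:
        excess = acl.effective_perms(s) - ROLE_BASELINE.get(role_of.get(s.name), set())
        if excess:
            findings.append((s.name, excess))
    return findings


# Constructed sample data.
alice = Subject("alice", "user", groups={"analysts"})
bob = Subject("bob", "user", groups={"developers"})
nightly = Subject("nightly-etl", "process")
ROLES = {"alice": "analyst", "bob": "developer", "nightly-etl": "batch-job"}

PAYROLL_ACL = ResourceAcl("payroll-db", [
    AclEntry("analysts", {READ}),
    AclEntry("developers", {READ, WRITE}),
    AclEntry("bob", {EXECUTE}),        # stale grant left over from bob's previous role
    AclEntry("nightly-etl", {EXECUTE}),
])


def demo():
    """Run the checks the slides describe and return the outcomes."""
    return {
        "alice_copy": PAYROLL_ACL.is_allowed(alice, "copy"),        # True
        "alice_delete": PAYROLL_ACL.is_allowed(alice, "delete"),    # False
        "job_execute": PAYROLL_ACL.is_allowed(nightly, "execute"),  # True
        "review": review_acl(PAYROLL_ACL, [alice, bob, nightly], ROLES),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```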

Page 72: Access Lists

Access lists filter traffic at network interfaces based on specified criteria, providing basic network security.

When access lists are not present, network devices pass all packets.

After an access list is created and applied to an interface, it passes only traffic permitted by its rules.

Understanding the placement and impact of an access list is essential for the cybersecurity practitioner, as errors may stop network traffic.
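An added example, not from the course, of the access-list behaviour described above, with a lint pass for the kind of placement error that stops traffic. The rule syntax is a simplified, vendor-neutral model, and all addresses are constructed from documentation ranges.

```python
"""Access list evaluation at a network interface.

Added example, not course material. It models the slide's two behaviours (no
list applied: pass everything; list applied: first matching rule decides and
unmatched traffic is dropped) and lints for placement errors that stop traffic.
Rules and packets are constructed; addresses are from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # destination port; 0 for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # protocol name or "any"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    dport: int = 0   # 0 matches any destination port

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and _in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)
                and self.dport in (0, pkt.dport))


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


class Interface:
    def __init__(self, name, inbound=None):
        self.name = name
        self.inbound = inbound  # None: no access list applied to this interface

    def forward(self, pkt):
        """No list: pass all packets. List applied: first match wins, implicit deny."""
        if self.inbound is None:
            return True
        for rule in self.inbound:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False


def lint_acl(rules):
    """Flag rules shadowed by an earlier, broader rule and lists that permit nothing."""
    problems = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if (earlier.proto in ("any", later.proto) and earlier.dport in (0, later.dport)
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)):
                problems.append(f"rule {i} ({later.action}) is never reached: "
                                f"shadowed by rule {j} ({earlier.action})")
                break
    if not any(r.action == "permit" for r in rules):
        problems.append("no permit rule: the list drops all traffic on the interface")
    return problems


# Constructed DMZ web server list: HTTPS from anywhere, SSH only from the admin subnet.
DMZ_IN = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "10.10.0.0/24", "203.0.113.10/32", 22),
    Rule("deny", "any", "any", "any"),
]
# Constructed misordered list: the broad deny comes first and shadows the permit.
BROKEN_IN = [
    Rule("deny", "any", "any", "any"),
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
]

web_https = Packet("198.51.100.7", "203.0.113.10", "tcp", 443)
outsider_ssh = Packet("198.51.100.7", "203.0.113.10", "tcp", 22)
admin_ssh = Packet("10.10.0.5", "203.0.113.10", "tcp", 22)

if __name__ == "__main__":
    print(Interface("eth0").forward(outsider_ssh))           # True: no list, passes everything
    print(Interface("eth0", DMZ_IN).forward(web_https))      # True
    print(Interface("eth0", DMZ_IN).forward(outsider_ssh))   # False: denied
    print(Interface("eth0", BROKEN_IN).forward(web_https))   # False: permit is shadowed
    print(lint_acl(BROKEN_IN))
```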

Page 73: Change Management

[Figure: change management cycle. At the center: People, Processes, Tools. Stages: Assess, Design, Implement, Manage Change, Evaluate.]

Page 74: Privileged User Management

Common controls for privileged user management include:

• Background checks for elevated access

• Additional activity logging

• Use of stronger passwords

• Regular review and/or removal of privileges

Page 75: Configuration Management

Configuration management focuses on maintaining the security of IT resources.

The security benefits of implementing a configuration management process include:

• Verification of the impact on related items

• Assessment of risk related to a proposed change

• Ability to inspect different lines of defense for potential weaknesses

• Tracking of configuration items against approved secure baselines

• Insights into investigations after a security breach or operations disruption

• Version control and production authorization of hardware and software components

Page 76: Patch Management

Software patches are solutions to programming errors, some of which may introduce security vulnerabilities.

Software vendors release regular software updates and patches as vulnerabilities are identified and repaired.

As such, patching is an important part of vulnerability management.

Organizations must set up processes to identify patches that are relevant to their IT infrastructure.

Once a necessary patch is identified, it should be tested to ensure it does not negatively impact operations.

After this verification, patching can be scheduled and the update installed where appropriate.

Page 77: Section 2: Cybersecurity Concepts - Review Question

Page 78: Review Question

Which of the following is a description of a possible event whose occurrence will have an uncertain impact on the achievement of the enterprise’s objectives, which may be positive or negative?

A. Malicious

B. Risk Scenario

C. Advanced persistent threat

D. Brute force attack

Page 79: Review Question

Patches are solutions to software programming and coding errors.

A. True

B. False

Page 80: Review Question

Access should be granted on a least privilege basis and can be set at various levels, including which of the following?

A. Read, inquire or copy only

B. Write, create, update or delete only

C. Execute only

D. A combination of the above

E. All the above

Page 81: Review Question

Background checks for elevated access, additional activity logging, the use of stronger passwords, and regular review and/or removal of privileges best describe which of the following?

A. Patch Management

B. Privileged User Management

C. Access Controls

D. Configuration Management

Page 82: Section Summary

You should now be able to:

• Define risk management terms, concepts and frameworks.

• Identify common attack types and vectors.

• Define the framework and guidance for policies and procedures.

• Identify cybersecurity control processes.

Page 83: Section 3: Security Architecture

Page 84: Topics Covered in This Section

1. Overview of security architecture

2. The OSI model

3. Defense in depth

4. Information flow control

5. Isolation and segmentation

6. Logging, monitoring and detection

7. Encryption fundamentals, techniques and applications

Page 85: Section Objectives

Upon completing this section you will be able to:

• Identify the various types of cybersecurity architecture.

• Define the OSI Model.

• Explain how various defense strategies work to control flow, segment the network and log, monitor and detect attacks.

• Outline encryption fundamentals, techniques and applications.

Page 86: Topic 1: Overview of Security Architecture

Page 87: Security Architecture

Security architecture describes the structure, components, connections and layout of security controls within an organization’s IT infrastructure.

An organization’s security architecture determines the particulars of its various subsystems, products and applications.

These particulars will, in turn, influence the organization’s approach to defense in depth, the practice of layering defenses to provide added protection.

Security architecture shows:

• How defense in depth is implemented

• How layers of control are linked

Page 88: Models of Cybersecurity

System- or network-centric models

• Focus on placing controls at the network and system levels

• Protect information stored within the perimeter of the network or system

Data-centric model

• Focuses on protecting data regardless of where it is stored

• Allows for application of controls without a clearly defined border

Page 89: The Security Perimeter

Many current security controls and architectures were developed around the concept of a perimeter.

This perimeter is a well-defined, mostly virtual boundary between the organization and the outside world.

With the advent of the Internet, outsourcing, mobile devices, cloud and other hosted services, the security perimeter has expanded.

This means significant new risks and vulnerabilities are present in the environment.

Page 90: The Internet Perimeter

The Internet perimeter is an important component of the security perimeter.

It ensures secure access to the Internet for enterprise employees and guest users, both on site and in remote locations.

Page 91: Internet Perimeter Functions

To provide security for email, front-end mobile and web apps, and the domain name system (DNS), the Internet perimeter should:

• Route traffic between the enterprise and the Internet

• Prevent executable files from being transferred through email attachments or web browsing

• Monitor internal and external network ports for rogue activity

• Detect and block traffic from infected internal endpoints

• Control user traffic bound toward the Internet

• Identify and block anomalous traffic and malicious packets recognized as potential attacks

• Eliminate threats such as email spam, viruses and worms

• Enforce filtering policies to block access to web sites containing malware or questionable content

Page 92: Network Security

The perimeter should also provide protection for virtual private networks (VPNs), wide area networks (WANs) and wireless local area networks (WLANs).

For VPNs, the protection must:

• Terminate encrypted VPN traffic initiated by remote users

• Provide a hub for terminating encrypted VPN traffic from remote sites and organizations

• Provide a hub for terminating traditional dial-in users

Page 93: Interdependencies

Modern IT architectures are usually decentralized and deperimeterized, increasing security risk across several fronts, including:

• Cloud-based platforms and services

• Smart and mobile devices

• Third-party products and services

• Weak and unsecured parts of the IT architecture

This interdependent environment means control has been reduced—a change with important impacts on security architecture.

Page 94: Models of Security Architecture

Models of security architecture typically fall into two categories, as follows:

Process Model

• More directive in its approach

• Describes elements in terms of the processes used for them

Framework Model

• Allows flexibility in how each element of the architecture is developed

• Describes these elements, and how they relate to one another

Page 95: Zachman and SABSA Framework

The Zachman framework, shared by the Sherwood Applied Business Security Architecture (SABSA), is one approach to security architecture.

This framework develops a who, what, where, when and how matrix that:

• Shows aspects of the enterprise that can be described or modeled

• Analyzes these from various viewpoints

Page 96: Cyber Question

Stuxnet is a computer worm that was used to target which of the following?

A. SCADA systems

B. Government and financial institutions

C. Cloud data centers

D. Mobile devices

Page 97: Topic 2: The OSI Model

Page 98: The Open Systems Interconnection (OSI) Model

The OSI model groups the functionality required for networked computers into layers, described as follows:

1. Physical layer—Manages signals among network systems

2. Data link layer—Divides data into frames that can be transmitted by the physical layer

3. Network layer—Translates network addresses and routes data from sender to receiver

4. Transport layer—Ensures that data are transferred reliably in the correct sequence

5. Session layer—Coordinates and manages user connections

6. Presentation layer—Formats, encrypts and compresses data

7. Application layer—Mediates between software applications and other layers of network services

Page 99: TCP/IP Protocol Suite

The TCP/IP suite is used as the de facto standard for the Internet. This protocol suite:

• Includes both network-oriented protocols and application support protocols

• Operates at Layer 3 and Layer 4 of the OSI model

• Currently has two versions of IP that operate at Layer 3:

  o IPv4—The fourth revision of IP and the most commonly used to connect devices to the Internet

  o IPv6—The newest version of IP, designed to allow for Internet growth

Page 100: Topic 3: Defense in Depth

Page 101: Defense in Depth

The layering of defenses is known as defense in depth, protection in depth or security in depth.

Multiple control layers provide:

• Multiple opportunities for monitoring to detect the attack

• Additional controls the attacker must overcome, which creates a delay that may interrupt or prevent the attack

It is often important to use several controls to protect an asset, and the number and types of layers needed is a function of such things as:

• Asset value and criticality

• The reliability of each control

• The degree of exposure

Page 102: An Architectural Perspective

Defense in depth may also be viewed in terms of architecture:

• Horizontal defense in depth

  o Controls are placed in various places in the path of access for an asset

• Vertical defense in depth

  o Controls are placed at different system layers

  o These layers include hardware, operating system, application, database or user levels

Page 103: Defense in Depth Implementations

When developing defense-in-depth implementations, consider the following questions:

• What vulnerabilities are addressed by each layer or control?

• How does each layer mitigate the vulnerability?

• How does each control interact with or depend on the other controls?

Page 104: Topic 4: Information Flow Control

Page 105: Firewalls

A firewall is a system or combination of systems that enforces a boundary between two or more networks.

It typically forms a barrier between a secure and an open environment such as the Internet, applying rules to control the type of network traffic flowing in and out.

Most commercial firewalls are built to handle commonly used Internet protocols.

Page 106: Firewall Technologies

• Packet Filters

• Stateful Inspection

• Application Proxy

• Next Generation Firewall

Page 107: Web Application Firewalls (WAF)

A web application firewall (WAF) is a server plug-in, appliance or additional filter that can be used to apply rules to a specific web application (usually to an HTTP conversation).

The WAF operates at higher levels of the OSI model, generally at Layer 7.

In contrast, network firewalls operate at Layer 3 or Layer 4.

A WAF may be customized to identify and block many types of attacks, but customization requires effort.

When changes to the application are made, the WAF rules need changes as well.

Page 108: Topic 5: Isolation and Segmentation

Page 109: Isolation and Segmentation

A common technique for implementing network security is to segment an organization’s network.

Each segment may then be separately controlled, monitored and protected.

Virtual local area networks (VLANs) are groups of devices on one or more logically segmented LANs. A VLAN configuration usually has these features:

• No additional encryption

• Set up by configuring ports on a switch

• Set up based on logical rather than physical connections

Page 110: Isolation and Segmentation

Separate zones allow the application of controls at a more granular level, supporting defense in depth.

Page 111: Topic 6: Logging, Monitoring and Detection

Page 112: Integral Components of Cybersecurity

Monitoring, detection and logging are integral parts of cybersecurity.

Attacks and data loss represent potential issues on both sides, so it is necessary to monitor data and information flowing into and out of an organization.

A number of methods and tools can be used to detect and log potential problems.

Most of these methods revolve around the central concepts of ingress, egress and data loss prevention.

Page 113: Logging

A log is a record of events that occur within the systems and networks of an organization.

• Logs are one of the most valuable tools for monitoring controls and detecting risk, but they are often underutilized.

A log should contain a record of all important events that occur on a system, such as:

• Time of the event

• Changes to permissions

• System startup or shutdown

• Login or logout

• Changes to data

• Errors or violations

• Job failures

A failure to review the logs can result in the organization not being aware of an ongoing attack.

Page 114: SEM and SIEM Systems

The use of a variety of security tools and platforms can create a high volume of incoming security-related data, which must be analyzed and interpreted in order to be useful.

Security event management (SEM) systems aid in reducing the resulting overload.

The SEM automatically aggregates and correlates security event log data across multiple security devices.

Security information and event management (SIEM) systems combine SEM capabilities with the historical analysis and reporting features of security information management (SIM) systems.
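An added example, not from the course, that runs the log review from the Logging slide and the SEM aggregation and correlation from this slide over constructed log lines from two devices. The log formats, device names and event type names are invented for the example; a real SEM parses each vendor's own format.

```python
"""Log review and cross-device correlation, in the style of the slides' SEM.

Added example, not course material. Both log formats and every line below are
constructed for illustration; a real SEM parses each vendor's own format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two devices, each in a different format.
VPN_LOG = """\
2024-03-04T08:00:01Z vpn-gw auth FAIL user=jdoe src=198.51.100.23
2024-03-04T08:00:04Z vpn-gw auth FAIL user=jdoe src=198.51.100.23
2024-03-04T08:00:07Z vpn-gw auth FAIL user=jdoe src=198.51.100.23
2024-03-04T08:00:09Z vpn-gw auth FAIL user=jdoe src=198.51.100.23
2024-03-04T08:00:15Z vpn-gw auth OK user=jdoe src=198.51.100.23
2024-03-04T08:30:00Z vpn-gw auth OK user=asmith src=203.0.113.9
"""
FILESRV_LOG = """\
Mar  4 08:02:10 filesrv01 acl: user=jdoe changed permissions on /finance/payroll.xlsx
Mar  4 08:02:31 filesrv01 access: user=jdoe read /finance/payroll.xlsx
Mar  4 09:10:00 filesrv01 cron: job backup-nightly FAILED exit=2
"""

VPN_RE = re.compile(r"^(\S+) (\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")
FILE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+): (?:user=(\S+) )?(.*)$")
# Map file-server facilities to the event types the Logging slide lists.
FILE_TYPES = {"acl": "permission_change", "access": "data_access"}


def parse_vpn(text):
    """Normalize VPN gateway lines into login_failed / login_ok events."""
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            yield {"time": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                   "device": m.group(2), "user": m.group(4), "src": m.group(5),
                   "type": "login_failed" if m.group(3) == "FAIL" else "login_ok"}


def parse_filesrv(text, year=2024):
    """Normalize syslog-style file server lines (no year in the timestamp) into events."""
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        facility, user, rest = m.group(3), m.group(4), m.group(5)
        if facility == "cron":
            etype = "job_failure" if "FAILED" in rest else "job_ok"
        else:
            etype = FILE_TYPES.get(facility, "other")
        yield {"time": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
               "device": m.group(2), "user": user, "src": None, "type": etype, "detail": rest}


def aggregate(*sources):
    """SEM step 1: merge events from all devices into one time-ordered stream."""
    events = [e for src in sources for e in src]
    return sorted(events, key=lambda e: e["time"])


def summarize(events):
    """Log review: count event types (the things the Logging slide says a log records)."""
    return Counter(e["type"] for e in events)


def correlate(events, fail_threshold=3, window=timedelta(minutes=10)):
    """SEM step 2: correlate across devices. Alert when a user logs in after at least
    fail_threshold failures and then changes permissions elsewhere within window."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"]:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        fails, success = 0, None
        for e in evs:
            if e["type"] == "login_failed":
                fails += 1
            elif e["type"] == "login_ok":
                success = e if fails >= fail_threshold else None
                fails = 0
            elif e["type"] == "permission_change" and success and e["time"] - success["time"] <= window:
                alerts.append({"user": user, "src": success["src"], "login_device": success["device"],
                               "change_device": e["device"], "detail": e["detail"]})
                success = None
    return alerts


EVENTS = aggregate(parse_vpn(VPN_LOG), parse_filesrv(FILESRV_LOG))
ALERTS = correlate(EVENTS)

if __name__ == "__main__":
    print(summarize(EVENTS))
    for a in ALERTS:
        print("ALERT:", a)
```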

Page 115: Ingress and Egress

There are two types of attack vectors: ingress and egress.

[Figure: traffic flow between the organization and the Internet, with inbound traffic labeled Ingress and outbound traffic labeled Egress.]

Page 116: Data Loss Prevention Software

Strong Data Loss Prevention (DLP) solutions cover three primary states of information:

• Data at rest refers to stored data. DLP solutions must be able to log where various file types are stored.

• Data in transit refers to data traveling through the network. Deep packet inspection (DPI) is used to analyze the data for sensitive content.

• Data in use refers to data movement at the user workstation level. This includes information sent to printers, thumb drives and the copy-and-paste clipboard.

Page 117: Cyber Question

NASA was hacked in 1999 using what method?

A. SQL Injection

B. APT

C. Back door

D. Buffer overflow

E. DoS

Page 118: Antivirus and Anti-malware

Malicious software is one of the most common attack vectors used by adversaries to compromise systems.

Controls are required for its detection and prevention.

Virus and malware intrusions can be controlled through a variety of mechanisms. These include:

• Restriction of outbound traffic

• Policies and awareness training

• Multiple layers of anti-malware software

Page 119: Intrusion Detection Systems

An intrusion detection system (IDS) complements a firewall implementation by working in conjunction with routers and firewalls to monitor anomalies in network usage.

An IDS operates continuously on the system.

It runs in the background and notifies administrators when a perceived threat is detected.

Page 120: IDS Categories

Network-based IDS

• Identifies attacks within the monitored network and issues a warning to the operator

• Detects attack attempts

• Not a substitute for a firewall, but rather a complement

Host-based IDS

• Configured for a specific environment

• Monitors internal operating system resources to warn of attacks

• Can detect the modification of executable programs and deletion of files

• Issues a warning if a privileged command is attempted

Page 121: Intrusion Prevention Systems

An intrusion prevention system (IPS) is similar to an IDS, but it detects attacks and prevents damage to the intended victim/host.

An IPS is active; in contrast, an IDS is passive.

The presence of an IPS:

• Limits damage or disruption to systems that are attacked

• Must be properly configured to be effective

Page 122: Topic 7: Encryption Fundamentals, Techniques and Applications

Page 123: Encryption

Encryption is the process of converting a plaintext message into a secure-coded form of text called ciphertext.

Ciphertext cannot be understood without being converted back to plaintext.

The decryption process is the reverse of encryption.

Both are done via a mathematical function and a special encryption/decryption password called the key.

Page 124: Key Elements of Cryptographic Systems

Key elements of cryptographic systems include:

• Encryption algorithm – A mathematically based function or calculation that encrypts or decrypts data

• Encryption key – A piece of information, similar to a password, that makes the encryption or decryption process unique

• Key length – A predetermined length for the key

  o The longer the key, the more difficult it is to compromise

Page 125: Types of Cryptographic Systems

Symmetric Key Systems

• Use single, secret bidirectional keys that encrypt and decrypt

• Include DES, AES and Triple DES/DES3

Asymmetric Key Systems

• Use pairs of unidirectional, complementary keys that only encrypt or decrypt

• One key is secret; the other is publicly known

• Include RSA, ECC

Page 126: Symmetric Cryptography

Page 127: Symmetric Cryptography Advantages and Disadvantages

Advantages

• One key is used for both encryption and decryption

• Less complicated and uses less processing power than asymmetric techniques

• Ideally suited for bulk data encryption

Disadvantages

• Difficult to distribute keys, particularly in e-commerce environments where customers are unknown, untrusted entities

• Carry the limitations of a shared secret; for example, a symmetric key cannot be used to sign electronic documents

Page 128: Asymmetric Key Encryption

In the asymmetric encryption process, two keys work together as a pair.

One key is used to encrypt data; the other is used to decrypt data.

Either key can be used to encrypt or decrypt, but once one key has been used to encrypt data, only its partner can be used to decrypt the data.

This process solves the problem of delivering single symmetric keys to two people who do not know each other but who want to exchange information securely.

Page 129: Authentication and Non-repudiation

With asymmetric encryption, one key—the secret or private key—is known only to one person.

The other key—the public key—is known by many people.

A message that has been sent encrypted by the secret (private) key of the sender can be deciphered by anyone with the corresponding public key.

This forms the basis of authentication and non-repudiation because the sender cannot later claim that he or she did not generate the message.

If the public key deciphers the message satisfactorily, one can be sure of the origin of the message because only the sender (owner of the corresponding private key) could have encrypted the message.

Page 130: Authentication and Confidentiality

A message that has been sent encrypted using the public key of the receiver may be generated by anyone, but it can only be read by the receiver.

This is one basis of confidentiality.

In theory, a message that has been encrypted twice, first by the sender’s secret key and second by the receiver’s public key, achieves both authentication and confidentiality objectives.

This is not commonly used because it could generate performance issues, being computationally intensive and slower than symmetric algorithm solutions.

Page 131: Asymmetric Algorithms for Symmetric Cryptography

Page 132: Digital Signature

A digital signature is an electronic identification of a person or entity created by using a public key algorithm. This cryptographic method ensures:

• Data integrity—Any change to the plaintext message would result in the recipient failing to compute the same message hash.

• Authentication—The recipient can ensure that the message has been sent by the claimed sender, since only the claimed sender has the secret key.

• Non-repudiation—The claimed sender cannot later deny generating and sending the message.

A cryptographic hashing algorithm computes a checksum over the entire message or electronic document, generating a small, fixed-length string.

This process creates a message digest, which is a compact representation derived from the original message.

Common types of message digest algorithms are SHA-256 and SHA-512.

These are one-way functions, and the process of creating message digests cannot be reversed.


The next step binds the digest to the sender: the message digest is signed with the sender's private key (in textbook RSA this is often described as "encrypting" the digest with the private key).

The document is then "signed" with the sender's digital signature for message authenticity.

The receiver checks the signature with the sender's public key; a valid result proves that the signature could only have been produced by the holder of the matching private key.

The sender cannot later claim that they did not generate the message.

The receiver also recomputes the hash over the received document, using the same hashing algorithm.

Comparing this hash with the digest protected by the signature ensures the integrity of the message: if even one bit of the document changed in transit, the two will not match.

Message Integrity

133


Password cracking is an example of what type of attack?

A. SQL injection

B. Worm

C. Malware

D. Brute force attack

E. DoS

Cyber Question

134


The use of cryptosystems by applications, for example in email and Internet transactions, generally involves a combination of private/public key pairs, secret (symmetric) keys, hash functions and digital certificates.

The purpose of applying these combinations is to achieve confidentiality, message integrity or non-repudiation by either the sender or the recipient.

The process generally involves the sender hashing the message into a message digest (a pre-hash code) for message integrity, then signing that digest with the sender's private key for authenticity, integrity and non-repudiation. Confidentiality, when required, is added by encrypting the message with a symmetric key that is itself encrypted with the recipient's public key.

Applications of Cryptographic Systems

135
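The sign-then-encrypt process described on the last few slides (hash, sign the digest with the sender's private key, encrypt for the receiver) together with the "asymmetric algorithms for symmetric cryptography" idea of using the receiver's public key only to protect a symmetric session key, as one added Go example. This is the editor's illustration, not ISACA course code. It uses only Go's standard library, and the choice of RSA-PSS for the signature, RSA-OAEP for key wrapping, AES-GCM for the body, 2048-bit keys and the sample message are assumptions the slides do not make.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedMessage is the plaintext plus the RSA-PSS signature over its SHA-256 digest.
type SignedMessage struct{ Plaintext, Signature []byte }

// Envelope is the hybrid ciphertext: a fresh AES key wrapped with the receiver's public
// key (RSA-OAEP) plus the AES-GCM encryption of signature||plaintext under that key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// GenerateKey makes a 2048-bit RSA key pair (one each for sender and receiver).
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign hashes the message and signs the digest with the sender's private key: the
// "encrypt the digest with the private key" step of the slides, done with RSA-PSS.
func Sign(sender *rsa.PrivateKey, msg []byte) (SignedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	return SignedMessage{Plaintext: msg, Signature: sig}, err
}

// Verify recomputes the digest and checks the signature with the sender's public key;
// a changed plaintext, a changed signature or the wrong public key all yield false.
func Verify(sender *rsa.PublicKey, sm SignedMessage) bool {
	digest := sha256.Sum256(sm.Plaintext)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sm.Signature, nil) == nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal adds confidentiality. The slow public key operation runs once, on a 32-byte
// session key; the body is encrypted symmetrically, which is why "encrypt the whole
// message twice with RSA" is not done in practice.
func Seal(receiver *rsa.PublicKey, sm SignedMessage) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The signature length is fixed (the modulus size), so a plain prefix is unambiguous.
	body := append(append([]byte{}, sm.Signature...), sm.Plaintext...)
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open unwraps the session key with the receiver's private key, decrypts, then verifies
// the sender's signature. It fails closed on a tampered ciphertext, the wrong receiver
// key, or a signature that does not match the claimed sender.
func Open(receiver *rsa.PrivateKey, sender *rsa.PublicKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	if len(body) < sender.Size() {
		return nil, errors.New("decrypted body shorter than a signature")
	}
	sm := SignedMessage{Signature: body[:sender.Size()], Plaintext: body[sender.Size():]}
	if !Verify(sender, sm) {
		return nil, errors.New("signature verification failed")
	}
	return sm.Plaintext, nil
}

func main() {
	sender, _ := GenerateKey()
	receiver, _ := GenerateKey()
	sm, _ := Sign(sender, []byte("Approve payment to supplier")) // constructed sample
	env, _ := Seal(&receiver.PublicKey, sm)
	out, err := Open(receiver, &sender.PublicKey, env)
	fmt.Printf("recovered %q, err=%v\n", out, err)
}
```

Open fails closed whenever the sealed data, the receiver key or the claimed sender do not match, which is exactly the integrity, confidentiality and authentication properties the slides list; note that the signature is computed over the plaintext and then encrypted, so an eavesdropper learns neither the message nor who signed it.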


Public key infrastructure (PKI) allows a trusted third party to issue, maintain and revoke public key certificates.

ELEMENTS OF PKI

• Digital certificates: A digital certificate is composed of a public key and identifying information about the owner of the public key, together with a validity period, the permitted key usages and the digital signature of the issuing CA. That signature is what allows a relying party to trust the binding between the key and the identity.

• Registration Authority (RA): An RA is an authority in a network that verifies user requests for a digital certificate and tells the CA to issue it.

• Certificate Authority (CA): The CA is an authority in a network that issues and manages security credentials and public keys for message signature verification or encryption.

Public Key Infrastructure

136


PROTOCOL (LAYER): FUNCTION

HTTPS (application layer)

• Transmits messages securely by establishing a TLS connection

• Directs messages to the secure port (443 by default) instead of the default web port (80)

IPSec (network layer)

• Establishes VPNs via transport-mode and tunnel-mode encryption

• Establishes security associations to define the security parameters between communicating parties

SSH (application layer)

• A client-server program that opens a secure, encrypted command-line shell session for remote logon

• Authenticates the server to the client by its host key and the client by password or public key; it does not rely on X.509 certificates

S/MIME (application layer)

• A standard secure email protocol

• Digitally signs messages (including attachments) to authenticate the sender and protect their integrity, and encrypts them to the recipient's public key for confidentiality

SET (application layer)

• Secures payment transactions using third parties and digital signatures

• As an open system specification, requires a PKI; SET is now obsolete and no longer deployed

Other Protocols

137


Encryption is an effective and increasingly practical way to restrict access to confidential information while in storage.

Encryption can protect data from hackers who, by means of malicious software, obtain systems administration rights, but only if the decryption keys are not available to the compromised system. Full-disk encryption on a running machine, for example, transparently decrypts data for any process with sufficient privileges, so an attacker holding administrative rights reads it as easily as the legitimate user does.

It also helps to protect data when a computer or a disk falls into the wrong hands, which is the case full-disk encryption is designed for.

Many email encryption programs can also be applied to stored data.

Encryption of Stored Data

138


The security of encryption methods relies mainly on the secrecy of keys.

In general, the more a key is used, the more vulnerable it will be to compromise, so keys should be rotated and long-lived data re-encrypted under fresh keys.

The randomness of key generation is also a significant factor in the ability to compromise a key; keys must come from a cryptographically secure random number generator.

When passwords are tied into key generation, the effective strength of the derived key is no greater than the unpredictability of the password, regardless of the algorithm's nominal key length, and it is sharply diminished when common words are used. Password-based keys should therefore be derived with a salted, deliberately slow key derivation function so that each guess costs the attacker real work.

It is essential that effective password syntax rules are applied and easily guessed passwords are prohibited.

Encryption Risk and Key Protection

139
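The point about passwords tied into key generation, as an added Go example (the editor's own, not part of the course). It implements PBKDF2-HMAC-SHA-256 from RFC 8018 in a few lines so that the iteration count is visible, then runs the kind of dictionary attack the "password cracking" question refers to against a key derived from a common word. The wordlist, salt, iteration count and passphrases are constructed for the demo; real attacks use wordlists of millions of entries, and production code should call a vetted library rather than this hand-written KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PBKDF2SHA256 derives keyLen bytes from a password and salt (RFC 8018, HMAC-SHA-256).
// Written out so the cost parameter is visible; production code should use a vetted
// library implementation.
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		// U_1 = PRF(password, salt || INT(block)), with a big-endian block counter
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		// T = U_1 xor U_2 xor ... xor U_c; every iteration costs one HMAC for
		// defender and attacker alike, which is the whole point of the parameter.
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DictionaryAttack models password cracking against a stored, password-derived key.
// Salt and iteration count are not secret, so the attacker reuses them and tries each
// candidate in turn; the work is iterations x wordlist size, independent of the cipher.
func DictionaryAttack(target, salt []byte, iterations int, wordlist []string) (string, bool) {
	for _, candidate := range wordlist {
		if hmac.Equal(PBKDF2SHA256([]byte(candidate), salt, iterations, len(target)), target) {
			return candidate, true
		}
	}
	return "", false
}

// RandomKey is what a key looks like when no password is involved: bytes from the
// operating system's CSPRNG, which no wordlist can cover.
func RandomKey(n int) ([]byte, error) {
	k := make([]byte, n)
	_, err := rand.Read(k)
	return k, err
}

func main() {
	salt, _ := RandomKey(16)
	const iterations = 10000 // kept low so the demo runs in well under a second
	// Constructed wordlist standing in for the multi-million-entry lists attackers use.
	wordlist := []string{"123456", "password", "qwerty", "sunshine", "letmein", "dragon"}

	weak := PBKDF2SHA256([]byte("sunshine"), salt, iterations, 32)
	if pw, ok := DictionaryAttack(weak, salt, iterations, wordlist); ok {
		fmt.Println("common-word password recovered:", pw)
	}
	strong := PBKDF2SHA256([]byte("Tulip&Harbour!Cinnamon-88"), salt, iterations, 32) // constructed passphrase
	_, ok := DictionaryAttack(strong, salt, iterations, wordlist)
	fmt.Println("passphrase found in wordlist:", ok)
}
```

The salt does nothing against guessing a single password; it stops one precomputed table from being reused across every user. What raises the per-guess cost is the iteration count, and a 256-bit AES key derived from "sunshine" is still only as strong as the word "sunshine".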


Section 3: Security Architecture – Review Questions


A web-server building block in which it is exactly specified how a web server should be deployed and which processes are and are not allowed within that block is an example of which of the following?

A. Process Model

B. Framework Model

Review Question

141


This layer of the OSI model manages signals among network systems.

A. Physical layer

B. Data link layer

C. Network layer

D. Transport layer

E. Session layer

F. Presentation layer

G. Application layer

Review Question

142


The number of layers needed for defense in depth is a function of which of the following?

A. Asset value, criticality, reliability of each control,

and degree of exposure.

B. Threat agents, governance, compliance and

mobile defense policy.

C. Network configuration, navigation controls, user

interface and VPN traffic.

D. Isolation, segmentation, internal controls and

external controls.

Review Question

143


Which of the following is (are) true about VLANs?

A. Made up of groups of devices on one or more logically segmented LANs

B. Provide no additional encryption

C. Set up by configuring ports on a switch

D. Set up based on logical rather than physical connections

E. All the above

Review Question

144


Which of the following is (are) true about encryption?

A. The more a key is used, the more vulnerable it will be

to compromise.

B. The randomness of key generation is also a

significant factor in the ability to compromise a key.

C. When passwords are tied into key generation, the

strength of the encryption algorithm is diminished,

particularly when common words are used.

D. It is essential that effective password syntax rules are

applied and easily guessed passwords are prohibited.

E. All the above

Review Question

145


You should now be able to:

• Identify the various types of cybersecurity

architecture.

• Define the OSI Model.

• Explain how various defense strategies work

to control flow, segment the network and log,

monitor and detect attacks.

• Outline encryption fundamentals, techniques

and applications.

Section Summary

146


Email Scenario – Group Activity


Tricia, who works for ACME Corp, is checking her email at work. While checking her email she opens a message from a known sender.

She opens the attachment from the cloud because it is a known and trusted sender. Soon others in her department are receiving an email from her containing the same information.

Scenario

148

(Screenshot of the email as received, showing the sender's name, Eva, and the attachment link)


What type of attack did Tricia encounter?

Why doesn’t the email get marked as spam?

How can this type of attack be controlled?

Discussion

149


Section 4: Security of Networks, Systems, Applications and Data


1. Process controls, including:

• Risk assessments

• Vulnerability management

• Penetration testing

2. Network security

3. Operating system security

4. Application security

5. Data security

Topics Covered in this Section

151


Upon completing this section you will be able to:

• Determine, assess and respond to risk and

vulnerabilities on the network through

penetration testing.

• Identify key aspects and associated risks of securing data, applications, operating systems and the network.

Section Objectives

152


Topic 1: Process Controls – Risk Assessment


Risk assessment is a process used to identify and evaluate risk and its potential effects. It involves three inputs:

• Asset assessment

• Threat assessment

• Vulnerability assessment

Risk Assessment

154

(Diagram: risk shown as the intersection of assets (criticality, value), threats (adversary characteristics, attacks and exploits, likelihood, impact) and vulnerability (existing controls, access). Source: Encurve, LLC, Risk Management Concepts Presentation, 2013)


Source: ISACA, COBIT 5 for Risk, 2013

Risk Management

155


ORIENTATION: DESCRIPTION

• Asset: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.

• Threat: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.

• Vulnerability: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.

Risk Assessment Orientations

156


Choosing the exact method of analysis, including qualitative or quantitative approaches, and determining the analysis orientation takes considerable planning and knowledge of specific risk assessment methodologies.

To be successful, the risk assessment process should:

• Fit the goals of the organization

• Adequately address the environment being assessed

• Use assessment methodologies that fit the collected data

It is important to remember that risk assessment is an ongoing process, not a one-time exercise.

Risk Assessment Success Criteria

157


• Risk reduction: Implementation of controls or countermeasures to reduce the likelihood or impact of risk to acceptable levels

• Risk avoidance: Avoid the risk by not participating in an activity or business

• Risk transfer or sharing: Transfer the risk to a third party (e.g., insurance) or share it with a third party via contractual agreement

• Risk acceptance: Assume the risk and absorb losses if the risk is within tolerance or the cost of mitigation exceeds the potential loss

Risk Response Strategies

158


Risk assessment results are used for a variety of security management functions. They should be evaluated in terms of the organization's mission, risk tolerance, budgets and other resources, and cost of mitigation.

Based on this evaluation, a mitigation strategy can be chosen for each risk and appropriate controls and countermeasures can be designed and implemented.

Results can be used to communicate the risk decisions and expectations of management throughout the organization through policies and procedures.

They can also be used to identify areas in which incident response capabilities need to be developed.

Using the Results of the Risk Assessment

159


Topic 2: Process Controls – Vulnerability Management


Organizations must identify and assess vulnerabilities to determine the threat and

potential impact they present.

Vulnerability assessment aids in determining the best course of action in

addressing each vulnerability.

Vulnerabilities may be identified by information provided by software vendors

(e.g., through the release of patches and updates) and by utilizing tools that

identify vulnerabilities in the organization’s specific environment.

Vulnerability management starts by understanding the IT assets and where they

reside—both physically and logically.

Vulnerability management also includes tracking vulnerabilities and the

remediation efforts to mitigate them.

Vulnerability Management

161


Vulnerability scans should be conducted regularly.

Vulnerability scanning is the process of using proprietary or open source tools to search for known vulnerabilities.

Often the same tools used by adversaries to identify vulnerabilities are used proactively by organizations to locate vulnerabilities before the adversary does.

There are many forms of vulnerability assessment tools. A scanner reports only the vulnerabilities it has checks for, and an authenticated (credentialed) scan typically sees far more than an unauthenticated one.

Tools should be researched and selected based on corporate needs and return on investment.

Note that combinations of tools often provide greater insight into your network's security posture.

Vulnerability Scans

162


The simplest definition of a vulnerability is "an exploitable weakness that results in a loss."

TYPE: CAUSE (CYBERSECURITY EXAMPLES)

• Technical: Errors in design, implementation, placement or configuration (coding errors, inadequate passwords, open network ports, lack of monitoring)

• Process: Errors in operation (failure to monitor logs, failure to patch software)

• Organizational: Errors in management, decision-making, planning or ignorance (lack of policies, lack of awareness, failure to implement controls)

• Emergent: Interactions between, or changes in, environments (cross-organizational failures, interoperability errors, implementing new technology)

Common Types of Vulnerabilities

163


Vulnerabilities must be analyzed in the context of how they are exploited.

The method used to take advantage of a vulnerability is called an exploit.

Both vulnerabilities and exploits need to be considered in vulnerability

assessments.

Once vulnerabilities are identified and assessed, appropriate remediation can

take place to mitigate or eliminate the vulnerability.

Remediation may be through a patch management process or require

reconfiguration of existing controls or addition of new controls.

Vulnerability Assessment

164


Password cracking is an example of what type of attack?

A. SQL injection

B. Worm

C. Malware

D. Brute force attack

E. DoS

Cyber Question

165


Topic 3: Process Controls – Penetration Testing


Penetration testing uses common exploit methods to:

• Confirm exposures

• Ensure compliance

• Assess the effectiveness and quality of existing security controls

• Identify how specific vulnerabilities expose IT resources and assets

Penetration Testing

167


Before conducting a penetration test:

• Clearly define the scope of the test.

• Obtain explicit, written permission from the system owner authorizing the testing.

• Implement "do no harm" procedures to ensure no assets are harmed (e.g., deletions, denial-of-service).

• Have communication and escalation plans.

Testing Guidelines

168


Penetration testing should use a framework to deliver repeatability, consistency

and high quality in various kinds of security tests. These frameworks include:

• PCI Penetration Testing Guide—Provides a good introduction to testing tools

• Penetration Testing Execution Standard—Provides hands-on technical guidance on

penetration testing

• Penetration Testing Framework—Provides a comprehensive guide to penetration

testing and testing tools

• Information Systems Security Assessment Framework (ISSAF)—Provides comprehensive technical guidance on penetration testing

• Open Source Security Testing Methodology Manual (OSSTMM) —Provides a

methodology for testing operational security and can support ISO 27001

Penetration Testing Frameworks

169


Phases of a Penetration Test

170


Attack Phase

171


Topic 4: Network Security


Network management is the process of assessing, monitoring and maintaining

network devices and connections.

The recommended functions of network management include:

• Fault management—Detection, isolation, notification and correction of faults

encountered in the network

• Configuration management—Configuration file management, inventory management

and software management

• Accounting management—Usage information regarding network resources

• Performance management—Monitoring and measurement of various aspects of performance metrics so that acceptable performance can be maintained

• Security management—Provision of access to network devices and corporate

resources to authorized individuals

Network Management

173


A local area network (LAN) covers a small, local area—from a few devices in a

single room to a network across a few buildings.

As LANs get larger and traffic increases, the requirement to carefully plan the

logical configuration of the network becomes more important.

Tracking traffic volumes, error rates and response times is as important on larger

LANs as it is on distributed servers and mainframes.

Local Area Networks

174


Components commonly associated with LANs include:

• Repeaters—Physical layer devices that extend the range of a network or connect two

separate network segments together.

• Hubs—Physical layer devices that serve as the center of a star-topology network or a

network concentrator.

• Layer 2 switches—Layer 2 switches are data link-level devices that can divide and

interconnect network segments and help to reduce collision domains in Ethernet-based

networks.

• Routers—OSI network layer devices that link two or more physically separated and

independent network segments.

LAN Components

175


Layer 3 and 4 switches—Layer 3 switches act at the network layer; Layer 4 switches additionally read transport layer (TCP/UDP) information.

• A Layer 3 switch looks at an incoming packet's network protocol and compares the destination IP address to the list of addresses in its tables, actively calculating the best way to send the packet to its destination. This creates a "virtual circuit."

• A Layer 4 switch allows for policy-based switching. With this functionality, the switch can off-load a server by balancing traffic across a cluster of servers, based on individual session information and status.

Layer 4–7 switches—Also known as content switches, content services switches, web switches or application switches, these are typically used for load balancing among groups of servers.

LAN Components (Cont’d)

176


Both local area and wide area networks are susceptible to people- and virus-related threats because of the large number of individuals who have access rights.

Fortunately, newer versions of network software have significantly more control and administration capabilities, as software vendors have recognized the need to provide capabilities to identify the cause of network outages or dysfunction.

Network access control (NAC) aims to control access to a network using policies that describe the conditions a device must meet (e.g., patch level, endpoint protection status) when it first tries to connect to a network node.

Some NAC features include:

• Integrating an automatic remediation process that fixes noncompliant nodes before access is allowed

• Enabling network infrastructure to work with back office services and end-user computing to ensure that the connecting device is compliant prior to allowing access

LAN and WAN Security

177


Risk associated with the use of LANs includes:

• Loss of data through unauthorized changes

• Lack of current data protection through inability to maintain version control

• Exposure to external activity through limited user verification

• Virus and worm infection

• Improper disclosure of data because of general access

• Violating software licenses

• Illegal access by impersonating legitimate users

• Internal users sniffing

• Internal users spoofing

• Destruction of logging and auditing data

LAN Risk

178


Commonly available network security administrative capabilities include:

• Declaring ownership of programs, files and storage

• Limiting access to a read-only basis

• Implementing record and file locking to prevent simultaneous update

• Enforcing user ID/password sign-on procedures, including rules relating to password

length, format and change frequency

• Using switches to implement port security policies

• Encrypting local traffic using IPSec (IP security) protocol

LAN Security Provisions

179


Wireless technologies use radio frequency transmissions or electromagnetic signals through free space as the means for transmitting data.

Wireless technologies range from complex systems to simple devices and include wireless local area networks (WLAN).

WLAN technologies conform to a variety of standards and offer varying levels of security features.

The principal advantage of these standards is to encourage mass production and allow products to interoperate across vendors.

The most widely used standard currently is IEEE 802.11.

• 802.11 refers to a family of specifications for WLAN technology, defining an over-the-air interface between a wireless client and a base station or between two wireless clients.

Wireless Technologies

180


Wireless data transmission is subject to a higher risk of interception than wired traffic.

There is no need to physically tap into the connection; an attacker within radio range can capture the traffic covertly with readily available tools.

As a result, wireless transmission of confidential information should be protected with strong encryption.

IEEE 802.11's Wired Equivalent Privacy (WEP) encryption uses a symmetric key shared by every station on the network.

The end user's radio-based network interface controller (NIC) and the access point must have the same key.

Most often, these keys remain unchanged on networks for extended periods.

With static keys, several freely available tools break WEP in minutes. The weakness lies in WEP's design (a short initialization vector reused with the RC4 stream cipher), not only in key management, so rotating the key does not make WEP safe; it should not be used at all.

Wireless Network Protections

181


Which of the following is good advice to prevent socially engineered attacks?

A. Do not open any emails from untrusted sources

B. Install anti-virus software

C. Lock your laptop

D. All the above

Cyber Question

182


The most commonly used methods for wireless local area networks are IEEE 802.11i (WPA2) and its predecessor Wi-Fi Protected Access (WPA).

These use dynamic, per-session keys and can use an authentication server (802.1X with RADIUS) and individual credentials to increase protection against hackers.

WPA and WPA2 (preferred; WPA's TKIP cipher is deprecated, and WPA3 supersedes both where the equipment supports it) are applicable to most wireless networks and commonly used in networks that involve PCs.

Messages transmitted using portable wireless devices should also be protected with encryption and, where possible, VPN methods can be used to provide additional security.

Evolving Wireless Security Standards

183


When using the Internet communications protocol, Transmission Control Protocol/Internet Protocol

(TCP/IP), designating a port is the way a client program specifies a particular server program on a

computer in a network.

A port number is a way to identify the specific process to which an Internet or other network

message is to be forwarded when it arrives at a server.

These are assigned by the Internet Assigned Numbers Authority (IANA).

Allowable port numbers range from 0 to 65535. These are divided into three ranges, as follows:

• The well-known ports—0 through 1023: These can be used only by system (or root) processes

or by programs executed by privileged users.

• The registered ports—1024 through 49151: Can be used by ordinary user processes or

programs executed by ordinary users.

• The dynamic and/or private ports—49152 through 65535: Not listed by IANA because of their

dynamic nature.

Ports and Protocols

184

Commonly Exploited Ports and Services

PORT #      SERVICE                                     PROTOCOL
7           Echo                                        TCP/UDP
19          chargen                                     TCP
20-21       FTP (file transfer protocol)                TCP
23          Telnet (remote login)                       TCP
25          SMTP (simple mail transfer)                 TCP
43          Whois                                       TCP/UDP
53          DNS (domain name system)                    TCP
69          TFTP (trivial file transfer protocol)       UDP
79          Finger                                      TCP
80          HTTP-low                                    TCP
107         Rtelnet                                     TCP/UDP
110         POP3 (post office protocol)                 TCP
111/2049    SunRPC (remote procedure calls)             TCP/UDP
135-139     NBT (NetBIOS over TCP/IP)                   TCP/UDP
161, 162    SNMP (simple network management protocol)   UDP
512         Exec                                        UDP
513         Login                                       TCP
514         Shell                                       TCP/UDP
6000-xxx    X-Windows                                   TCP
8000        HTTP                                        TCP/UDP
8080        HTTP                                        TCP/UDP
31337       Back Orifice                                UDP
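The IANA port ranges and the table of commonly exploited services above, put to work as a defender's check: the added example below (not part of the course material) parses the table's port expressions, including the "111/2049", "161, 162" and open-ended "6000-xxx" forms, classifies ports by IANA range, and flags firewall "allow" rules that expose one of the listed services. The rule set, the 64-port width assumed for the open-ended X-Windows range, and the findings format are constructed for illustration.

```python
"""Parse the slide's port expressions, classify ports by IANA range and
review constructed firewall rules against the exploited-services table.
Added example; rows are transcribed from the slide, rules are constructed."""
import re

WELL_KNOWN_MAX = 1023      # 0-1023: well-known ports
REGISTERED_MAX = 49151     # 1024-49151: registered ports
PORT_MAX = 65535           # 49152-65535: dynamic/private ports

# (port expression, service, protocols) transcribed from the slide's table.
EXPLOITED_PORTS = [
    ("7", "Echo", "TCP/UDP"), ("19", "chargen", "TCP"), ("20-21", "FTP", "TCP"),
    ("23", "Telnet", "TCP"), ("25", "SMTP", "TCP"), ("43", "Whois", "TCP/UDP"),
    ("53", "DNS", "TCP"), ("69", "TFTP", "UDP"), ("79", "Finger", "TCP"),
    ("80", "HTTP-low", "TCP"), ("107", "Rtelnet", "TCP/UDP"), ("110", "POP3", "TCP"),
    ("111/2049", "SunRPC", "TCP/UDP"), ("135-139", "NBT", "TCP/UDP"),
    ("161, 162", "SNMP", "UDP"), ("512", "Exec", "UDP"), ("513", "Login", "TCP"),
    ("514", "Shell", "TCP/UDP"), ("6000-xxx", "X-Windows", "TCP"),
    ("8000", "HTTP", "TCP/UDP"), ("8080", "HTTP", "TCP/UDP"),
    ("31337", "Back Orifice", "UDP"),
]


def iana_range(port):
    """Name the IANA range a port number falls into."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError("port out of range: %d" % port)
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def expand_ports(expr, open_end_width=64):
    """Expand one table cell ("20-21", "111/2049", "161, 162", "6000-xxx").

    "xxx" marks an open-ended range on the slide; expanding it to
    open_end_width ports is an assumption made for this example.
    """
    ports = set()
    for part in re.split(r"[/,]", expr):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo)
            hi = lo + open_end_width - 1 if hi.strip().lower() == "xxx" else int(hi)
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def exploited_index():
    """Map (port, protocol) -> service for every entry in the table."""
    index = {}
    for expr, service, protos in EXPLOITED_PORTS:
        for port in expand_ports(expr):
            for proto in protos.split("/"):
                index[(port, proto)] = service
    return index


def review_rules(rules):
    """Flag 'allow' rules (action, port, protocol) that expose a listed service."""
    index = exploited_index()
    findings = []
    for action, port, proto in rules:
        service = index.get((port, proto.upper()))
        if action.lower() == "allow" and service:
            findings.append("%s/%d (%s, %s range) is exposed"
                            % (proto.upper(), port, service, iana_range(port)))
    return findings


if __name__ == "__main__":
    # Constructed sample rule set; not taken from any real device.
    sample = [("allow", 80, "tcp"), ("allow", 23, "tcp"), ("deny", 69, "udp"),
              ("allow", 31337, "udp"), ("allow", 6010, "tcp"), ("allow", 50000, "tcp")]
    for line in review_rules(sample):
        print(line)
```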

Tunneling

In tunneling, malicious insiders or outside hackers use the protocol as an established pathway, or tunnel, directing the exchange of information for malicious purposes.

Examples of types of tunneling include:

• ICMP tunneling—Used to bypass firewall rules through obfuscation of the actual traffic.

• HTTP tunneling—A technique by which communications performed using various network protocols are encapsulated using the HTTP protocol.
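From the defender's side, ICMP tunneling shows up as echo traffic that does not look like ordinary pings. The added example below (not from the course material) runs a simple heuristic over constructed flow records: echo requests normally carry a small, constant payload, so a source sending many echo requests with large or widely varying payloads is flagged for review. The log layout, thresholds and addresses are all assumptions made for this illustration.

```python
"""Heuristic ICMP-tunnel detection over constructed flow records.
Added example; log lines, field layout and thresholds are constructed."""
import csv
from collections import defaultdict
from io import StringIO
from statistics import mean, pstdev

# Constructed flow log: timestamp, source, destination, protocol,
# ICMP type (8 = echo request) and payload length in bytes.
SAMPLE_LOG = """\
ts,src,dst,proto,icmp_type,payload_len
1,10.0.0.5,8.8.8.8,icmp,8,56
2,10.0.0.5,8.8.8.8,icmp,8,56
3,10.0.0.5,8.8.8.8,icmp,8,56
4,10.0.0.9,203.0.113.7,icmp,8,1400
5,10.0.0.9,203.0.113.7,icmp,8,1388
6,10.0.0.9,203.0.113.7,icmp,8,1402
7,10.0.0.9,203.0.113.7,icmp,8,64
8,10.0.0.9,203.0.113.7,icmp,8,1395
9,10.0.0.9,203.0.113.7,icmp,8,1401
10,10.0.0.5,8.8.8.8,icmp,8,56
"""


def analyze_icmp(log_text, max_payload=128, min_packets=5, max_stdev=8.0):
    """Return {src: finding} for sources whose echo requests look like a
    data channel: large average payloads, or payload sizes that vary widely
    (a normal ping tool sends the same payload size every time)."""
    per_src = defaultdict(list)
    for row in csv.DictReader(StringIO(log_text)):
        if row["proto"] == "icmp" and row["icmp_type"] == "8":
            per_src[row["src"]].append(int(row["payload_len"]))

    findings = {}
    for src, sizes in per_src.items():
        if len(sizes) < min_packets:      # too few packets to judge
            continue
        avg, spread = mean(sizes), pstdev(sizes)
        reasons = []
        if avg > max_payload:
            reasons.append("average payload %.0f bytes" % avg)
        if spread > max_stdev:
            reasons.append("payload size varies (stdev %.0f)" % spread)
        if reasons:
            findings[src] = "%d echo requests; %s" % (len(sizes), ", ".join(reasons))
    return findings


if __name__ == "__main__":
    for src, why in analyze_icmp(SAMPLE_LOG).items():
        print(src, "->", why)
```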

VPN Tunneling

Tunneling transports higher-layer data over a VPN using Layer 2 protocols.

Common types of tunneling include:

• Point-to-point tunneling protocol (PPTP)—A Layer 2 protocol developed by Microsoft that encapsulates point-to-point protocol data. It is simple, but less secure than other tunneling protocols.

• Layer 2 tunneling protocol (L2TP)—A protocol that encapsulates point-to-point protocol data and is compatible among different manufacturers’ equipment.

• Secure Sockets Layer VPN—A form of Layer 3 VPN that can be used with a standard Web browser and uses transport layer security (TLS) protocols to encrypt traffic.

• IPSec VPN—IPSec VPNs protect Layer 2 and 3 IP packets between remote networks or hosts and an IPSec gateway/node located at the edge of a private network.

Voice Over Internet Protocol

Users often expect that all voice communications are confidential.

Any Voice Over Internet Protocol (VoIP) device is an IP device; therefore, it is vulnerable to the same types of attacks.

VoIP networks have a number of characteristics that make for special security requirements.

There is no scheduled downtime in telephony, and outages may result in massive, widespread customer panic or outrage.

There can also be disclosure of confidential information, leading to adverse effects.

Remote Access

Remote access connectivity to their information resources is required for many organizations for different types of users.

A variety of methods and procedures are available to satisfy an organization’s need for access, but these can introduce risk.

For example, using VPNs to allow remote access to their systems can create holes in an organization’s security infrastructure, and encrypted traffic can hide unauthorized actions or malicious software that can be transmitted through such channels.

• To reduce VPN access risks, architectural controls can be implemented to restrict remote access traffic to selected security-hardened and virus-protected systems, remote access portals and non-sensitive network segments.

Remote Access Risk

Remote access risk includes:

• Denial-of-service (DoS)

• Malicious third parties

• Misconfigured communications software

• Misconfigured devices on computing infrastructure

• Host systems not secured appropriately

• Physical security issues

Remote Access Controls

Remote access controls include:

• Policy and standards

• Proper authorizations

• Identification and authentication mechanisms

• Encryption tools and techniques, such as use of a VPN

• Restriction of access to controlled systems, networks and applications

Topic 5: Operating System Security

System Hardening Controls

System hardening is the process of implementing security controls on a computer system.

Most computer vendors set the default controls to be open, favoring ease of use over security.

Significant vulnerabilities may be present unless the system is hardened.

Common controls for system hardening include:

• Authentication and authorization

• File system permissions

• Access privileges

• Logging and system monitoring

• System services

Credentials and Privileges

A user’s credentials define who they are and what permissions they have to access resources within the system.

Passwords are the standard mechanism to authenticate a user to the system.

In another form of access limitation, privileges may be assigned to a particular user.

To prevent misuse or compromise, these must be carefully chosen and controlled.

User access may also be limited through logon constraints regarding time of day, logged-in duration, source address and number of unsuccessful logon attempts.
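The four logon constraints named above (time of day, logged-in duration, source address, unsuccessful attempts) as one small policy evaluator. This is an added example, not from the course material; the policy values, account state layout and the 10.0.0.0/8 source network are constructed for illustration.

```python
"""Logon-constraint evaluator for the four constraints on the slide.
Added example; policy values and addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class LogonPolicy:
    window_start: time            # earliest permitted logon time of day
    window_end: time              # latest permitted logon time of day
    max_session: timedelta        # re-authenticate after this logged-in duration
    allowed_sources: List[str]    # CIDR blocks a user may log on from
    max_failures: int             # consecutive failures before lockout
    lockout: timedelta            # how long a lockout lasts


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    session_started: Optional[datetime] = None


def evaluate_logon(policy: LogonPolicy, state: AccountState, when: datetime,
                   source_ip: str, password_ok: bool) -> Tuple[bool, str]:
    """Return (allowed, reason); updates the account state in place."""
    if state.locked_until is not None and when < state.locked_until:
        return False, "account locked"
    if not policy.window_start <= when.time() <= policy.window_end:
        return False, "outside permitted hours"
    addr = ip_address(source_ip)
    if not any(addr in ip_network(net) for net in policy.allowed_sources):
        return False, "source address not permitted"
    if not password_ok:
        state.failures += 1
        if state.failures >= policy.max_failures:
            state.locked_until = when + policy.lockout
            state.failures = 0
            return False, "too many failed attempts; account locked"
        return False, "bad credentials"
    state.failures = 0                # a good logon resets the failure count
    state.session_started = when
    return True, "ok"


def session_expired(policy: LogonPolicy, state: AccountState, now: datetime) -> bool:
    """True when a logged-in session has exceeded the permitted duration."""
    return (state.session_started is not None
            and now - state.session_started > policy.max_session)


if __name__ == "__main__":
    # Constructed policy: office hours, 8-hour sessions, internal network only,
    # lock for 15 minutes after 3 consecutive failures.
    policy = LogonPolicy(time(8, 0), time(18, 0), timedelta(hours=8),
                         ["10.0.0.0/8"], 3, timedelta(minutes=15))
    state = AccountState()
    t = datetime(2024, 1, 15, 9, 0)
    print(evaluate_logon(policy, state, t, "10.1.2.3", True))
    print(evaluate_logon(policy, state, t.replace(hour=22), "10.1.2.3", True))
```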

Platform Hardening

Hardening is a process that reduces vulnerability by limiting the attack vectors that might be used as points of compromise. A hardened system:

• Does not store sensitive data not immediately needed to support a business operation.

• Has all unnecessary functionality disabled, including ports, services and protocols that are not required for the intended use.

• Uses only passwords and accounts that have been changed or disabled. No default passwords or guest accounts are present.

Virtualization

Virtualization provides an enterprise with a significant opportunity to increase efficiency and decrease costs in its IT operations.

Advantages:

• Server hardware costs may decrease for server builds and maintenance.

• Multiple OSs can share processing capacity and storage space, reducing operating costs.

• The physical footprint of servers may decrease within the data center.

• A single host can have multiple versions of the same OS, or even different OSs.

• Creation of duplicate copies of guests in alternate locations can support business continuity efforts.

• A single machine can house a multitier network in an educational lab environment.

Disadvantages:

• Inadequate configuration of the host could create vulnerabilities that affect hosts and guests.

• Exploits of vulnerabilities or a denial of service attack could affect all of the host’s guests.

• A compromise of the management console could grant guests unapproved administrative access.

• Data could leak between guests if memory is not released and allocated properly by the host.

• Insecure remote access protocols could result in exposure of administrative credentials.

• Performance issues of the host’s own OS could impact each of the host’s guests.

Virtualization Risk

In a virtualized environment, the host represents a potential single point of failure within the system.

A successful attack on the host could result in a compromise that is larger in both scope and impact.

To address this risk, an enterprise can often implement and adapt the same principles and best practices for a virtualized server environment that it would use for a server farm. These include:

• Strong physical and logical access controls

• Sound configuration management practices and system hardening for the host

• Appropriate network segregation

• Strong change management practices

Specialized Systems

Some computer systems and applications are very specialized and may have unique threats and risk and require different types of controls.

Examples of specialized systems include supervisory control and data acquisition (SCADA) systems or other real-time monitoring or control systems.

These operate in specialized environments controlling critical industrial and manufacturing processes, power generation, air traffic control systems, and emergency communications and defense systems.

Security was not considered in many existing deployments of SCADA systems, and risk and threat assessment and appropriate mitigation is required.

Cyber Question

WannaCry is an example of what type of attack?

A. Trojan horse

B. APT

C. Ransomware

D. Phishing

E. Social engineering


Topic 6: Application Security

System Development Life Cycle (SDLC)

The SDLC process guides the phases of developing or acquiring a software system. It includes:

• IT processes for managing and controlling project activity

• An objective for each phase of the life cycle, typically described with key deliverables, a description of recommended tasks and a summary of related control objectives for effective management

• Incremental steps or deliverables that lay the foundation for the next phase

Security Within SDLC

Not considering security in the design of a system or application is a major contributing factor to cybersecurity vulnerabilities.

Security is often an afterthought, with controls retrofitted only after security weaknesses have been exposed.

Security and risk mitigation should be formal design criteria in any SDLC process, including:

• Threat and risk assessment of the proposed system

• Identification and implementation of controls

• Vulnerability testing and review

OWASP Top Ten Application Security Risks, 2017

1. Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. XML External Entities (XXE)

5. Broken Access Control

6. Security Misconfiguration

7. Cross-Site Scripting (XSS)

8. Insecure Deserialization

9. Using Components with Known Vulnerabilities

10. Insufficient Logging & Monitoring

SDLC Testing and Review Phases

The testing phase of SDLC includes:

• Verification and validation that programs, applications and controls perform the functions for which they have been designed.

• Confirmation that the tested units operate without malfunction or adverse effect on other components of the system.

• Vulnerability and control testing, taken from a security perspective.

The review phase of SDLC includes:

o Code review processes varying from informal processes to formal walk-throughs

o Team review or code inspections

Note that security should be an integrated part of any review process.

Development and Testing Environments

Separate development, testing and production environments should be used during SDLC to minimize a compromise or misconfiguration being introduced or cascading through the process.

Different access controls (credentials) should be used between these different environments.

Note that if production data are used in the test environment, private or personally identifiable information should be scrambled so that confidential information is not inadvertently disclosed.

Agile and DevOps Development Approaches

Agile allows software development projects to be built in a more flexible, iterative fashion.

This allows a quicker response to changes that occur during a project.

It also facilitates security testing at earlier stages in the development process.

Development and IT Operations (DevOps) combines the concepts of agile development, agile infrastructure and flexible operations.

DevOps breaks large projects into smaller and more manageable deliverables and multiple deployments.

These smaller deployments may be more easily debugged during the development process.

Additional Threats

Cybersecurity practitioners must be aware of a variety of security threats. In addition to those already discussed, be aware of the following threats:

• Covert channel—Transfers information between systems illicitly, using existing infrastructure

• Race condition—Accesses networks on an unauthorized basis, using operations processing vulnerabilities

• Return-oriented programming attack—Exploits memory corruption vulnerabilities

• Steganography—Conceals messages, images or files within another similar file

Wireless Application Protocol (WAP)

WAP protocols bring Internet content to wireless mobile devices.

WAP supports most wireless networks and is supported by all operating systems specifically engineered for handheld devices and some mobile phones.

These devices use displays and access the Internet through micro-browsers.

Micro-browsers have small file sizes that can accommodate the low-memory constraints of handheld devices and the low-bandwidth constraints of a wireless handheld network.

Topic 7: Data Security

Data Classification Process

Data Classification Requirements

When classifying data, the following requirements should be met:

• Access and authentication

• Privacy

• Availability

• Ownership and distribution

• Integrity

• Data retention

• Auditability

After data classification has been assigned, security controls can be established, including encryption, authentication and logging.

Security measures should increase as the level of data sensitivity or criticality increases.

Data Classification

It is important for an organization to understand the sensitivity of the information it possesses.

Data should be classified based on its sensitivity and the impact of unintended release or loss.

Data classification should be defined in a policy that provides definition of different classes of information and their handling and protection.

• Keep levels to a minimum.

• Keep level descriptions simple.

• Define levels in policy.

• Reclassify information as needed.

Database Controls

Databases can be individually protected with controls similar to the protections applied at the system level. Specific controls that can be placed at the database level include:

• Authentication and authorization access

• Access controls limiting or controlling the type of data that can be accessed and what types of accesses are allowed (read-only, read-and-write or delete)

• Logging and other transactional monitoring

• Encryption and integrity controls

• Backups

Database Vulnerabilities

Databases are vulnerable to many risks, including:

• Unauthorized activity by authorized users

• Malware infections or interactions

• Capacity issues

• Physical damage

• Design flaws

• Data corruption

Database Security

Database security may be increased through the following actions:

• Encryption of sensitive data in the database

• Use of database views to restrict information available to a user

• Secure protocols to communicate with the database

• Application of content-based access controls

• Restricting administrator-level access

• Efficient indexing to enhance data retrieval

• Backups of databases (shadowing, mirroring)

• Backups of transaction journals (remote journaling)

• Referential integrity

• Entity integrity

• Validation of input

• Defined data fields (schema)

• Layered network access restrictions or segregation
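Several of the database controls listed above, shown working together in an in-memory SQLite database: a defined schema with entity integrity (primary keys) and referential integrity (an enforced foreign key), a view that hides sensitive columns from ordinary users, and parameterized queries so that user input is treated as data rather than spliced into SQL. This is an added example, not from the course material; the tables, rows and placeholder identifiers are constructed.

```python
"""Schema integrity, restricted views and parameterized input in SQLite.
Added example; the schema and rows are constructed for illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE department (
    id   INTEGER PRIMARY KEY,          -- entity integrity: unique, non-null key
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    salary  INTEGER NOT NULL CHECK (salary >= 0),      -- defined field with a domain check
    ssn     TEXT NOT NULL,                             -- sensitive column
    dept_id INTEGER NOT NULL REFERENCES department(id) -- referential integrity
);
-- View exposing only non-sensitive columns; ordinary users query this, not employee.
CREATE VIEW employee_directory AS
    SELECT e.name AS name, d.name AS department
    FROM employee e JOIN department d ON d.id = e.dept_id;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (1, 'Finance')")
    # Constructed sample rows; the SSN values are placeholders, not real data.
    conn.executemany(
        "INSERT INTO employee (name, salary, ssn, dept_id) VALUES (?, ?, ?, ?)",
        [("Ada", 90000, "000-00-0001", 1), ("O'Brien", 70000, "000-00-0002", 1)])
    conn.commit()
    return conn


def directory_columns(conn):
    """Columns visible through the restricted view (no salary, no ssn)."""
    cur = conn.execute("SELECT * FROM employee_directory")
    return [d[0] for d in cur.description]


def find_employee(conn, name):
    """Parameterized lookup: the name is bound as a value, so a quote in the
    input (O'Brien) is matched literally instead of altering the statement."""
    cur = conn.execute(
        "SELECT name, department FROM employee_directory WHERE name = ?", (name,))
    return cur.fetchall()


def insert_employee(conn, name, salary, ssn, dept_id):
    """Insert through the schema's constraints; returns 'ok' or the rejection."""
    try:
        conn.execute(
            "INSERT INTO employee (name, salary, ssn, dept_id) VALUES (?, ?, ?, ?)",
            (name, salary, ssn, dept_id))
        conn.commit()
        return "ok"
    except sqlite3.IntegrityError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    db = open_db()
    print(directory_columns(db))
    print(find_employee(db, "O'Brien"))
    print(insert_employee(db, "Ghost", 1, "000-00-0003", 99))   # no such department
    print(insert_employee(db, "Neg", -5, "000-00-0004", 1))     # fails the CHECK
```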

Section 4: Security of Networks, Systems, Applications and Data

Review Questions

Review Question

Any change, error or interruption within an IT infrastructure is defined as:

A. A threat

B. An incident

C. An event

D. A vulnerability

Review Question

Which of the following is not a method of controlling risk for remote access?

A. Denial of Service (DoS)

B. Policy and standards

C. Proper authorizations

D. Identification and authentication mechanisms

E. Encryption tools and techniques, such as use of a VPN

F. Restriction of access to controlled systems, networks and applications

Review Question

Which type of vulnerability is a failure to monitor logs?

A. Process, related to errors in operation

B. Organizational, related to errors in decision-making

C. Emergent, relating to interactions between or changes in environments

D. Technical, related to errors in design, implementation or configuration

Review Question

What phase of the SDLC comes after planning?

A. System testing

B. System design

C. System maintenance

D. System analysis

Review Question

Which of the following is not true about platform hardening?

A. Does not store sensitive data not immediately needed to support a business operation.

B. Has all unnecessary functionality disabled, including ports, services and protocols that are not required for the intended use.

C. Uses only passwords and accounts that have been changed or disabled. No default passwords or guest accounts are present.

D. Provides an enterprise with a significant opportunity to increase efficiency and decrease costs in its IT operations.

Section Summary

You should now be able to:

• Determine, assess and respond to risk and vulnerabilities on the network through penetration testing.

• Identify key aspects and associated risks to securing data, applications, operating systems and the network.

Section 5: Incident Response

Topics Covered in this Section

1. Distinctions between events and incidents

2. Incident categories and types

3. Security event management

4. Key elements of incident response plans

5. Legal requirements of investigation and evidence preservation

6. Requirements for forensic investigations

7. Business continuity planning and disaster recovery

Section Objectives

Upon completing this section you will be able to:

• Define event and incident.

• Define incident response and handling methodologies.

• Identify the basic concepts, practices, tools, tactics, techniques and procedures for processing digital forensic data.

• Define business continuity plan.

Topic 1: Event vs. Incident

Types of Incidents

A cybersecurity incident is an adverse event that negatively impacts the confidentiality, integrity and availability of data.

The incident may be unintentional, such as someone forgetting to activate an access list in a router.

Or it may be intentional, such as a targeted attack by a hacker.

Events may also be classified as technical or physical.

Technical incidents include viruses, malware, denial-of-service (DoS) and system failure.

Physical incidents include social engineering and lost or stolen laptops or mobile devices.


Topic 2: Security Incident Response

Incident Response Phases

Incident response is a formal program that prepares an entity for an incident.

Incident response phases can be depicted as follows:

Incident Response Planning

Adequate incident response planning and implementation allows an organization to respond to an incident in a systematic manner.

Development of an incident response plan (IRP) aids in:

• Meeting compliance regulations (e.g., PCI, FDIC)

• Allowing the organization to respond to incidents in a systematic manner

• Improving response time and effectiveness

Preparing for an Incident

The IRP is the first step in incident response. During the preparation phase, the following should be completed:

• Establish an approach to handling incidents.

• Establish a policy and warning banners to deter intruders and allow information collection.

• Establish a communication plan with stakeholders.

• Develop incident reporting criteria.

• Develop a process to activate the incident management team.

• Establish a secure location to execute the incident response plan.

• Ensure availability of needed equipment.

Identifying an Incident

The next phase in incident response aims to verify if an incident has happened and to find out more details about the incident. Steps in this phase include:

• Assign ownership to an incident handler.

• Verify reports or events qualifying as incidents.

• Establish the chain of custody.

• Determine incident severity and escalate as necessary.

Containing an Incident

Actions taken in the containment phase of incident response work to limit exposure. These include:

• Activate incident management/response team and notify appropriate stakeholders.

• Obtain agreement on actions taken that may affect availability.

• Get IT representative and relevant virtual team members to implement containment procedures.

• Obtain and preserve evidence.

• Document actions.

• Control and manage communication to the public.

Eradicating the Root Cause

When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Actions in this phase include:

• Determine signs and cause of incidents.

• Locate the most recent version of backups or alternative solutions.

• Remove the root cause.

• Improve defenses by implementing protection techniques.

• Perform a vulnerability analysis.

Recovering From an Incident

This phase of incident response ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDO) or BCP. Activities include:

• Restore operations to normal.

• Verify that actions taken on restored systems were successful.

• Involve system owners in testing the system.

• Aid system owners in declaring normal operation.

Lessons Learned

As a final step in the incident response process, a report should be developed to share what has happened, what measures were taken and the results after the plan was executed. Activities related to this include:

• Analyze issues encountered during incident response efforts.

• Propose improvements.

• Present report to relevant stakeholders.

Page 237: Cybersecurity Fundamentals Course - ISACA Curacaoisacacuracao.com/wp-content/uploads/2019/01/CSX... · Understanding Likelihood 44. Source: “Generic Risk Model with Key Risk Factors,”

?

CoolWebSearch is an example of what kind of attack?

A. Trojan horse

B. Spyware

C. Ransomware

D. Phishing

E. Social engineering

Cyber Question

237

Page 238

Topic 3: Forensics

Page 239

Digital forensics can be defined as the “process of identifying, preserving,

analyzing and presenting digital evidence in a manner that is legally acceptable in

any legal proceedings (i.e., a court of law).”

Any electronic document or data can be used as digital evidence.

It must provide sufficient proof that the contents of digital evidence are in their

original state and have not been tampered with or modified during the process of

collection and analysis.

It is also important to demonstrate integrity and reliability of evidence for it to be

acceptable to law enforcement authorities.

Digital Forensics

239

Source: McKemmish, D. Rodney. Computer and Intrusion Forensics, Artech House, USA, 2003
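The integrity requirement on this slide is usually met by hashing the evidence at acquisition and re-hashing it before every later handling step, with each step logged. The following is an added example, not course material; the evidence file, identifiers and examiner names are constructed.

```python
"""Evidence integrity and chain of custody for a forensic acquisition.

Added example, not part of the ISACA course material. The collector hashes
the evidence at acquisition time and records who handled it and when; every
later examiner re-hashes the evidence before working on it. A hash mismatch
means the evidence can no longer be shown to be in its original state.
"""
import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


@dataclass(frozen=True)
class CustodyEntry:
    when: str      # UTC timestamp of the handling step
    who: str       # person who handled the evidence
    action: str    # acquired, verified before analysis, ...
    sha256: str    # digest observed at that step


@dataclass
class EvidenceRecord:
    evidence_id: str
    path: Path
    acquisition_hash: str
    chain: List[CustodyEntry] = field(default_factory=list)


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte image need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(evidence_id: str, path: Path, examiner: str) -> EvidenceRecord:
    """Record the acquisition hash; it is the reference for all later checks."""
    digest = sha256_file(path)
    record = EvidenceRecord(evidence_id, path, digest)
    record.chain.append(CustodyEntry(_utc_now(), examiner, "acquired", digest))
    return record


def verify(record: EvidenceRecord, examiner: str, action: str) -> bool:
    """Re-hash before handling and log the result; False means integrity is broken."""
    digest = sha256_file(record.path)
    record.chain.append(CustodyEntry(_utc_now(), examiner, action, digest))
    return digest == record.acquisition_hash


def run_demo() -> Dict[str, object]:
    """Acquire a constructed evidence file, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "disk-image.bin"   # constructed sample evidence
        evidence.write_bytes(b"constructed sample evidence\n" * 1024)
        record = acquire("EV-0001", evidence, "collector A")   # constructed id/name
        first_ok = verify(record, "examiner B", "verified before analysis")
        # Simulate an unlogged modification of the evidence after acquisition.
        with evidence.open("ab") as fh:
            fh.write(b"x")
        second_ok = verify(record, "examiner C", "verified before analysis")
        return {
            "first_ok": first_ok,
            "after_tamper_ok": second_ok,
            "chain_length": len(record.chain),
            "acquisition_hash": record.acquisition_hash,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The custody chain keeps the mismatching digest as well, so the record shows exactly at which handover the evidence stopped being reliable.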

Page 240

There are four phases in the chain of events related to evidence in digital

forensics.

Each phase and its primary focus are shown below.

Forensics Chain of Events

240

Page 241

Consideration should be given to key

elements of forensics during planning

for audits and incidents.

Elements to be considered include:

• Data protection

• Data acquisition

• Imaging

• Extraction

• Ingestion or normalization

• Interrogation

• Reporting

• Network traffic analysis

• Log file analysis

• Timelines

Forensics Key Elements

241

Page 242

Forensics tools can be categorized as follows:

• Computer—Examines non-volatile digital media

• Memory—Acquires and analyzes volatile memory

• Mobile device—Observes both software and hardware components

• Network—Monitors and analyzes network traffic

• Other forensics tools include applications designed to automate analysis of large files,

such as those created by auditing software.

• Categories of these tools include audit reduction, trend or variance detection and

attack signature detection applications.

Digital Forensics Tools

242

Page 243

Topic 4: Disaster Recovery and Business Continuity

Page 244

Disasters are disruptions that cause critical information resources to be

inoperative for a period of time, adversely impacting organizational operations.

The disruption could be a few minutes to several months, depending on the extent

of damage to the information resource.

Disasters require recovery efforts to restore operational status.

What Is a Disaster?

244

Page 245

The purpose of business continuity planning (BCP)/disaster recovery planning

(DRP) is to enable an enterprise to do the following:

• Continue offering critical services in the event of a disruption.

• Survive a disastrous interruption to activities.

• Rigorous planning and commitment of resources are necessary to adequately plan for

such a disaster event.

• BCP is primarily the responsibility of senior management.

Business Continuity Planning

245

Page 246

Elements a successful BCP must take into consideration include the following:

• Critical operations necessary to the survival of the organization

• The human/material resources supporting these critical operations

• Pre-disaster readiness covering incident response management to address all relevant

incidents affecting business processes

• Evacuation procedures

• Circumstances under which a disaster should be declared.

• Procedures for declaring a disaster (escalation procedures)

• Identification of the persons responsible for each function in the plan

• Identification of contract information

• Step-by-step explanation of the recovery process

• Identification of the various resources required for recovery and continued operation of

the organization

Key BCP Considerations

246

Page 247

The first step in preparing a new BCP is to identify the business processes of

strategic importance.

These are the key processes responsible for both the permanent growth of the

business and for the fulfillment of the business goals.

Based on this, a business impact analysis (BIA) process is used to determine the

time frames, priorities, resources and interdependencies that support the key

processes.

The BIA is the core source of data used in business continuity planning.

Business Impact Analysis

247

Page 248

The BIA should answer three important questions:

• What are the different business processes?

• What are the critical information resources related to an organization’s critical business

processes?

• What is the critical recovery time period for information resources in which business

processing must be resumed before significant or unacceptable losses are suffered?

Key BIA Questions

248

Page 249

?

Pegasus is the first known spyware on which of

the following?

A. iOS devices

B. Android devices

C. IoT devices

D. Cloud storage

Cyber Question

249

Source: https://community.norton.com/en/blogs/security-covered-norton/internet-really-did-break-today-and-heres-how-it-happened

Page 250

The BIA also establishes the recovery point objective (RPO) and recovery time

objective (RTO) for each key process.

RPO is determined based on the acceptable data loss in case of a disruption of

operations.

It indicates the earliest point in time that is acceptable to recover the data, and

effectively quantifies the permissible amount of data loss in case of interruption.

RTO is the amount of time allowable for the recovery of a business function or

resource after a disaster occurs.

RPO and RTO

250

Page 251

NIST defines the information and communications technology (ICT) supply chain

as “a complex, globally distributed and interconnected ecosystem that is long, has

geographically diverse routes, and consists of multiple tiers of outsourcing.”

This environment is interdependent on public and private entities for development,

integration and delivery of ICT products and services.

The complexity of supply chains and impact requires persistent awareness of risk

and consideration.

Factors such as economic, environmental, geopolitical and technological trends

and events must be incorporated into BIA and BCP analyses.

Supply Chain Considerations

251

Page 252

The approach to IS BCP matches that of BCP for the greater organization, except

that its focus is on the continuity of IS processing.

The IS BCP should be aligned with the strategy of the organization.

If the IS plan is a separate plan, it must be consistent with and support the

corporate BCP.

Note that the criticality of the various application systems deployed in the

organization depends on the nature of the business as well as the value of each

application to the business.

IS BCP

252

Page 253

In sum, the information system BCP/DRP is a major component of an organization’s overall business continuity and disaster recovery strategy.

The process of BCP is supported by considered analysis of business impacts.

Business Continuity Planning

253

Page 254

Data recovery is the process of restoring data that has been lost, accidentally

deleted, corrupted or made inaccessible for any reason.

Recovery processes vary depending on the type and amount of data lost, the

backup method employed and the backup media.

Recovery

254

Page 255

Backup procedures are used to copy files to a second medium such as a disk,

tape or the cloud.

Backup files should be kept at an offsite location.

There are three types of data backups: full, incremental and differential.

Backup

255

Full

• Copies every selected file on the system completely, regardless of recent backup status

• Slowest backup method, but fastest for restoring data

Incremental

• Copies all files that have changed since the last backup was made, regardless of whether the last backup was a full or incremental backup

• Fastest backup method, but slowest for restoring data

Differential

• Copies only the files that have changed since the last full backup

• The file grows until the next full backup is performed
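The three backup types above differ in which sets must be restored and therefore in restore time, while the RPO from the earlier slide is bounded by the age of the newest restorable set. The following added example (not course material; schedule and dates are constructed) computes the restore chain for each strategy and checks the implied data loss against an RPO.

```python
"""Restore chain and RPO check for full, incremental and differential backups.

Added example, not part of the ISACA course material. For a backup history
and the moment of a failure it returns the sets that must be restored, in
order, and the data loss implied by the newest usable backup, which is what
the RPO bounds. The schedule and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    kind: str         # "full", "incremental" or "differential"
    taken: datetime   # completion time of the backup


def restore_chain(history: List[Backup], failure: datetime) -> List[Backup]:
    """Backups to restore, oldest first, to reach the newest state before the failure.

    full only:    the latest full
    differential: latest full, then the newest differential after it
    incremental:  latest full, then every incremental after it, in order
    A history mixing incrementals and differentials after the same full is
    rejected; that schedule is ambiguous without more metadata.
    """
    usable = sorted((b for b in history if b.taken <= failure), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup completed before the failure")
    last_full = fulls[-1]
    later = [b for b in usable if b.taken > last_full.taken]
    incrementals = [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    if incrementals and differentials:
        raise ValueError("mixed incremental/differential schedule after the last full")
    if differentials:
        return [last_full, differentials[-1]]   # one differential holds all changes since the full
    return [last_full] + incrementals           # each incremental holds changes since the previous set


def data_loss_hours(history: List[Backup], failure: datetime) -> float:
    """Time between the newest restorable backup and the failure: the RPO question."""
    chain = restore_chain(history, failure)
    return (failure - chain[-1].taken).total_seconds() / 3600


def meets_rpo(history: List[Backup], failure: datetime, rpo_hours: float) -> bool:
    """True when the schedule loses no more data than the agreed RPO allows."""
    return data_loss_hours(history, failure) <= rpo_hours


# Constructed schedule: full backup Sunday 00:00, one partial backup each
# following night at 00:00, failure on Thursday at 15:30.
_SUNDAY = datetime(2019, 1, 13, 0, 0)
FULL = Backup("full", _SUNDAY)
INCREMENTAL_HISTORY = [FULL] + [
    Backup("incremental", _SUNDAY + timedelta(days=d)) for d in range(1, 5)]
DIFFERENTIAL_HISTORY = [FULL] + [
    Backup("differential", _SUNDAY + timedelta(days=d)) for d in range(1, 5)]
FAILURE = datetime(2019, 1, 17, 15, 30)

if __name__ == "__main__":
    for name, hist in (("incremental", INCREMENTAL_HISTORY),
                       ("differential", DIFFERENTIAL_HISTORY)):
        chain = restore_chain(hist, FAILURE)
        print(f"{name}: restore {len(chain)} sets, data loss "
              f"{data_loss_hours(hist, FAILURE):.1f} h, RPO 24 h met: "
              f"{meets_rpo(hist, FAILURE, 24)}")
```

Both schedules lose the same 15.5 hours of data here, because RPO depends on backup frequency, not type; the type decides how many sets the restore needs (five versus two), which is the RTO side of the trade-off.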

Page 256

Group Activity: Incident Response

Page 257

Workmark is a benefits management company with approximately 1,200 employees in a single facility. The enterprise is highly dependent on their internetworked systems to deliver services to over 3,000 client organisations. Workmark’s servers are virtualised in two data centres, providing redundancy and geographic diversity.

Introduction

Page 258

Benefits company, founded in 1997

Headquartered in Denver, Colorado with data centres in Denver and Texas

All employees work in the Denver facility. The data centre in Texas is operated by

a third party

Company Profile

Page 259

Workmark primarily uses Microsoft Windows for both server and desktop

operating systems. In each data centre, Workmark has 75 virtual Windows

servers. Each data centre also hosts five Linux servers and a small number of

specialised network appliances.

The Denver office has 800 desktop and laptop computers.

Technical Information

Page 260

The data centres are connected via redundant virtual private network (VPN)

connections.

Each desktop and server runs an anti-malware solution that is managed from a

central server.

Most workstations use hard-wired Ethernet connections, but the laptop computers

and tablets used by the management team connect to a WPA2-secured Wi-Fi

network.

Technical Information

Page 261

IT Organization (org chart)

CIO

• CISO

• VP IT Operations

• VP Development

Teams shown on the chart: Application Development Team, Security Operations Team, Network Operations, Server Operations, Client Operations, Web Development Team

Page 262

The Security Operations Team (SOT) consists of a manager and eight analysts.

This team operates a 24/7 Network Security Operations Centre (NSOC). The

NSOC monitors the alerts from the Security Event Information Management

system (SEIM). The NSOC is also the primary point of contact for any security

related events other teams may encounter.

Security Operations TEAM

Page 263

You are the manager of the Security Operations Team (SOT). As manager, you

are the escalation point for the SOT. It is your responsibility to determine whether

an event is an incident and what the response should be.

Your Role

Page 264

At 2:00 a.m., you receive a call from a junior security analyst who is assigned to

the network security operations centre. The network engineers have reported a

sudden increase in network traffic from a virtual machine, including what appears

to be port scans of the internal network and large amounts of egress traffic

blocked at the firewall.

You ask the junior analyst if he has declared an incident. He tells you that he was

not sure if it was an event or an incident and that he needs guidance.

Scenario

Page 265

Detail the difference between an event and an incident for the junior analyst.

Describe ways to determine if this is, in fact, an incident or just an event.

Tasks

Page 266

Based on the information from the junior analyst, you declare an incident.

Grudgingly, you drive to the office to begin incident response procedures.

Upon initial analysis, you find that a privileged account on the virtual server is

scanning the internal network and trying to connect to several external sites.

The server appears to be compromised by some sort of malware that was not

detected by your anti-malware system. Monitoring the network traffic reveals that

the system is scanning for hosts on ports 135 and 445, well-known Windows ports.

Scenario, continued
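One way to answer the "event or incident" question in this scenario is to apply explicit escalation rules to the firewall records the NSOC already has. The following added example (not course material; the log format, the 10.0.0.0/8 internal range and every address are constructed) flags an internal host that sweeps many peers on 135/445 in a short window or generates a burst of blocked egress.

```python
"""Event-or-incident triage for the Workmark scenario.

Added example, not part of the ISACA course material. It reads constructed
firewall log lines and applies two escalation rules an NSOC analyst could use:
an internal host reaching an unusual number of distinct internal peers on
TCP 135/445 inside a short window (internal scan), and a burst of denied
egress connections from the same host. Either rule firing turns the reported
event into a declared incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed corporate address space
WINDOWS_RPC_SMB_PORTS = {135, 445}        # the ports named in the scenario
SCAN_DISTINCT_TARGETS = 20                # distinct peers within SCAN_WINDOW
SCAN_WINDOW = timedelta(minutes=5)
EGRESS_DENY_THRESHOLD = 10


@dataclass(frozen=True)
class FlowEvent:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str   # "ALLOW" or "DENY"


def parse_line(line: str) -> FlowEvent:
    """Parse the constructed format: '<iso-ts> src=.. dst=.. dport=.. action=..'."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return FlowEvent(datetime.fromisoformat(ts_text), fields["src"],
                     fields["dst"], int(fields["dport"]), fields["action"])


def _max_distinct_in_window(events: List[FlowEvent]) -> int:
    """Largest number of distinct destinations seen within any SCAN_WINDOW."""
    best = 0
    for i, start in enumerate(events):   # events are sorted by time
        seen = {e.dst for e in events[i:] if e.ts - start.ts <= SCAN_WINDOW}
        best = max(best, len(seen))
    return best


def triage(lines: List[str]) -> Dict[str, dict]:
    """Return, per internal source host, the evidence found and a verdict."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    lateral: Dict[str, List[FlowEvent]] = defaultdict(list)
    egress_denies: Dict[str, int] = defaultdict(int)
    for e in events:
        if ip_address(e.src) not in INTERNAL_NET:
            continue
        if ip_address(e.dst) in INTERNAL_NET:
            if e.dport in WINDOWS_RPC_SMB_PORTS:
                lateral[e.src].append(e)
        elif e.action == "DENY":
            egress_denies[e.src] += 1
    verdicts: Dict[str, dict] = {}
    for host in set(lateral) | set(egress_denies):
        peers = _max_distinct_in_window(lateral.get(host, []))
        denies = egress_denies.get(host, 0)
        reasons = []
        if peers >= SCAN_DISTINCT_TARGETS:
            reasons.append(f"{peers} distinct internal hosts on 135/445 within {SCAN_WINDOW}")
        if denies >= EGRESS_DENY_THRESHOLD:
            reasons.append(f"{denies} egress connections denied at the firewall")
        verdicts[host] = {"verdict": "incident" if reasons else "event",
                          "reasons": reasons, "peers": peers, "egress_denies": denies}
    return verdicts


def build_sample_log() -> List[str]:
    """Constructed log: one scanning VM and one normal file-share client."""
    t0 = datetime(2019, 1, 14, 2, 0, 0)
    lines = []
    for n in range(1, 31):   # 10.1.4.20 sweeps 30 internal hosts on 445 in 30 s
        lines.append(f"{(t0 + timedelta(seconds=n)).isoformat()} "
                     f"src=10.1.4.20 dst=10.1.7.{n} dport=445 action=ALLOW")
    for n in range(12):      # then tries outbound repeatedly and is blocked
        lines.append(f"{(t0 + timedelta(seconds=40 + n)).isoformat()} "
                     f"src=10.1.4.20 dst=203.0.113.{n + 1} dport=443 action=DENY")
    for n in range(3):       # benign: a workstation using one file server
        lines.append(f"{(t0 + timedelta(minutes=n)).isoformat()} "
                     f"src=10.1.5.9 dst=10.1.7.5 dport=445 action=ALLOW")
    return lines


if __name__ == "__main__":
    for host, result in triage(build_sample_log()).items():
        print(host, result["verdict"], "; ".join(result["reasons"]))
```

The thresholds are the part to tune per environment: a legitimate vulnerability scanner or backup server would trip the lateral rule, so known sources belong on an allow list before the rule is used to declare incidents.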

Page 267

Scenario, continued

Source: ISACA, CSX Cybersecurity Fundamentals Study Guide, USA, 2014, p. 94

Page 268

1. Describe the appropriate steps within each of the incident

response phases above. What should have been included in the

preparation phase to prepare for an incident like this?

2. Which information should be gathered in the detection and

analysis phase, and who should be contacted?

3. Describe the importance of the containment, eradication and

recovery steps.

4. What sort of post-incident activity should be conducted and who

should be notified?

5. Referencing the iterative nature of incident response, what

information should be fed back into the preparation stage?

Discussion Questions

Page 269

Section 6: Security Implications and Adoption of Evolving Technology

Page 270

1. Trends in the current threat landscape

2. Characteristics and targets of advanced

persistent threats (APTs)

3. Mobile device vulnerabilities, threats and risk

4. The consumerization of IT and mobile

devices

5. Risk and benefits of cloud and digital

collaboration

Topics Covered in this Section

270

Page 271

Upon completing this section you will be able to:

• Identify the possible cybersecurity implications of adoption of evolving technology.

Section Objectives

271

Page 272

Topic 1: Current Threat Landscape

Page 273

Increasing dependence on digital

technologies makes organizations more

susceptible to cybersecurity risk.

Cybersecurity Risk

273

Page 274

A threat landscape, also referred to as a threat environment, is a collection of threats.

The cybersecurity threat landscape is constantly changing.

Recent trends in the cyberthreat landscape include:

• Threat agents are more sophisticated in their attacks and use of tools.

• Attack patterns are being applied to mobile devices.

• Nation states have the capabilities to infiltrate government and private targets (cyberwarfare).

• Cloud computing results in large concentrations of data within a small number of facilities,

creating attractive targets for attackers.

• Social networks have become a primary channel for communication, knowledge collection,

marketing and dissemination of information.

• The popularity of big data as an asset allows for the potential for large scale breaches.

Threat Landscape

274

Page 275

Source: ENISA, ENISA Threat Landscape 2015, Greece, 2016

Information from ENISA (2015) shows the following trends in the threat

landscape:

Recent Trends in Cybersecurity

275

Increasing

• Malware

• Web-based attacks

• Web application attacks

• Denial of service

• Insider threats (malicious or accidental)

• Exploit kits

• Information leakage

• Ransomware

• Cyber espionage

Stable

• Physical damage/theft/ loss

• Phishing

• Data breaches

• Identity theft

Declining

• Botnets

• Spam

Page 276

Topic 2: Advanced Persistent Threats

Page 277

Evolution of the Threat Landscape

277

Page 278

An advanced persistent threat (APT) is a targeted threat that is composed of

various complex attack vectors and can remain undetected for an extended

period of time.

Unlike many other types of criminal acts, it is not easily deflected by a determined,

defensive response.

In addition, APTs have the following characteristics:

• Unprecedented degree of planning, resources employed and techniques used

• Often follow a particular modus operandi

What is an Advanced Persistent Threat?

278

Page 279

APTs target companies of all sizes across all sectors of industry and all

geographic regions that contain high-value assets.

No industry with valuable secrets or other sources of commercial advantage that

can be copied or undermined through espionage is safe from an APT attack.

APT attacks often encompass third-party organizations delivering services to

targeted enterprises.

APT Targets

279

Page 280

Threat, what they seek, and business impact:

Intelligence agencies

• What they seek: Political, defense or commercial trade secrets

• Business impact: Loss of trade secrets or commercial, competitive advantage

Criminal groups

• What they seek: Money transfers, extortion opportunities, personal identity information or secrets for potential onward sale

• Business impact: Financial loss, large-scale customer data breach or loss of trade secrets

Terrorist groups

• What they seek: Production of widespread terror through death, destruction and disruption

• Business impact: Loss of production and services, stock market irregularities, and potential risk to human life

Activist groups

• What they seek: Confidential information or disruption of services

• Business impact: Major data breach or loss of service

Armed forces

• What they seek: Intelligence or positioning to support future attacks on critical national infrastructure

• Business impact: Serious damage to facilities in the event of a military conflict

APT Sources of Threat

280

Page 281

Although no two APT attacks are

exactly alike, they often follow a similar

life cycle beginning with target selection

and research.

Stages of an APT Attack

281

Page 282

Topic 3: Mobile Technology - Vulnerabilities, Threats and Risk

Page 283

Security for mobile technology is a

function of the risk associated with its

use.

Threats related to mobile technology

include those listed here.

1. Improper platform usage

2. Insecure data storage

3. Insecure communication

4. Insecure authentication

5. Insufficient cryptography

6. Insecure authorization

7. Client code quality

8. Code tampering

9. Reverse engineering

10. Extraneous functionality

Security for Mobile Technology

283

Page 284

Mobile devices present a number of technical risks, in addition to physical and organizational risks:

• Activity Monitoring and Data Retrieval

• Unauthorized Network Connectivity

• Web View/User Interface (UI) Impersonation

• Sensitive Data Leakage

• Unsafe Sensitive Data Storage

• Unsafe Sensitive Data Transmission

• Drive-by Vulnerabilities

Technical Risk

284

Page 285

Target and associated risk:

Messaging

• Generic attacks on SMS text, MMS-enriched transmission of text and contents

• Retrieval of online and offline email contents

• Insertion of service commands by SMS cell broadcast texts

• Arbitrary code execution via SMS/MMS

• Redirect or phishing attacks by HTML-enabled SMS text or email

Audio

• Covert call initiation or call recording

• Open microphone recording

Pictures/Video

• Retrieval of pictures and videos by piggybacking the usual “share” functionality in most apps

• Covert capture of video or pictures, including traceless wiping of such material

Geolocation

• Monitoring and retrieval of GPS positioning data, including date and time stamps

Static data

• Intelligence or positioning to support future attacks on critical national infrastructure

History

• Monitoring and retrieval of all history files in the device or on SIM cards (calls, SMS, browsing, input, stored passwords, etc.)

Storage

• Generic attacks on data and device storage (hard disk or solid state disk [SSD])

Activity Monitoring and Data Retrieval Risk

285

Page 286

Vector and associated risk:

• Email: Simple to complex data transmission (including large files)

• SMS: Simple data transmission, limited command and control (service command) facility

• HTTP get/post: Generic attack vector for browser-based connectivity, command and control

• TCP/UDP socket: Lower-level attack vector for simple to complex data transmission

• DNS exfiltration: Lower-level attack vector for simple to complex data transmission, slow but difficult to detect

• Bluetooth: Simple to complex data transmission, profile-based command and control facility, generic attack vector for close proximity

• WLAN/WiMAX: Generic attack vector for full command and control of target, equivalent to wired network

Unauthorized Network Connectivity Risk

286

Page 287

The amount of storage space found on many devices is growing and, on average,

almost any device will soon be capable of storing several gigabytes of data.

This increases the risk of data leakage, particularly when mobile devices store

replicated information from enterprise networks.

Sensitive data leakage can be inadvertent or can occur through side channel

attacks.

Side channel attacks over prolonged periods of time allow the building of a

detailed user profile in terms of movements, behavior and private/business habits.

Users who may be considered at risk may require additional physical protection.

Sensitive Data Leakage

287

Page 288

The use of mobile devices often increases the risk associated with unsafe storage

and transmission.

Risk Associated With Mobile Data Storage and Transmission

288

Unsafe Sensitive Data Storage

• Applications may store sensitive data such as credentials or tokens as plaintext.

• Data stored by the user is often replicated without encryption.

• Standardized files such as presentations and spreadsheets are stored unencrypted for quick access and convenience.

• Mobile devices are often associated with cloud storage, which itself adds risk.

Unsafe Sensitive Data Transmission

• Mobile devices predominantly rely on wireless data transmission, creating a risk of unauthorized network connectivity, particularly when using a wireless LAN.

• Users are likely to use unsecured public networks for data transmission.

• Automatic network recognition, a common feature in mobile OSs, may link to WLANs available in the vicinity, memorizing Service Set Identifiers (SSIDs) and channels and paving the way for evil twin attacks.

Page 289

Mobile device size restricts display and edit capabilities.

Word processing, spreadsheet and presentation software is optimized for opening and reading only, but the documents may contain active hyperlinks, macros and embedded documents.

This is a known attack vector for malware and other exploits. Mobile apps may not recognize malformed links or provide adequate warnings to users.

Users can be harmed by insertion of illegal material, inadvertent use of “premium” services via SMS/MMS or bypass of authentication mechanisms.

The restricted nature of mobile device applications leads to an increased risk of drive-by attack.

Drive-by Vulnerabilities

289

Page 290

?

In 2016, the Mirai botnet malware flooded a DNS server with a Distributed Denial of Service (DDoS) attack. It was the first known attack of this kind on which of the following types of device?

A. iOS devices

B. Android devices

C. IoT devices

D. Cloud storage

Cyber Question

290

Source: https://community.norton.com/en/blogs/security-covered-norton/internet-really-did-break-today-and-heres-how-it-happened

Page 291

Topic 4: Consumerization of IT and Mobile Devices

Page 292

Consumerization of IT is the reorientation of technologies and services designed

around the individual end user. Examples include:

• Smart devices such as smartphones and tablets

• BYOD strategies

• New, freely available applications and services

• Consumerization is not limited to devices.

• New, freely available applications and services provide better user experiences for

things like note-taking, video conferencing, email and cloud storage than their

respective corporate-approved counterparts.

• Instead of being provided with company-issued devices and software, employees are

increasingly using their own solutions that fit with their lifestyle, user needs and

preferences.

Consumerization of IT

292292

Page 293: Bring Your Own Device

The use of privately owned mobile devices for work purposes has quickly taken hold. This trend is both positive and negative.

The downside is a proliferation of devices with known (or unknown) security risk, and the formidable challenge of managing device security against several unknowns.

In contrast, BYOD is becoming an important job motivation factor, because employees are no longer willing to accept technology restrictions.

Page 294: Pros and Cons of BYOD

PROS
• Shifts costs to user
• Worker satisfaction
• More frequent hardware upgrades
• Cutting-edge technology with the latest features and capabilities

CONS
• IT loss of control
• Known or unknown security risk
• Acceptable Use Policy is more difficult to implement
• Unclear compliance and ownership of data

Page 295: Internet of Things

The Internet of Things (IoT) refers to physical objects that possess embedded network and computing elements and communicate with other objects over a network.

Although specific risk depends on usage, IoT creates several types of risk.

Business Risk
• Health and safety
• Regulatory compliance
• User privacy
• Unexpected costs

Operational Risk
• Inappropriate access to functionality
• Shadow usage
• Performance

Technical Risk
• Device vulnerabilities
• Device updates
• Device management

Page 296: Big Data

Big data is both a marketing and a technical term referring to a valuable enterprise asset: information.

Big data relies on data sets that are too large or too fast-changing to be analyzed using traditional database techniques or commonly used software tools.

The change in analytics capabilities dealing with big data can introduce technical and operational risk, including:

• Amplified technical impact: larger data sets are in jeopardy if attacked
• Privacy in data collection: individuals may feel that revealed information is overly intrusive
• Re-identification: during aggregation, semi-anonymous information may be converted to identifiable information, compromising individual privacy
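
The re-identification risk above, as an added example that is not part of the course material: constructed sample records show how joining a "semi-anonymous" release to a public data set on shared quasi-identifiers recovers identities, and how a k-anonymity check plus generalization before release closes the gap. All records, names and the `diagnosis` field are constructed; the functions `k_anonymity`, `link` and `generalize` are this example's own.

```python
from collections import Counter

# Constructed sample data: a "de-identified" release with names removed but
# quasi-identifiers (ZIP, birth year, sex) kept beside a sensitive attribute.
RELEASE = [
    {"zip": "10001", "birth_year": 1980, "sex": "F", "diagnosis": "flu"},
    {"zip": "10001", "birth_year": 1982, "sex": "F", "diagnosis": "asthma"},
    {"zip": "10002", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10003", "birth_year": 1971, "sex": "M", "diagnosis": "flu"},
]
# Constructed public data set (think voter roll): same quasi-identifiers plus names.
PUBLIC = [
    {"name": "A. Smith", "zip": "10001", "birth_year": 1980, "sex": "F"},
    {"name": "D. Kim", "zip": "10001", "birth_year": 1982, "sex": "F"},
    {"name": "B. Jones", "zip": "10002", "birth_year": 1975, "sex": "M"},
    {"name": "C. Lee", "zip": "10003", "birth_year": 1971, "sex": "M"},
]
QUASI = ("zip", "birth_year", "sex")

def qid(rec):
    """Quasi-identifier tuple that groups records into equivalence classes."""
    return tuple(rec[q] for q in QUASI)

def k_anonymity(rows):
    """k = size of the smallest equivalence class; k == 1 means some record is unique."""
    return min(Counter(qid(r) for r in rows).values())

def link(release, public):
    """The aggregation step the slide warns about: join release and public data on
    the quasi-identifiers; a release record is re-identified when its class is a
    singleton on both sides. Returns (name, sensitive attribute) pairs."""
    in_release = Counter(qid(r) for r in release)
    names = {}
    for p in public:
        names.setdefault(qid(p), []).append(p["name"])
    return [(names[qid(r)][0], r.get("diagnosis"))
            for r in release
            if in_release[qid(r)] == 1 and len(names.get(qid(r), [])) == 1]

def generalize(rows):
    """Mitigation: coarsen quasi-identifiers (3-digit ZIP prefix, birth decade) so
    that every equivalence class holds at least two records before release."""
    return [dict(r, zip=r["zip"][:3] + "**", birth_year=r["birth_year"] // 10 * 10)
            for r in rows]

if __name__ == "__main__":
    print("k =", k_anonymity(RELEASE), "re-identified:", link(RELEASE, PUBLIC))
    safe = generalize(RELEASE)
    print("k =", k_anonymity(safe), "re-identified:", link(safe, generalize(PUBLIC)))
```

Run as-is, the raw release has k = 1 and every record is re-identified; after generalization k = 2 and the join yields nothing, which is the check a data owner should run before publishing an aggregated data set.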

Page 297: Topic 5: Cloud and Digital Collaboration

Page 298: Cloud Computing

NIST defines “cloud computing” as a “model for enabling convenient, on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Cloud computing offers enterprises a way to save on the capital expenditure associated with traditional methods of managing IT.

Common platforms offered in the cloud include:

• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

Page 299: Top Cloud Computing Threats

Cloud computing-related risk can lead to a number of different threat events. The Cloud Security Alliance lists the following as top cloud computing threats:

• Data breaches
• Data loss
• Account hijacking
• Insecure application programming interfaces (APIs)
• Denial-of-service (DoS)
• Malicious insiders
• Abuse of cloud services
• Insufficient due diligence
• Shared technology issues

Page 300: Web Applications

Enterprises often use SaaS offerings, sometimes extending this use to critical business processes and related applications.

These service offerings bring business advantages, but they also generate data-in-flow vulnerabilities that may be exploited by cybercrime and cyberwarfare.

SaaS increases risk at the application layer, including these attack vectors:

• Zero-day exploits
• Primary malware
• Secondary malware

Page 301: Social Media

Social media technology involves the creation and dissemination of content through social networks using the Internet.

The differences between traditional and social media are defined by the level of interaction and interactivity available to the consumer.

Use of social media has created highly effective communication platforms where any user, virtually anywhere in the world, can freely create content and disseminate this information in real time to a global audience.

Enterprises are using social media to increase brand recognition, sales, revenue and customer satisfaction; however, there is risk associated with its usage.

Page 302: Risks of Enterprise Use of Social Media

Risks associated with a corporate social media presence include:

• Introduction of viruses/malware to the organizational network
• Misinformation or misleading information posted through a fraudulent or hijacked corporate presence
• Unclear or undefined content rights to information posted to social media sites
• Customer dissatisfaction due to an expected increase in customer service response quality/timeliness
• Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery

Page 303: Risks of Employee Use of Social Media

Risks associated with employee personal use of social media include:

• Use of personal accounts to communicate work-related information
• Employee posting of pictures or information that link them to the enterprise
• Excessive employee use of social media in the workplace
• Employee access to social media via enterprise-supplied mobile devices (smartphones, tablets)

Page 304: Section 6: Security Implications and Adoption of Evolving Technology

Review Question

Page 305: Review Question

Which of the following are cloud-related threats?

A. Data breaches
B. Data loss
C. Account hijacking
D. Insecure application programming interfaces (APIs)
E. Denial-of-service (DoS)
F. All the above

Page 306: Review Question

All of the following are business risks for IoT devices except for which of the following?

A. Health and safety
B. Performance
C. Regulatory compliance
D. User privacy
E. Unexpected costs

Page 307: Review Question

Which of the following is an advantage for BYOD?

A. Shifts costs to user
B. IT loss of control
C. Known or unknown security risk
D. Acceptable Use Policy is more difficult to implement
E. Unclear compliance and ownership of data

Page 308: Review Question

Which of the following are risks associated with corporate social media?

A. Introduction of viruses/malware to the organizational network
B. Misinformation or misleading information posted through a fraudulent or hijacked corporate presence
C. Unclear or undefined content rights to information posted to social media sites
D. Customer dissatisfaction due to an expected increase in customer service response quality/timeliness
E. All the above

Page 309: Review Question

What is the APT threat type if the business impact is the loss of trade secrets or commercial, competitive advantage?

A. Intelligence agencies
B. Criminal groups
C. Terrorist groups
D. Activist groups
E. Armed forces

Page 310: Section Summary

You should now be able to:

• Identify the possible cybersecurity implications for adoption of evolving technology.

Page 311: Course Summary

Now that you have completed this course you should be able to:

• Identify key concepts and terminology in cybersecurity.
• Define the key concepts, roles and domains of cybersecurity.
• Identify the various types of cybersecurity architecture.
• Identify the key components of securing networks, systems and applications and data.
• Identify an incident and outline the phases of incident response.
• Identify the possible cybersecurity implications for adoption of evolving technology.

Page 312: THANK YOU