Cyber Security & Resilience
CIS benchmarks
- 100+ configuration guidelines for various technology groups, enabling you to safeguard operating systems, software and networks that are most vulnerable to cyber attacks - CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
WannaCry
- 230'000 infected devices in 150 countries - Switzerland: 204 infections; Only citizens and SME, no critical infrastructure
ISO 27k family
- 27000: ISMS overview & vocabulary standard (includes definitions) - 27001: requirements for establishing, implementing, maintaining and continually improving an ISMS (most famous one) - 27002: ISMS controls (code of practice that recommends a large number of information security controls & control objectives) - 27003: ISMS implementation guidelines - 27005: Risk management (includes list of threats) - 27007: ISMS audit (provides guidance on managing an ISMS audit programme, on conducting audits, and on the competence of ISMS auditors) - 27039: cyber risks IDPS (guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an ISMS)
Resilience
- Ability to quickly adapt to and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning - Ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognisable effect - Ability to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions
How do they hack?
- Advanced Persistent Threats & cyber kill chain - Tactics, techniques & procedures
Cautions in regard to culture change
- a culture cannot be created, only shaped and directed - developing a strong culture is not a project, it's a never-ending process
Properties of a blockchain
- All transactions of a blockchain are public and can be seen (public blockchain) - There is no central instance that can control the blockchain - Blockchain data is stored multiple times in a network (redundant) and is protected against manipulation and destruction - Changes in the blockchain protocol can only happen when all active nodes share its consensus - A blockchain can split (fork) temporarily or definitively; there are hard and soft forks (new, incremental) - The most important ability of a blockchain is to handle transactions over the internet
How to prevent defacements
- Always keep the CMS (WordPress, Joomla, etc.) up to date - Regularly make a visual check of the content of your website - Correct any anomalies asap - Inform MELANI/CYCO - If desired: criminal complaint at the cantonal police
We are just starting our ISO27k programme, which information risk analysis method/s could we use?
- Analog Risk Assessment (ARA) is a deceptively simple creative method to analyze, visualize, report, compare and consider risks subjectively according to their relative probabilities of occurrence and impacts. It uses Probability Impact Graphs (PIGs) to represent disparate risks on a directly comparable basis - COBIT from ISACA provides a comprehensive model guiding the implementation of sound IT governance processes/systems, including to some extent information security controls. It is widely used by SOX and IT auditors - COSO ERM (the Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management framework) is a widely used general structure/approach to managing all forms of organizational risk - ISO 31000 offers guidance on the principles and implementation of risk management in general (not IT or information security specific).
three levels of culture
- Artifacts -> what you see and hear -> visible organisational structures and processes - Espoused beliefs and values -> culture theatre -> strategies, goals, philosophies - Underlying assumptions -> actual essence of culture -> unconscious, taken-for-granted beliefs, perceptions, thoughts and feelings
How to prevent crypto trojans
- Backups - Disconnect external disks after backup - Check the backup quality from time to time - Do not pay any ransom - Inform MELANI/CYCO - If desired: criminal complaint at the cantonal police
What is my intended outcome? the 5 most important things that have to be provided even during/after an incident
- Before incident -> identify/properly define your intended outcome and plan for possible security incidents - During incident -> detect the issue and ensure basic business delivery (e.g. provide a backup website, if that is the most important platform of the business) - After incident -> restore regular business delivery and adapt delivery mechanisms to avoid the issue in future
Impact of risk-based cyber security frameworks on organisations
- Better able to identify and prioritise security risks - Better able to quickly detect and mitigate security incidents - Sensitive data is more secure
Cyber security & blockchain today
- Blockchain's current level of security from a system and data perspective for both public and private ledgers - Uses the CIA triad model, composed of three areas: confidentiality, integrity and availability to assess the current level of maturity of the technology - The importance of Authentication, Authorization and Audit (AAA), and Non-Repudiation, as fundamental security aspects for protecting information and designing / managing new systems and networks is also addressed
Properties of blocks
- Blocks are made out of random transactions, and their syntax correctness is checked - There is no inner order within the blocks, or how the blocks are allocated - The order of the blocks represents the timed building of the blocks and is important - A later manipulation of transactions or blocks (also its order) is not possible
Smart home consumer
- Boomers: save money - Gen Xers: keep home safe - Millennials: it's cool
Center for internet security controls (CIS)
- CIS is a non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats - CIS Controls and CIS Benchmarks are global industry best practices endorsed by leading IT security vendors and governing bodies for securing IT systems and data against the most pervasive attacks - Mission: Identify, develop, validate, promote, and sustain best practice solutions for cyber defense - security metrics: sigma levels
ISACA's Cybersecurity Nexus (CSX)
- CSX is designed to help fortify and advance the industry by educating, training and certifying a stronger, more skilled workforce that can keep organizations and their information secure, now and in the future - ISACA offers a wide range of cyber security related resources & certifications - Certificates are aligned with NIST (fundamental, practitioner, manager) - Lists 10 possible threats like cybercrime, DDoS, social engineering, malware, etc. with 72 control options - offers a certification programme
How to prevent espionage
- Classify your documents - Enforce the rules for the different types of classification - Network monitoring - Inform MELANI/CYCO - if desired: criminal complaint at the cantonal police
requirements for a cryptographic hash function
- Collision free - Stochastic
Communication - the network
- Communication requirements vary widely depending on purpose and resource constraints - some wireless communication protocols -> short-range radio protocols (e.g. Bluetooth, Wi-Fi, near field communication (NFC) or radio frequency identification (RFID)), mobile networks and longer-range radio protocols - combination of different protocols within IoT ecosystems is a common practice using gateways to ensure interoperability (bring different protocols together)
CIA model (triad)
- Confidentiality: a set of rules that limits access to information - Integrity: the assurance that the information is trustworthy and accurate - Availability: a guarantee of reliable access to the information by authorized people
Conclusion blockchain
- Uses cryptography and is immutable aka is secure - Stores data in form of hashes and equally distributes it among participants - Can take form of public, private or permissioned blockchain - Participants are nodes and consensus algorithms are miners
Types of cyber security
- Critical infrastructure: cyber-physical systems like electricity grid, water purification, traffic lights, hospitals (solution: perform due diligence & create a contingency plan) - Network security: unauthorized intrusion, malicious insiders (solution: manage network security monitoring, use ML to flag abnormal traffic & alert) - Cloud security: poorly configured cloud instances (solution: establish due diligence) - Application security (solution: secure coding, fuzzing, penetration testing) - Internet of things (IoT) security (e.g. appliances, sensors, printers, security cameras)
Reactive recommendations against cyber crime
- Crucial question: Block systems: yes or no? - Support: CI operators (MELANI), SME/citizens (CYCO) - Criminal complaint: Companies (cantonal police in charge for your headquarters), Citizens (cantonal police in charge for your place of residence)
Cryptographic functions
- Cryptographic hash functions - Asymmetric encryption - Digital signatures
Difference cyber incident and cyber event
- Cyber incident is an adverse and unplanned event (mostly negative). - cyber event is a planned event (e.g. practicing)
Cyber resilience
- Cyber resilience refers to the ability to continuously deliver the intended outcome despite adverse cyber events (caused by humans or nature) - Continuously: deliver the intended outcome even when regular delivery mechanisms have failed
ISACA CSX example control: security awareness training
- Cybersecurity awareness is a key success factor in supporting and sustaining all other controls. - Awareness is usually maintained through training / education and through campaigns that communicate key messages. In practice, most enterprises operate information security awareness programs including specific training and education opportunities. - For cybersecurity purposes, both awareness messages and training should be more specific but nevertheless broad enough to reach all associates and contractors. It is noted that cybersecurity awareness is a direct function of the "tone at the top" and open, active senior management support.
DAD model
- Disclosure: unauthorised individuals gain access to confidential information - Alteration: data is modified through some unauthorised mechanism - Denial: authorised users cannot gain access to a system for legitimate purposes - DAD activities may be malicious or accidental
Why management should ask for ISMS-implementation?
- Duty of board members => depending on «risk-appetite» - Internal / external audits (recurring) - Reportings (recurring) - Continuous improvement - Lower your security costs - Customer trust / reputation in the market - Use gathered information for questionnaires / due diligence
Properties of a blockchain transaction
- Each transaction can be assigned to one or several participants (owners) using their signature - The originator is not known by name, but only by his public key - The origin depends only on the private key - There is an unlimited number of key pairs - The message (semantic) correctness of the transaction is given by the digital signature - The formal (protocol, syntax) correctness of the transaction is verified by the network
Distributed ledger
- Has no central server or authority - Everyone (aka node) on the network has a copy of the ledger - A huge variety of information can be stored on a distributed ledger - Transparent but anonymous ledger: the ledger can be public while concealing identity - Append-only ledger: each entry (aka block) is linked to the previous entry via some math (aka hash); some nodes (aka miners) are paid for performing calculations (aka proof of work) - Immutable ledger: attacks on the ledger are impractical due to the need for a majority of nodes (aka 51% attack) to agree to a change and the computational power required
How to prevent CEO fraud
- Have clear directions and guidance for financial transactions - Don't give internal information to third parties - Ask the management in case of doubt - Also be careful with email coming from people you seem to know - Inform MELANI/CYCO - If desired: criminal complaint at the cantonal police
Detecting an incident
- Implement a logging system that records events related to user authentication, account mgmt. and access rights - Monitoring of device behaviour - Auditing of security-relevant events
Information security
- InfoSec is the practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information (electronic or physical) - primary focus is the balanced protection of the confidentiality, integrity and availability of data (CIA triad) while maintaining a focus on efficient policy implementation, all without hampering organisation productivity
Embedded - the processing unit
- IoT devices can also be found as embedded systems, based on a processing unit, memory, connectivity and power supply that enables them to process data on their own - Some examples of devices that contain embedded systems comprise medical implants, wearables such as smart watches, connected lights, smart thermostats
Blockchain
- Is a specific type of distributed ledger - Can store: financial transactions, property records, shipments and inventory, executable code (smart contracts), steps (?); basically all electronic data in different, specified forms
Authentication factors
- Knowledge factors = Something the user knows (password, PIN, shared secret) - Possession factors = Something the user has (ID, card, security token, smartphone) - Inherence factors = Biometrics, something the user is; Personal attributes mapped from physical characteristics (fingerprints, face and voice); Behavioural biometrics (keystroke dynamics, gait, speech patterns) - (location & time)
How to prevent attacks against mobile
- Make sure that you authenticate a login and not a payment - Read the whole text: check the amount, IBAN, name, etc. which is displayed on your mobile phone - Only download apps from official stores - Inform your bank immediately, should you get an unexpected mTAN
Purpose of MELANI
- Wants to ensure security of computer systems and the internet as well as the protection of critical national infrastructures in Switzerland (only possible in close cooperation with Swiss economy - public private partnership) - MELANI analyzes cyber activities and raises awareness, tries to prevent security breaches and preventatively informs potential victims in advance
Cyber threat actors
- Nation-states (espionage and cyber warfare - victims include government agencies, infrastructure, energy and IP-rich organisations) - Insiders (employees & trusted third parties with access to sensitive data) - Extremists (disruption and cyber warfare; victims include government agencies, infrastructure and energy) - Organised crime syndicates (theft of financial or personally identifiable information - victims include financial institutions, retailers, medical and hospitality companies) - Hacktivists (service disruptions or reputational damage; victims include high-profile organisations and government)
consensus algorithm
- New transactions are sent to the network - All active nodes collect them and form a block - The fastest node writes the next block - All the other nodes verify the block, and if it is valid it will be added as a new block
How to prevent phishing
- No Swiss bank asks its clients by phone or email for their credentials - Be careful if emails ask for an action or contain threats - Contact your bank immediately - Inform MELANI/CYCO - If desired: criminal complaint at the cantonal police
Frame conditions for MELANI
- No mandatory disclosure of cyber attacks - Subsidiary - No right of command outside the federal government
Segregation of duties (SoD)
- Not providing a critical combination of functionality to the same user - Should be risk based (the business process is leading, the system should fit) - Examples: Maintenance of vendor master data AND posting invoices, Release blocked sales order AND billing
Access controls are important in the areas of
- Physical access to your premise, rooms, etc. - Logical access to applications, operating systems, databases, networks and technology (e.g. artificial intelligence) - Organisational controls (e.g. policies and procedures)
How to prevent DDoS and how to react
- Prevention = Ask your ISP for preventive measures - Reaction = Sit out, Don't pay any ransom, inform MELANI/CYCO, If desired: criminal complaint at the cantonal police
Problem with password-based authentication
- Requires knowledge and diligence to create and remember strong passwords - Passwords require protection from many inside threats, like carelessly stored sticky notes with login credentials, old hard drives and social-engineering exploits - Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks
Cybersecurity actors
- Script kiddies - hacktivism - terrorism - insiders - organized crime - governments
Success factor for CSC implementation
- Secure buy-in at the highest level - Do not re-invent the wheel - Use existing sources to guide your programme (ENISA) - Check existing good practices - Know your organisation (there is no one-size-fits-all) - Measure your progress (but be aware that cultural change takes time) - CSC can only be shaped collaboratively, not imposed!
IOTA
- Secure data exchange between devices = smart decentralisation - Distributed ledger technology for IoT = peer-to-peer network for machines through machines without transaction fees - basic element of IOTA is the "Tangle" = distributed database set up as a P2P network and based on consensus mechanisms
Concept of IoT
- Sensors -> the input units (generate associated quantitative data, which can be processed in real time or stored for later retrieval, e.g. accelerometers, temperature sensors, pressure sensors, light sensors and acoustic sensors) - Actuators -> the output units (operate in the reverse direction of a sensor: an actuator takes an electrical input and turns it into physical action, e.g. actuators of smart lamps make use of the signal coming from a light sensor to regulate brightness)
Difference standards and frameworks
- Standards are the most established and recognised: ISO / 27K, 270XX, SCRUM - Frameworks are funded by a specific group: e.g. COBIT, CMMI (process mgmt.), PRINCE2, Hermes, PMBOK (project mgmt.)
COBIT 5
- Stands for: Control Objectives for Information and related Technology - Is useful to align security with business strategy and objectives - Included guides: COBIT 5 for Information Security, Assurance and Risk - CSX: dedicated to cyber events - Takes a number of other standards and frameworks into account - Has a huge GRC part with a defined process model - Leading framework for the governance and management of enterprise IT
ISO 27k
- Stands for: International Organization for Standardization - Provides a set of checklists to assess if a company is operationally well-established with regard to security considerations - Takes a top-down approach (BSI is rather bottom-up) - ISO methodology is focused on the value chain for breaking down company operations into business functions and into activity groups - ISO 27001 includes requirements for the whole lifecycle: organization, leadership, planning, support, implementing, monitoring and improving
NIST
- Stands for: National Institute of Standards and Technology - Can offer utility around tactical or network-level topological security - Framework is voluntary guidance for critical infrastructure organizations to better manage and reduce cybersecurity risk - Designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders - Was founded in 1901 and is part of US Department of Commerce - Includes cybersecurity framework which consists of three components: Core, implementation tiers and profiles - Core functions: Identify, Protect, Detect, Respond, Recover - Each core function consists of several categories, subcategories & references to other standards such as ISO and COBIT 5 - Framework does state desired outcome per subcategory but not how an organization must achieve the desired state - framework is technology-neutral
Who hacks?
- States - Hacktivists: do it either for the lols (fun, technology, chaos), for the collective (politics, society, disobedience) or for the politics (ideology, show of force, rivalry) - Criminals
Proactive recommendations against cyber crime
- Strong passwords/change passwords regularly - Firewall (blacklist etc.) - Updates - Backups - Technical measures are not enough - Respect organisational measures such as BCM, crisis communication, etc.
IoT can be put into 3 categories
- Things that gather information - Things that send information back - Or both
NIST core
- a set of desired cybersecurity activities and outcomes - core guides organizations in managing and reducing their cyber-security risks in a way that complements an organization's existing cybersecurity and risk management processes - core is designed to be intuitive and to act as a translation layer to enable communication between multi-disciplinary teams by using simplistic and non-technical language - consists of three parts: functions, categories and subcategories - includes 5 high level functions: identify, protect, detect, respond, recover
Hash function
- algorithm which transforms an input of arbitrary length (characters) into a number of fixed length - Applications: indexing of large datasets - Fast to calculate, deterministic, not reversible
5 common questions from CEO to CISO
- are we within our risk appetite? - what is the likelihood of risks that could cost us 50 million? - how much have you reduced our exposure to risk? - where are our biggest gaps btw. threats & controls? - what controls are least contributing to reduction of our risks?
NIST tiers
- assist organizations by providing context on how an organization views cybersecurity risk management - tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget - Risk management process, integrated risk management program and external participation are measured in tiers: Tier 1 = partial, Tier 2 = risk informed, Tier 3 = repeatable, Tier 4 = adaptive - Note: Tiers do not represent maturity levels.
How to identify phishing scams
- be cautious with links (destination mostly not what it claims to be) - watch for typos (mostly bad grammar used and not your personal name) - do an online search (running scams can be found quickly online) - check your online accounts (have I been pwned?) - have strong security software (better safe than sorry)
Bitcoin
- cryptographic hash function (SHA 256, bitcoin mining is the decentralised storage of the data) - asymmetric encryption (can be divided into very small units) - digital signatures (signature of transaction) - scripts (instructions used to execute Bitcoin transactions; needed are addresses input-addresses output)
blockchain application scenarios
- data integrity (CSR) - notary/registry services - transaction/crypto-currency = data integrity proof is created & stored in a blockchain
Benefits of ethical hacking
- discovering vulnerabilities from an attacker's point of view so that weak points can be fixed - defending national security by protecting data from terrorists - gaining the trust of customers and investors by ensuring the security of their products/data - helping protect networks with real-world assessments - implementing a secure network that prevents security breaches
Generic requirements of access controls
- flexibility (to what extent the authorisation structure is adaptable to changes in the organisational structure and how specific authorisations can be assigned to end users) - maintainability (simplicity of changes in roles, how the authorisation concept as a whole can be overseen) - transparency (how the authorisation concept can be reviewed and can be understood by both administrators and business users) - security (how roles enable the required segregation of duties (SOD) and how authorisations can prevent the execution of (critical) activities by unauthorised users)
Access control challenges
- governance & org. set-up (lack of strategic alignment, security design, ownership) - security & provisioning processes (insufficient/inaccurate information, lack of risk/quality controls) - access architecture (lack of flexibility to respond to changes, lack of scalability to grow with the org.)
what does the organisation ISACA stand for? which group of professionals is interested in an ISACA certification?
- Information Systems Audit and Control Association - target professionals: IS auditor, consultant, educator, IS security professional, regulator, chief information officer, chief information security officer, internal auditor
digital signature
- method to secure the authenticity (origin) and integrity of a digital document (message, software) - The hash value of a document is encrypted with a private key (digital document signature). The sender sends the (unencrypted) document with the signature to the receiver. The receiver encrypts the signature with the public key of the sender and takes its hash. Now the receiver compares the resulting hash with the hash of the document, and they need to match. Nobody except the owner of the private key is able to create a digital signature matching the public key.
DAD/CIA model
- models designed to guide policies for information security within an organisation - How to be more secure, important in IT projects (run smoothly and safely)
Name and explain the 5 characteristics of cyber resilience
- objective: ensure business delivery - intention: safe-to-fail - architecture: multi layered protection - scope: holistic, network of systems/organisation - approach: build security from within
NIST profiles
- organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core - profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization
Blockchain forms
- public, private or permissioned: public - everyone with a node can participate; private - I decide who in my "home" can access; permissioned - what most companies use, certain restrictions for data - open source/closed source code: more vs less transparent - with/without tokens: not all hyper ledgers might support them - with/without smart contracts: automation
What does MELANI try to do?
- raises awareness for users (preventative actions) - tries to filter spam - tries to block download servers after having analysed the malware - hinders money mule recruitment - warns potentially targeted banks
Principled performance
- reliable achievement of objectives while addressing uncertainty and acting with integrity - for an organization to succeed, it must find ways of consistently evaluating unknowns
Need of CSC
- rise of cybercrime and economic costs of attacks - shortcomings of existing means
Cyber kill chain
- series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs). - steps: reconnaissance, lateral movement, data exfiltration
Supply chain
- system of organisations, people, activities, information and resources involved in moving a product or service from supplier to customer - activities involve the transformation of natural resources, raw materials, and components into a finished product that is delivered to the end customer - Blockchain can help organise the data stream without anyone being able to change the data --> it can change the traditional data hierarchy of a company (sensors, applications, SAP) into a more dynamic model
Positioning of frameworks & standards
- tactical = NIST (offers utility around tactical or network-level topological security) - operational = ISO (provides a set of checklists, to assess if you are being operationally thorough in your security considerations) - strategic = COBIT (useful to align security with business strategy and objectives)
Things in the IoT
- thing is an object/device capable of being identified and integrated into communication networks - Capability of communication -> exchanging data over a network between them and/or with the cloud backend services
IoT
- wide ecosystem where interconnected devices and services collect, exchange and process data in order to adapt dynamically to a context - by 2020 the number of connected devices is envisioned to reach 20 billion - almost 3 trillion dollars in new business opportunities for the different vendors and companies that capitalise on the IoT by 2020
NIST taxonomy & mechanisms for organisations
1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; 5) Communicate among internal and external stakeholders about cybersecurity risk
Challenges when aiming to secure IoT
1. Limited device resources (Majority of IoT devices have limited capabilities) 2. Security updates (Applying security updates to IoT is challenging, since the particularity of the user interfaces available to users does not allow traditional update mechanisms) 3. Fragmentation of standards and regulations (Fragmented and slow adoption of standards and regulations to guide the adoption of IoT security measures and good practices increase concerns) 4. Low cost (Manufacturers might be inclined to limit security features to ensure a low cost for IoT devices) 5. Insecure programming (Since time to market pressure for IoT products is high, this imposes constraints on the available efforts to develop security) 6. Lack of expertise (novel domain, lack of people with the suitable skillset and expertise in IoT cybersecurity) 7. Unclear liabilities (Lack of a clear assignment of liabilities might lead to ambiguities and conflicts in case of a security incident)
Benefits of international standards
1. Streamlining internal operations 2. Innovating and scaling up operations 3. Creating or entering new markets International Standards bring technological, economic and societal benefits. They help to harmonize technical specifications of products and services making industry more efficient and breaking down barriers to international trade. Conformity to International Standards helps re-assure consumers that products are safe, efficient and good for the environment.
top 5 recommendations to secure SHE/IoT for vendors, providers, etc.
1. all stakeholders should reach a consensus on minimum security requirements 2. industry actors should support security-driven business models 3. all actors should contribute to raising security awareness 4. industry actors should develop security assessment methods or frameworks, policy makers should clarify the legal aspects of SHEs 5. industry research and publicly-funded initiatives should integrate cyber security in R&D projects related to smart home/IoT
top 5 recommendations to secure SHE/IoT for end-users
1. choose smart home devices securely (verify if all features are required/research the vendor's security measures) 2. operate smart home devices securely (change passwords of wifi and device & install updates) 3. use online services for smart home securely (use different passwords, control data exchange)
Evolution of cyber resilience
1. computer security 2. IT security 3. Information security 4. cyber security 5. cyber resilience
ISO 27k implementation steps
1. define information security policy
2. define scope of ISMS
3. perform a risk assessment
4. manage the identified risks
5. select controls to be implemented
6. implement controls
Framework for implementation of CSC
1. set up a core team (diversified, senior management, representatives from the wider organisation)
2. business understanding (consult with employees to identify beliefs, cultures and practices, and where business processes and security measures are not aligned)
3. define goal, success criteria and target audience (e.g. to deliver training differently)
4. calculate the "as-is" state for gap and result analysis (to quantify the impact of CSC activities)
5. select one or more activities (to close the gap)
6. run the selected activity (run activities individually if you want to quantify their impact)
7. re-run the as-is measurement and analyse the results
8. review and consider your results before deciding on the next action
ISO 27001 structure
4. context of the organisation
5. leadership & commitment
6. planning (plan)
7. support
8. implement & operate the ISMS (do)
9. monitor & review the ISMS (check)
10. maintain & improve the ISMS (act)
Attacks on availability
Denying access to data or systems, in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target's data and demands a ransom to decrypt it.
Botnets
Almost every cyber attack is conducted by the use of botnets (networks of infected devices, with a connection between the attacker's command server and the malware on each device)
Vision of CSC
shape security thinking of all staff, improving resilience against all cyber threats (esp. social engineering related) while avoiding imposing burdensome security steps that prevent staff from effectively performing their key business functions
culture
shared attitudes, values, beliefs, and customs of members of a social unit or organization
Use cases of blockchain technology
smart contracts, crypto currencies, verification of supply chain, safe storage of anonymised customer data, digital identity
SHE
smart home environment
Why can an email attachment be a potential cyber security risk?
the attachment can transmit malicious software
Power of IoT
Automating as much as possible
Cyber security Culture (CSC)
the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest in people's behaviour with information technologies
VUCA
volatility, uncertainty, complexity, ambiguity
Crypto trojan
Encryption trojans (also called "extortion trojans") are a specific family of malicious software (malware) that encrypts files on the victim's computer and on connected network drives (network shares), rendering them unusable for the victim. The ransomware then shows the victim a "lock screen" demanding that the victim pay a certain sum in Bitcoin (an internet currency) to the attackers so that the files are decrypted again.
CEO fraud
CEO fraud involves the impersonation of a senior company executive in order to divert payments for goods and services into a fraudulent bank account. Fraudsters will typically target a company's finance department, either via email or over the phone.
Espionage
Espionage or spying is the act of obtaining secret or confidential information without the permission of the holder of the information.
DDoS attack
Distributed Network Attacks are often referred to as Distributed Denial of Service (DDoS) attacks. This type of attack takes advantage of the specific capacity limits that apply to any network resource, such as the infrastructure that enables a company's website. The DDoS attack sends multiple requests to the attacked web resource with the aim of exceeding the website's capacity to handle multiple requests and preventing the website from functioning correctly.
ICT standards - why?
Governance and management of IT has become more complex and more crucial to enterprises. Effective IT governance and management is best enabled by adopting globally defined and proven standards and frameworks. Standards can help organizations to meet regulatory requirements.
CIS controls
IT Security leaders use CIS controls to quickly establish the protection providing the highest payoff in their organisations
Difference tangle and blockchain
Unlike a blockchain, which arranges the data in a temporally ordered structure, the tangle stores the data in a directed acyclic graph. This is done not by dedicated nodes but by every participant who wants to store a data set in the tangle. A new data set ("tip") is signed with the owner's private key, then the tangle connects it to two random tips. The algorithm checks those two tips; if they are correct, a hash puzzle ("proof of work") is solved over the two tips and the new tip, which is then added to the tangle.
Goal of CSC
Making information security considerations an integral part of an employee's job, habits and conduct, embedding them in their day-to-day actions
Hacktivism
Marriage of hacking and activism. It is the use of computer technology to achieve a political agenda through legally ambiguous means.
Should conditional access be based on IP address ranges?
No, IP address ranges can be easily manipulated and impersonated
Proof of work (PoW)
The PoW mechanism uses the solution of puzzles to prove the credibility of the data. The puzzle is usually a computationally hard but easily verifiable problem. When a node creates a block, it must solve a PoW puzzle. After the PoW puzzle is solved, the block is broadcast to other nodes in order to achieve consensus.
Mining
Processes:
- collect transactions and form a block
- check that the transactions are correct
- add the hash value of the last block
- calculate a hash value for the whole block (hash puzzle)
- add the block to the blockchain
ProtonMail
ProtonMail is an end-to-end encrypted email service founded in 2014 at the CERN research facility. ProtonMail uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers, unlike other common email providers.
asymmetric encryption
Public-private key encryption, where the public key is known to the public and the private key is not
MELANI
Reporting and Analysis Centre for Information Assurance
Attacks on integrity
Sabotage: corrupt, damage, or destroy information or systems, and the people who rely on them. Ranges from typos here and there to a slash-and-burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers.
SETA
Security Education, Training and Awareness
Getting started with CSC
Senior management support (and their budget) is absolutely key! Create a business case from three sources of evidence:
1. wider sector-based statistics on current cyber threats
2. evidence drawn from your cyber security team
3. self-controlled results of a pilot CSC intervention
Possible IoT devices
Smart bulb, fridge, tv, doors, camera, heating, washing machine, mobile
Social engineering
Social engineering is any act that influences a person to take an action that may or may not be in their best interest
Advantage of standards
Standards provide a common set of reference points to evaluate whether an organisation has controls in place (e.g. processes, procedures, manual activities) that meet an agreed minimum requirement. If an organisation is compliant with a certain standard, this gives third parties (e.g. customers, suppliers, partners) confidence in the organisation's ability to deliver to that standard, which can be a competitive advantage. If an organisation is not compliant with a standard and falls victim to a security breach, it could face potential lawsuits from the customers impacted by that breach.
attacks on confidentiality
Stealing, or rather copying, a target's personal information is how many cyber-attacks begin. - credit card fraud - identity theft - stealing bitcoin wallets
2FA
Two-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are. Must comprise two different authentication factors.
Defacements
Website defacement is an attack on a website that changes the visual appearance of a website or a web page. These are typically the work of defacers, who break into a web server and replace the hosted website with one of their own.
Who should use NIST?
While the Framework was designed with Critical Infrastructure (CI) in mind, it is extremely versatile and can be used by organizations regardless of sector or size. With built-in customization mechanisms (Tiers, Profiles, and Core are all modifiable), the Framework can be customized for use by any type of organization. Because the Framework is outcome driven and does not mandate how an organization must achieve those outcomes, it enables scalability. A small organization with a low cybersecurity budget, or a large corporation with a big budget, are each able to approach the outcome in a way that is feasible for them.
Hacking
activity of illegally using a computer to access information stored on another computer system or to spread a computer virus
definition cyber incident
an incident is an adverse event in an information system, including the adverse threat it poses to the information system owner
TTPs - tactics, techniques, and procedures
behaviour of an actor. A tactic is the highest-level description of this behaviour, while techniques give a more detailed description of behaviour in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique
blockchain 1.0-3.0
blockchain 1.0: bitcoin; blockchain 2.0: smart contracts; blockchain 3.0: decentralised autonomous organisation
cryptocurrency
digital currency/payment system
Cyber incident response planning
focuses on the detection of, response to, and recovery from a computer security incident or event
Security breach
identity theft (customer data)
Phishing scam
identity theft (personal data)
ISMS
information security management system
How to choose the right standard/framework
look at similar businesses, analyse what the company's needs are (risks, issues, etc.)
Smart contract
machine-readable code which contains legal obligations
Contingency planning
normally applied to information systems, and provides the steps needed to recover the operation of all or part of designated information systems at an existing or new location in an emergency
Continuity planning
normally applies to the mission/business itself; it concerns the ability to continue critical functions and processes during and after an emergency event
ISO27k compliance auditing
particular form of auditing with a very specific goal: to assess whether the audited organization is fulfilling the obligations laid down in ISO/IEC 27001 in respect of its ISMS.
Top IoT threats
personal data leakage, entering the house/physical theft, hijacking a device (domestic abuse), financial theft, manipulation of configuration settings for sensors, manipulation of configuration settings for actuators, DDoS using an IoT botnet, ransomware, injection of demands into a device