Cyber Security

BCS

British Computer Society lead the IT industry through its ethical challenges, to support people who work in industry & make IT good for society. ensure digital journey is safe and positive - raising standards of competence and conduct across the IT industry, tackling ethical challenges - supporting careers, share expertise, improving education, influencing practise, driving standards

ISO 22301

Business Continuity Management

Eradication

Removing malicious code, accounts, inappropriate access & remediating vulnerabilities that may have been cause of incident - remove root cause of incident

Legal

Response to attack Fines, penalties GDPR, ICO

Security controls that relate to people, process & technology

People - staff training, awareness, professional skills, qualifications, competent resources, specialised staff, strong passwords, access mgmt. policies (least privilege) Process - mgmt. systems, governance frameworks, audit, best practise, respond quickly to incidents, backups, incident response plan, prioritisation of assets Technology - monitoring (logs), device hardening, disable unused ports/applications, report, IDS/IPS, penetration testing, vulnerability scanning, AV/AM, firewall, biometrics

Risk

Probability of exposure or loss resulting from a cyber attack/data breach on your organisation - potential that given threat will exploit vulnerabilities or an asset or group of assets & cause harm to organisation - ISO 27002 - possibility that an incident may cause disruptions, damage or data loss - THREAT, LIKELIHOOD & IMPACT - threat X vulnerability

Proxy firewall

dual (2 interfaces), segments internal users from outside world, cache requests (increase speed), NAT (masks IP address - increase security)

Relationship between BCM & incident mgmt.?

Both have an end goal of allowing an organisation to go back to normal, carry out their normal daily tasks - incident mgmt. = mitigate impact/manage incident, business continuity = recover business operations - identification, containment, recovery - redundancy = BCM

BSI

British Standards Institute - product certification - e.g. CB, CCA, ENEC mark, CEN mark - personal training & certification - e.g. Quality ISO 9001:2015, Health & Safety ISO 45001, Information Security ISO/IEC 27001:2013 - consulting practises - e.g. cyber security & information & resilience - systems assessment - produces standards across wide variety of industry sectors - drive & control audit & review processes & practitioners

ISO/IEC 27002

Code of practice for information security controls - code of pratcise for information security mgmt Helps organisations consider what they need to put in place to meet requirements of 27001 Supports implementation of ISMS based on requirements of ISO 27001 Collection of information security guidelines to help organisation implement, maintain & improve its information security mgmt - recommendation for those that are responsible for selecting, implementing & managing info security

Information disclosure (privacy breach, data leak)

Not compliant with local & regulatory framework - e.g. GDPR - large fines - disclosure of personal/sensitive data (confidentiality - kept private, only see by authorised individuals but will be seen by unauthorised individuals) Attacker gains valuable information about a system & can use to their advantage Reputation damage - loss of business, financial damage/loss Identity theft - personal, sensitive data Disruption to business Exposing information to those not authorised to see it - confidentiality At rest, in transit * confidentiality

Timeline analysis data sources

o audit o event logs o file change timestamps and metadata - correlate activity (MTF, Inode) - incident response

Vulnerabilities examples

o buffer overflow o lack of encryption - cipher, key o lack of patch management o poor staff security awareness o weak passwords Misconfigured devices - e.g. traffic that should be blocked may be allowed through, allow malicious code to be displayed & downloaded from the internet, rogue AP used to capture traffic, credentials

Risk management process (5)

o identify hazards (hazard risks, operational risks, financial risks, strategic risks) - project risk register - impact, likelihood, level of risk, treatment, personnel, review date(ongoing database of risk), hazard = anything that may cause harm o assess hazards to determine risks - severity (prioritise), likelihood, impact on business goals, objective o develop control measures that eliminate hazard or reduce risk - benefits should outweigh cost o implement controls that eliminate hazards or reduce risks o evaluate effectiveness of controls & adjust/update as necessary - monitoring, enforce standards/controls, lessons learned ** identification, assessment, prioritisation of risk & mitigation, monitoring of risk (info assurance), depends on company's risk tolerance: industry, value of data, ability to recover ** identify & mitigate risk

IDS

passive, log, alert, e.g snort, spam filter, monitor incoming & outgoing traffic - spot known attack signatures or anomalies ○ Behaviour based - variations in behaviour ○ Signature based - attack signatures, audit trails, DB ○ Anomaly detection - learns what's 'normal', looks for deviations from baseline ○ Heuristics - algorithms to analyse traffic as it passes through

Benefits of timeline analysis

presents complex data in a more human friendly accessible format

Timeline analysis

process of collecting and analyzing event data to determine when and what has occurred on a filesystem for forensic purposes.

Emergent attack techniques, hazards, vulnerabilities

* constantly changing threat environment - changes in technology, social/economic situations, politics, attack methodologies - monitor info sources - news feeds, alerts, academic research, hacker forums - evaluate potential emergent attacks against known techniques ** financial gain (organised crime), political gain (APT, hacktivists, terrorists), kudos (script kiddies), economic competition, disgruntled employees

3 components of risk

* threat - cause of incident resulting in harm to system or organisation (ISO 27002) * likelihood * impact - result of info sec incident, caused by threat which affects assets (ISO 27005)

Non repudiation

Ensures that individual, entity or process cannot deny an action - system provides proof of action - e.g. receipt of message, authenticity of signature on document

General attack

No specific target

Packet filtering firewall

allow/block traffic based on port, no intelligence, easy to set up L3

How is a signature or correlation rule created in response to these events?

• intrusion events • malware events • abnormal user activity • traffic profile changes

COBIT

** Control Objectives for Information and Related Technology Framework created by ISACA (Information System Audit & Control Association) for IT governance & mgmt. - regulatory compliance, risk mgmt. & aligning IT strategy with organisational goals Ensures quality, control & reliability of information systems in an organisation Practise better risk mgmt. practises associated with IT processes Guarantees integrity of information system Information mgmt.. & governance Developing, implementing, monitoring & improving IT governance & mgmt. practises Set of controls to mitigate IT risk - planning & organisation, delivery & support, acquiring & implementation, monitoring & evaluation - meeting need of stakeholders - covering whole enterprise end to end - application of ingle integrated framework - ensure holistic approach to decision makig - separate governance from mgtm

BCM lifecycle

** ISO 22301 - impact analysis - Business Impact Analysis (critical & non critical organisational functions, determine effects of interruption to critical business operation due to disaster, accident or emergency, single points of failure removed), Threat & Risk Analysis (recovery steps) - solution design - identifies most cost effective disaster recovery solution that meets requirements from IRA stage - implementation - executing agreed strategies through process of developing BCP - testing & organisational acceptance - ensure it meets organisation's requirements - maintenance - ensures plans remain aligned with current business practises (confirmation of info - roll out to staff for awareness, training, testing & verification of technical solutions for recovery operations, testing & verification of recovery procedures)

Common causes of security incidents

** anything that may compromise security** - weak & stolen credentials (authentication) - use complex passwords, never share passwords - back doors - bypass normal security controls, patch mgmt & keep everything up to date - application vulnerabilities - exploited, importance of patch mgmt - malware - keylogger, ransomware, adware etc, exploit vulnerabilities - social engineering - gain access to credentials, sensitive/personal info, training/awareness, phishing, manipulation - inappropriate permissions granted/AC - root/admin, keep permissions at minimum for each user - insider threats - disgruntled employee, access to sensitive data - physical attacks - physical security of building - improper configuration - vulnerabilities, patches, user error - unpatched systems - unmanaged systems - insecure media, data storage - lack of user training/awareness - poorly coded software - physical breach, malware, data breach, DoS

Information security policy

** needed for information security - framework of policies & procedure inc all legal, physical & technical controls involved in organisation's risk mgmt. process - set of policies issued by an organisation to ensure all users comply with rules & guidelines related to security of info - protect assets - establish general approach to info security - protect reputation of company - legal, ethical responsibility - observe rights of customers to responding to queries concerning compliance - all data, programs, systems, facilities, user, third parties in organisations - CIA - rules & procedures for all users accessing & using organisation's assets & resources - hierarchical - apply differently to different members of organisation (e.g. higher members of staff have access to more sensitive info) - objectives, scope, goals, compliance, actions to be taken in event of non-compliance - risk assessment - increased accountability, awareness, efficiency - organisation's approach to IA - mgmt, awareness - how to deal with breaches - support of board & CEO

How can poor security mgmt. impact an organisation?

- attackers exploiting vulnerabilities - reputational damage - financial loss - disruption to business - failure to comply with regulations - e.g. GDPR (reputational damage, large fines, loss of business) - intellectual property is vulnerable - damaged intellectual property

Consequences of poor BCM

- business failure - financial loss - reputational damage - reduced productivity, disruption to business - non-compliance? - loss of data

Impact of poor information governance

- compromises ability of businesses to be more effective, productive, secure, compliant, profitable - data may get lost, become inaccessible - breaches, privacy - legal, compliance risks - reputational damage, fines - hackers get hold of personal/sensitive info

How to scope a response given the objectives for the system under threat

- critical assets - logging - IT infrastructure - technical expertise

How do audits & reviews contribute to effective security mgmt..?

- identify risks/vulnerabilities/weaknesses - put in place appropriate security measures to mitigate risk - increase security awareness - alter policies, standards if necessary - in depth analysis of internal/external IT practises & system - ensures effective mgmt. of information systems

How can risk assessment & management benefit an organisation?

- increases security of organisation - less disruption to business - increased awareness of employees - identify vulnerabilities in system - focus on ones that are critical & pose risk to most important assets - documentation - put in place security measures to eradicate vulnerabilities & strengthen security of organisation - understand financial risk or potential exploits - PII - improved decision making - development of new policies - ensure business is compliant with regulations & standards - e.g. GDPR

Penetration testing

- intrusive - evaluate security footprint of organisation - actively simulate attack to find weaknesses/vulnerabilities - verify, bypass, test, exploit - exploit vulnerabilities in system - ethical hackers - password cracking, buffer overflow, SQL injection - compromise & extract data from network - completed by experienced, technical individuals - MANUAL - conducted by 3rd party - objective - reports - description of attacks used, testing methodologies, suggestions for remediation - more accurate, rule out FP, time consuming (deep examination of network security), expensive - operate at application, network level or specific to function, assets, all infrastructure, applications - define scope based on risk & importance of asset - carry out after system changes made & at regular intervals - white box (prior knowledge, quality assurance), black box (no prior knowledge, simulated attack methods), grey box

How does security awareness & training provide benefits to maintenance of information security?

- less security breaches - educated staff increases compliance - increased knowledge & awareness, confidence - protect assets - security focused culture - regular training - prevent downtime - increased adoption of policies - protect company reputation - save time & money - recovering from an incident - improved defence against phishing, social engineering, whaling (target high level user - CEO)

Vulnerability scanning

- non-intrusive (no disruption) - can be performed with/without credentials - automated - passive - doesn't go beyond reporting vulnerabilities detected (staff's responsibility to patch, install security tools etc) - identify vulnerabilities, identify lack of security controls - patch/updates, unnecessary applications, weak authentication, insecure remote access, compliance with security policy & procedures - performed with penetration testing - observes & reports on findings - info on how to fix problem, baseline of current known vulnerabilities - doesn't take down systems, applications or services - identify known vulnerabilities/weaknesses in system that could be exploited - firewall, router, switch, server, applications - identify, assess, remediate - affordable, automatic, false positives, businesses manually check each vulnerability before testing again - can't find zero-day exploits - e.g. Nessus, retina, nmap, SAINT, QualysGuard, GFI LAN Guard, Microsoft Baseline Security Analyser - interprets results, identify common misconfigurations

Why is cyber security important to SME's & large cooperations?

- reputation of business - customers take business elsewhere - protection of sensitive/personal data/assets - PII, bank details, marketing plans - ensure compliance (acting in accordance with set of rules, regulation or policy) with local & regulatory framework (e.g. GDPR)\ - laws - DPA, regulations - GDPR - new threats that haven't been discovered yet, no security measures in place to protect against these - greater intelligence of hackers - communication - email (if compromised - large impact on productivity of business) - financial damage of cyber attacks - damage to 3rd party companies supplied or connected to - software, hardware, intellectual property - availability of hacking tools/programs - less skilled hackers - assist in overal mgmt of security within organisation - develop security strategy & goals

Processes to provide information assurance

- staff awareness/training - backups - configuration hardening (updates, unnecessary applications/services removed, patched)

Benefits of ISMS

- store info in all its forms - digital, paper based, cloud - increase attack resilience - reduce likelihood of data breach occurring - manage all info in 1 place - central framework - respond to evolving security threat - reduce costs associated with information security - risk assessment, analysis approach - protect confidentiality, integrity, availability of data - policies, procedures, technical & physical controls - improve company culture - employees understand risks & embrace security controls - down time decreases, no. of security incidents decreased, compliance - increase in customer satisfaction

Incident response stages

1. Preparation - identifying the start of an incident, how to recover, how to get everything back to normal, and creating established security policies, incident response plan, awareness/training, define role responsibilities, develop defence in depth strategies 2. Identification - Level 1 - Unauthorized Access Level 2 - Denial of Services Level 3 - Malicious Code Level 4 - Improper Usage Level 5 - Scans/Probes/Attempted Access Level 6 - Investigation Incident - level of impact, direct containment & mitigation efforts, analyse of event & log files from IDS, firewalls, routers, switches, directory servers 3. Containment - limit the scope and magnitude of the issue, Protecting and keeping available critical computing resources where possible, ensure it doesn't spread & affect other areas of the business, limit loss Determining the operational status of the infected computer, system or network (Disconnect system from the network and allow it to continue stand-alone operations, Shut down everything immediately, Continue to allow the system to run on the network & monitor activities) 4. Eradication - getting rid of the issue (running AV, uninstalling infected software, rebuilding OS, replacing HD, disable affected accounts, shut down ports/protocols), eliminate root cause of breach, updates, patch mgmt 5. Recovery - returning to normal functionality, backups 6. Lessons learned - +ves & -ves of response plan, identify gaps, increase preparedness - investigation? logging - impact assessment

Information security architecture

A design that addresses the needs & potential risk of a particular environment - relationship between components inside IT architecture & how they depend on eachother - architecture risk assessment - assets, likelihood & effect of vulnerabilities & threats - security architecture & design - of security services, facilitate business risk exposure objectives - implementation - security services & processes implemented, operated & controlled - operations & monitoring - security controls - protect information assets - understand fundamentals of how it relates to overall enterprise security architecture, business models, risk appetite - access to network resources & running of IT systems in support of business ** business requirements, risks to assets (critical), BIA, CIA of assets, laws/regulations/codes of practise that must be adhered to

Repudiation

Ability of a user or attacker to deny having performed an action or activity * non-repudiation (assurance that someone cannot deny something - e.g. authenticity of their signature on a document or sending of a message they originated) - reduce repudiation by carrying out audit logging

Purpose of the PASTA threat model

Align business & technical objectives, considering compliance issues & business analysis. Provide dynamic threat identification, enumeration & scoring process Detailed analysis of identified threats produced & appropriate security controls enumerated

Elevation of privilege

An attacker gains higher permissions than those initially granted - admin/root access rights & exploits vulnerabilities Spoofing user with higher privileges, tampering with the system to change their own privileges Gain capabilities without authorisation Take advantage of buffer overflow attack to gain root level privileges on system Steal sensitive data, disrupt operations, create backdoors for future attacks, run admin commands, deploy malware * authorisation - vertical - hacker takes over someone else's account (e.g. learn U & P), access functionality & data of another user - unauthorised access - horizontal - malicious user gains access to lower level account & uses it to gain higher level privileges, exploits vulnerabilities in system, escalation for standard users * patch mgmt to prevent - hardening

Hazard

Anything that proposes a threat to a computer's security, performance or functionality - e.g. IoT, ransomware - no body is to blame for occurrence - fire, flood, earthquake, storm etc

Fuzzing

Application attack application designers, testers, find bugs, hackers use to identify zero-day vulnerabilities (crash applications) - e.g. Kali Linux has fuzzing tools built in

DoS attack

Disruption to business - loss of productivity Financial loss Deny access to legitimate/intended users - unusable/unavailable - target system freezes/crashes - flood communication - remove legitimate traffic Temporarily or indefinitely disrupting services of a host connected to Internet Flood servers, systems, networks or services with traffic - overwhelm victim's resources & make it difficult or impossible for legitimate users to access them (unavailable - competitive advantage) Take advantage of vulnerability - patch Motivation = cause harm e.g. SYN flood, buffer overflow, smurf (ping - broadcast address), fraggle (UDP - broadcast), land (identical S&D), ping of death - reduction in network performance - accessing website - specific website unavailable - site cannot open or not found - inability to access website - websites inaccessible on network - high volume of email spam * availability - zombie, bot, botnet - malware that infects numerous systems controlled by hacker, bot master/herder, C2

Risk IT

End-to-end comprehensive view of all risks related to use of IT & risk mgmt. Framework based on set of guiding principles for effective mgmt.. of IT risk Complements COBIT Framework for enterprises to identify, govern & manage IT risk Enable enterprises to understand & manage all significant IT risk types - connects to business objectives - align mgmt. of IT related business risk with overall enterprise risk mgmt. (ERM) - balance cost & benefits of managing IT risk - promotes fair & open communication of IT risk - tolerance levels - continuous process ISACA

Confidentiality

Ensures info is kept private & only visible to individuals that are authorised to see it (restricts access to this group only) Access control (time of day, trusted OS), encryption, permissions, MFA, biometrics, VPN - assurance, availability, ID theft (sensitive/personal data) - store, in transit

Integrity

Ensures that data hasn't been altered by unauthorised parties Maintains consistency, accuracy & trustworthiness of data Hash - mathematical algorithm applied to file, folder or entire disk, verifies integrity - should be the same - unauthorised modification of data - assurance, confidentiality - non repudiation, encryption - access control, permissions - digital signature - transit

Availability

Ensuring that data is available so that when an authorised person needs to access it, they can access it easily - proposes risk or hazard if data is made available to users that aren't authorised to see it - links to confidentiality (supposed to be private) - unauthorised modification of data - ID theft - identity - backup, recovery - redundant systems - access control/permissions - VPN - hot/warm/cold sites, fire procedures - links to assurance - data not protected - server clusters

Security auditing

Evaluating security of a system (current security measures in place) & measuring performance against established criteria (e.g. security framework - ISO 27001) - identify risks - report - strong security, vulnerabilities - ensure security measures are up to date so incidents can be responded to as effectively as possible - routing security assets to ensure data & assets are protected - review policies & procedures - assess security of system's physical configuration & environment, software, information handling processes, user practises - determine regulatory compliance - improved patch mgmt., improved software, hardware configuration - internal/external

Stateful Packet Inspection firewall

Filters traffic based on the source or destination IP address, the protocol, and the source or destination port number but also looks at the context of the traffic to determine if the packet is supposed to be received at that point. - examines packet, state table, context/active connections, only packets from known active connections allowed - keeps packet table of every communication channel - tracks entire conversation - only packets from known active connections are allowed

How information security architecture interacts with other enterprise architectures

It is a continual process that should be reviewed constantly - security design constantly evolving

Information Security Management System

Help organisations manage their info security processes in line with best practises, while optimising costs 'A centrally managed framework for keeping an organisation's information safe' - set of policies & procedures for systematically managing organisation's sensitive data - minimise risk & ensure business continuity by limiting impact of security breach - describe & demonstrates organisation's approach to Information Security - applies to all organisations - policies, procedures & controls involving people, processes & technology to help organisations protect & manage all their data - compliance - systematic approach that includes people, processes, technology to help protect & manage organisation's info through effective risk mgmt. - CIA - compliance with laws - GDPR - ISO 27001 - international standard that provides specification for ISMS - requirements(suggestions for documentation, internal audits, continual improvement, corrective & preventative action)

Business Continuity Management

Holistic mgmt. process that identifies potential threats to an organisation & assess impacts to business operations & that provides framework for building organisational resilience with capability of an effective response that safeguards interests of its key stakeholders, reputation, brand, & value-creating activities. - having a plan in place to ensure that the business can function normally with as little disruption as possible - identify critical assets/activities & the risks - risk mgmt designed to address threat of disruptions to business activities/processes. - respond to & recover from threats as effectively & quickly as possible - working through disruption whereas disaster recovery is about resolving disruption - prevent impact on brand, image, reputation of organisation (confidence of customers) - prevents downtime - effectively & continually manage BCM risks & adopt integrated approach to managing business continuity - risk mgmt. - ensures compliance - resilience of organisation - mitigates financial risk - enable recovery of critical system within agreed timefrane - saves lives - fire, evacuation drills - address threat of disruptions to business activities/processes - disaster recovery takes over if business is disrupted

Risk assessment

Identify vulnerabilities (risks) in a system, analyse & evaluate risk associated with the vulnerability, determine appropriate ways to mitigate it (controls) - vulnerabilities quantified & prioritised based against current threat profile - exposure from threats, hazards - ISO 27001 - international standard that provides best practise for ISMS - identifies assets that could be affected by cyber attack/risk 1. establish risk mgmt framework - rules that govern how organisation will identify risk, who the risk will be assigned to and how the risks will impact the confidentiality, integrity and availability of the organisation's information. 2. identify risks that could affect CIA of information 3. impact & likelihood values assigned to each risk based on risk criteria. Impact types - human, financial, legal, regulatory, reputational,operational. Likelihood factors - freq of occurrence, previous occurrence, current levels of security control, size of attack group & knowledge of vulnerability. 4. evaluate/prioritise risks 5. risk treatment options - Avoid risk by ending activity or circumstance causing the risk. Modify risk by applying security controls to reduce likelihood or vulnerability. Sharing the risk, by insuring or outsourcing it. Although you would typically still suffer the impact, you can share the risk with someone better able to mitigate it. Retaining the risk if it falls within your risk acceptance criteria. - terminate risk - mitigate risk - accept risk

IAAC

Information Assurance Advisory Council - development of policy recommendations to government and corporate leaders - free workshops - address information assurance, ensure users feel confident when using digital products & services - govt., private sector, academia need to work together to address information assurance - create & maintain secure information society - drive & control audit & review processes & practitioners

ISSA

Information Systems Security Association International - drive & control audit & review processes & practitioners - not-for-profit, international organization of information security professionals and practitioners - provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members - promote secure digital world - global scale

IoT

Internet of Things - increased threat landscape - new technology - bugs, may not be properly secured - weak passwords - insufficient authentication - access to sensitive data - botnets

web application firewall

L7, analyse traffic to web server (specific rules), SQL injection attacks, SXX (Cross site scripting), forged HTTP requests, e.g. Cisco

Inode

Linux Entry in inode table, contains info (metadata) about regular file & directory Data structure on traditional Unix-style file system Stat etc/resolve.conf - display inode number of etc/resolve.conf file new file created - assigned inode number & file name - both stored as entry in directory

What is a correlation rule?

Logical expression that causes a system to take a specific action if an event occurs Set of conditions Combination of symptoms & causes

How to write a signature or correlation rule

Logical expression that causes the system to take a specific action if a particular event occurs - set of conditions - e.g. if user fails more than 3 login attempts on same computer within an hour, alert is triggered

Targeted attack

Malicious cyber attack targeted to specific individual, company, system or software - not widespread attacks - e.g. spear phishing - targeted at CEO of company, targeted phishing attack

Spoofing of user identity

Malicious party impersonates a device/user on network - e.g. brute forcing user's username & password Gain access to personal/sensitive info of the organisation - take advantage Spread malware, launch DoS attacks, capture credentials, take advantage of access rights, malicious host set up to capture user's credentials * authentication

Cross-site scripting (XSS)

Malicious scripts injected into trusted websites - injection attack Technique used to hijack sessions - non persistent (email, blog post - URLs) or persistent (server based - execute by visiting infected website) so attacker doesn't need to actively target user - User sent email containing malicious link, URL sent to legitimate site & malicious code which executes in victim's web browser, attacker could issue additional requests to legitimate server (e.g. Post data to other ports) - attacker can compromise user's interaction with application when malicious code executes - access personal/sensitive data Browser runs malicious code - served from a site it trusts - input validation - primary defence against XSS - fuzzing - identify vulnerabilities - client & server-side validation - client-side can be bypassed - exploits trust browser has in web server - identitu theft, financial loss, key logging - java script being injected

Information governance

Managing corporate info by implementing processes, roles, controls & metrics that treat info as a valuable business asset - continual monitoring & scrutiny of security by an approved external accreditation body - govt or approved body (e.g. BSI) ** relationship between information use & information security - mgmt of information at an organisation - make information assets available to those that need it, streamlining mgmt., reduce storage costs, ensure compliance - provide employees with data they can trust & easily access while making business decisions - good cyber security built on good information governance - organisation's technologies, policies, processes, controls & strategies implemented to optimise info in order to meet business needs, legal & industry regulations & minimise risk - know the data you possess, what form the data is in, why you have the data, where the data resides, how and by whom the data is used, and when and how the data will be destroyed.

Systematic attack

Method, organised, plan - e.g. Dos, DDoS

Harm

Negative outcome due to damaged caused by cyber threat

PASTA model

Process for Attack Stimulation & Threat Analysis ** focus on point of view of attacker ** define objectives, requirements, procedures for security operations ** scoring process ** goal = align business objectives with technical requirements while taking into account business impact analysis & compliance requirements. ** output = threat management, enumeration, and scoring. - define objectives - business objectives, security & compliance requirements, BIA - define technical scope - capture boundaries of technical env, infrastructure, applications - app decomposition - identify use cases - app entry points, actors, assets, services, roles, data sources - threat analysis - attack scenario analysis, threat intelligence correlation & analytics - vulnerability & weakness analysis - existing vulnerability reports, issues tracking, scorings, enumerations, threats to existing vulnerabilities - attack modelling - attack surface analysis, attack trees - risk & impact analysis - business impact, risk mitigation

Information assurance

Protecting against & managing risk related to use, storage & transmission of data & information systems Measures that protect & defend info by ensuring their: - availability, integrity, authentication, confidentiality, non-repudiation - measures include providing restoration of information systems by incorporating protection, detection & reaction capabilities - aka risk mgmt. when dealing with software & hardware

Containment

Return to normal functionality as quickly as possible whilst enabling analysis of attack & making plans for remediation - e.g. changing a password

Controls

Software, hardware, rules, or procedures that reduce or eliminate the threats to network security - procedural - administrative (laws, regulations - guidelines, policies, standards, practices, guidelines, procedures) - security policy, AU, password, remote access) - physical - guards, CCTV, signs, fencing, locks, alarms - technical - firewall, IDS/IPS, encryption, ACL, group policy, AV, network devices - preventative - deterrant - directive - detective - reactive - compensating

ISO/IEC 27001

Specification for ISMS - requirements (framework of policies/procedures that includes all legal, physical & technical controls involved in an organisation's information risk mgmt. processes) - define security policy, define scope of ISMS, conduct risk assessment, manage identified risk, select control objectives & controls to be implemented, prepare statement of applicability - manage & protect info asset - ensures compliance, protect all forms of information (digital, paper, cloud), reduce costs, increase attack resilience, respond to evolving security threats, improve company cuture - details of documentation, mgmt responsibility, internal audits, continual improvement, corrective & preventive action ** International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC)

STRIDE model

Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege ** focus on point of view of attacker ** Microsoft

Phishing attack

Steal personal/sensitive info/credentials - credit card numbers, DOB, address etc by email - non taregted, wide spread attack against network - spear phishing - targeted phishing campaign, looks like it comes from someone of position of authority in target company (CEO), inside information to make it more believable - smishing, vishing, social engineering, spoofing

Assurance

Steps involved to protect information systems - ensure data is kept confidential, available & not modified - positive acknowledgement to provide confidence - degree of confidence that security needs of system are satisfied - information security framework in place - ensure appropriate mechanisms in place to manage info & system assurance

SQL injection attack (SQLi)

Structured Query Language (modify SQL query that's passed to web application, SQL server etc), add code into data stream (bypass login screens, vulnerable websites return U/P with right SQL injection), cause application to 'throw' error & crash (attacker has remote access) - modify SQL requests - common SQL DB - MS SQL, MySQL, Oracle, PostgreSQL, DB2 - common NoSQL DB - big data, large unstructured data sets, MondoDB, CouchDB, Google BigTable - unexpected input into web applications to gain unauthrosied access to backend DB - exploits vulnerabilities in scripts between front end & back end DB - input validation - limit amount/type of data used in forms - limit account privileges - service accounts used by DB should have least amount of privilege

Threat models

Systematic and structured way to identify and mitigate security risks in our software - identify, communciate, understand threats & mitigations within context of protecting something of value - potential threats can be identified, enumerated & prioritised - plan & optimise network security operations - use when there is a change in the system's architecture, after security incident occurs, new vulnerabilities introduced, when architecture is ready - documentation provides system analyst & defenders with complete analysis of attackers profile & most likely attack vectors & assets most desired by attacker - description of what you're worried about, list of assumptions, list of potential threats to system, list of actions taken for each threat, validate models & threats, verification of success of actions taken

Exploit

Taking advantage of a vulnerability/weakness in the system - patches are issued

Exploitation

Taking advantage of vulnerabilities Identify weaknesses in system - patch mgmt. Penetration testing?

Internal/external threat

Threat - cause of incident that could cause harm to a computer system (ISO 27002) - undesirable consequence Internal - insider (admin access, remote access, shared resources/classification of resources, systems/applciations available), disgruntled employee, accidental/intentional External - malware, phishing, DoS, ransomware, script kiddies, hacktivists, organised crime, terrotists, APT, competitors - accidental, deliberate, hazard (natural disaster)

Tampering

Unauthorised modification of data - malicious In transit, at rest * integrity

UTM

Unified Threat Management NGFW All-in-one security appliance AV, IDS, Content/URL Filtering, Malware Detection, DLP File signature, heurestics/anomalous behaviour, sandboxing, virtualizing - advanced malware tools

Identity

User's given access to specific resources based on their access rights - role based access control (authorisation) - only given access to resources necessary for job role - property/proof of an individual or resource that can be used to uniquelt identify that individual or resource

VAST model

Visual, Agile & Simple Threat modelling - supports enterprise-wide scalability - Software Development Life Cycle - integrates into Agile software development methodology - discover, design, develop, test - automation, integration, collaboration - workflow diagrams to illustrate threats, assets, vulnerabilities, remediation tools - provides actionable outputs for unique need of stakeholders - application threat models use process flow diagrams - architectural point of view - operational threat models - created from attacker's point of view based on data flow diagram

Vulnerabilities

Weaknesses (of asset) that have the potential to be exploited by unauthorised individuals/hackers/attackers or threats - ISO 27002

MTF

Windows Master File Table Contains entries for every file & directory

Trike model

a risk-based approach with distinct implementation, threat, and risk models - open source - security auditing from perspective of risk mgmt. - acceptable level of risk defined to each asset class - asset, roles, application, risk exposure - spreadsheet, desktop application - real time analysis - model against flexible scenarios

IPS

active, takes action to prevent (e.g block IP address), false +ves block legitimate traffic - signature, anomaly, behaviour indicators ○ Analyzer - generates alerts, processes data collected from 1 or more sensors, looks for suspicious activity ○ Data source - raw data analysed - log files, audit logs, system logs, network traffic etc. ○ Event - indication that suspicious activity has occurred (trigger alert) - confirmed, event becomes incident Manager - IDS console - manage system ○ Notification - operator (user, admin) alerted to event/incident ○ Sensor - primary data collection point for IDS - react dynamically to threats - firewall works on fixed rule sets

Man in the Middle attack

attacker intercepts communication between 2 systems (e.g. Email, web surfing), eavesdropping, packet sniffing, packet capturing software (e.g. Wireshark), gain access to data being sent between 2 parties, exploits real time processing of transactions, conversations, transfer of data - redirects traffic then passes it to destination - ARP poisoning, DNS cache poisoning - session hijacking

ISO/IEC 27005

information security risk mgmt. standard - international standard that describes how to conduct information security risk assessment in accordance with requirements of ISO 27001 - risk mgmt - identify & assess risk, likelihood & impact, priority order for risk treatment, stakeholder involvement in risk mgmt decisions, effectiveness (monitoring), staff awareness of risk & action taken to mitigate - context establishment - how risks identified, who is responsible for risk ownership, how risks impact CIA of information, how risk impact 7 likelihood are calculated - risk assessment - info assets, identify threats & vulnerabilities, impact & likelihood, evaluate risk based on predetermined levels of acceptability, prioritisation of addressing of risks - risk treatment - avoid, modify, share, retain - risk acceptance - policies, goals, objectives, shareholder interests - risk communication - who is responsible for implementing risk mgmt - risk monitoring & review - input, action, implementation guidance, output

Firewall

isolate 1 network from another, hardware/software, standalone or integrated into equipment (router, switch), block traffic from entering network (corporate, home) Placed internally to segment 1 area from another (PCI Secure Zone, Accounting & Finance, R&D) - built into many OS's

How security architecture relates to business needs

• Does the nature of the business lead to specific security vulnerabilities? o e-commerce o child related (schools or colleges) - personal/sensitive data o confidential data related (medical, defence or judicial, gov departments) o social media • Does the security architecture provide obstacles to the main business activities? - disruption? • Will the current security architecture support future developments of the business? - expansion, more customers - big data - amount, speed of data, range of data types

Assets impacted by emerging threats & the impact to an organisation

• data - ID theft (personal/sensitive info), non-compliance, fines, reputational damage, financial loss, PCI • hardware - disruption • software - DDoS? • configuration settings • staff - lack of training/awareness?, phishing extracts info from people • buildings and infrastructure - disruption

Variety of methods for improving security awareness

• mandatory cyber awareness training • management leading by example • interactive materials; o gamification; o video; • multi vector approach; o posters; o blogs; o e-mail tips; o newsletters. ** not text messages

Examples of information security risks caused by poor security awareness

• principle of least privilege (POLP) not implemented - admin/root access rights by unauthorised user, minimum privileges for each user only so they can carry out their jobs, lower attack surface (limit malware propagation), privilege audit • poor password discipline - password cracking, brute force • account sharing - access to confidential/sensitive data • accessing of unsafe internet locations - virus/malware • installation of non-approved software - virus/malware

Indicators (signatures) of compromise

• virus signatures - AV software use virus signature to find virus in computer system (detect, quarantine & remove virus), unique string of bits, identify specific viruses • MD5 hashes (128 bit, 32 HD) or addresses of known malware - cryptographic hash of file (unique identifier of contents), compare MD5 hashes of known malware with 'potentially malicious' files • known domains or URLs of botnets - DDoS/DoS, zombies • unusual outbound (connected to internet) network traffic - suspicious traffic, may be malware communicating with C&C center • unusual privilege account use - attackers (privilege escalation) • DNS request anomalies - translate domain names to IP addresses, launching an attack • web traffic with unhuman behaviour • signs of DDoS activity - slow access to files, websites, excessive amount of spam email

Tools used in timeline analysis

▪ Log2timeline - generate forensic timelines from digital evidence, timestamps ▪ packet sniffers - intercept, log, analyse network traffic, identify root cause ▪ Plaso - python based, used by log2timeline to create timelines, collect timestamps for computer forensic analysis ▪ TimeFlow - analyse temporal data