
Chapter 1

Information security encompasses aspects like legal requirements, physical security, personnel security, IT security, incident management, business continuity, and supply chain security. It requires multiple layers of defense like perimeter firewalls, local machine firewalls, antivirus programs, and accurate data. The goals of information security are to protect confidentiality, integrity, and availability of information. It also aims to ensure compliance, reputation protection, commercial advantage, and avoid legal/financial losses. Common security concepts and standards include CIA triad, authentication, authorization, accounting, and defense in depth strategy.

Uploaded by

Ahmad Alaraby

CIS 687

Chapter 1
Information Security Management
Information Security
State of Cyber-attacks 2018
https://smallbiztrends.com

https://www.youtube.com/watch?v=7g0pi4J8auQ&start_radio=1&list=RD7g0pi4J8auQ&t=12

https://archive.org/details/Stuxnet

https://www.youtube.com/watch?v=lc7scxvKQOo

Rising Cybersecurity Threats, 2018
• The big rising threats for the year 2017 include:
• Ransomware – Computing devices are locked and encrypted, usually through a clicked link or installed malware.
• The users are threatened that, if they don't pay by a certain time, files will start to be deleted.
• Paying for the decryption key encourages ransomware artists to continue and funds the future activities of these adversaries, and it doesn't even guarantee that a key will be sent, or that a key, if sent, will even work.
• http://threatmap.fortiguard.com/
• https://cybermap.kaspersky.com/

Romantik Seehotel in Austria

3/6/2023
Phishing Attacks: Hillary Clinton's campaign got hacked

Defining Cybersecurity

• Cyber security is a great umbrella term referring to protecting the confidentiality, integrity, and availability of computing devices and networks, software, and, most importantly, data and information.

• Cyber security is achieved through procedures, products, and people.


Defining Cybersecurity

• Some like to think of cyber security as a subset of information security, a very general term which also deals with information stored physically, in addition to cyber security's purely digital form.

• Cyber security requires knowing who the hackers are, who the attackers are, what their motivations are, and where our vulnerabilities lie.
Check Your Understanding

• True or False: Insiders can do far greater damage than outsiders can.
• True
• False
• True or False: Information Security is a subset of cybersecurity.
• True
• False

Information Security
It encompasses all aspects of security:

• Legal Requirements
• Physical Security
• Personnel Security
• IT Security
• Incident Management
• Business Continuity
• Managing security in the supply chain
• Multiple layers of security are required
Defence in Depth

• L1 Network - Perimeter Firewall

• L2 Host - Local Machine Firewall

• L3 Application- Reputable AV Program

• L4 Data - Accurate Information


Why Protect Information?
• Financial loss

• Reputational loss

• Legal and regulatory compliance

• Best Practices and good business approach

• Commercial advantage

• Loss of life
Security Concepts and Standards
• Businesses must understand Information Security concepts and definitions
• Recognized security standards:
• ISO/IEC 27000:2014: Overview and vocabulary
• ISO/IEC 27001:2013: Information security management
• ISO/IEC 27002:2013: Code of practice for information security controls
• ISO/IEC 27005:2011: Information security risk management
• ISO is the International Standards Organisation
• IEC is the International Electrotechnical Commission, which prepares and publishes international standards for all electrical, electronic and related technologies
Basic Security Concepts
• Confidentiality – only authorized individuals can access data
• Integrity – data changes are tracked and properly controlled
• Availability – systems are accessible for business needs

Basic Security Concepts
• Physical security – protect people, equipment, and facilities
• Privacy – critical data is not released to the wrong people
• Marketplace perception – the way the company is perceived by customers, partners, and competitors


CIA Model: Confidentiality, Integrity, Availability
The Three Pillars of Information Security:

• Confidentiality – Information must not be made available or disclosed to unauthorised individuals, entities or processes (ISO 27001).
• Integrity – Safeguarding the accuracy and completeness of information. No modifications are made to data by unauthorized processes.
• Availability – Accessible and usable upon demand by an authorised entity.
Confidentiality Integrity Availability
• Cyber Attacks will always look to target CIA

• Confidentiality – Stealing Credit Cards

• Integrity – Deletion/modification of Data

• Availability – DDOS
Other Concepts
• Non-repudiation: the assurance that someone cannot deny something. [ISO 27000:2014]
• The ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
AAA Model
• Another important cybersecurity model is the AAA or triple A model,
• The first A refers to authentication, which is the process of proving you
are who you say you are. The second A refers to Authorization which
means that based on the user's credentials, we let him do certain things,
while the third A refers to Accounting, which refers to holding an
employee accountable for his wrongdoing.
• Authentication is a mechanism of verifying credentials and proving their
validity. Authentication systems or methods are based on one or more of
these five factors:
• Something you know, such as a password or PIN
• Something you have, such as a smart card, token, or identification device.
• Something you are, such as your fingerprints or retinal pattern (often called
biometrics)
• Something you do, such as an action you must take to complete authentication
• Somewhere you are (this is based on geolocation)
AAA or triple A model

• When you combine more than one of these categories, that's called a
multifactor authentication, and that really is the future of authentication.
• Multifactor authentication makes it really hard to authenticate as someone
else -- impersonating them.
• Because if a hacker steals your password, he'd also have to possess a small
card, or a key fob, with a code that rotates in parallel with code on the server
you're logging into. Or he'd need your iris, retina, or hand geometry.
• Using two passwords is not multifactor authentication because they both fall
under the same something you know category.

Authentication: Security Tokens
• The server has a real-time clock and a database of valid cards with the associated seed records. It authenticates a user by computing what number the token is supposed to be showing at that moment in time and checking this against what the user entered.
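The server-side check described on this slide, as an added example (not code from the original slides): the token and the server both derive a six-digit number from a shared seed and the current 30-second time step, and the server recomputes that number from its own clock and seed database before comparing it with what the user typed. The step length, digit count, card ids and seeds are constructed assumptions; the HMAC-over-time-step construction is the TOTP-style approach commonly used for such tokens, chosen here for illustration. The example also tolerates one step of clock drift and refuses a number that has already been accepted, two details a production implementation needs.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30      # assumed: the token shows a new number every 30 seconds
DIGITS = 6             # assumed: six-digit display

# Constructed server-side database: card id -> seed record shared with the token
CARD_SEEDS: Dict[str, bytes] = {
    "card-0001": b"constructed-seed-record-for-card-0001",
    "card-0002": b"constructed-seed-record-for-card-0002",
}

# Last time step accepted per card, so a number that was already used cannot be replayed
LAST_ACCEPTED_STEP: Dict[str, int] = {}


def token_code(seed: bytes, unix_time: int) -> str:
    """The number the token should be showing at unix_time.

    Token and server both derive it from the shared seed and the current
    30-second time step: HMAC-SHA1 over the step counter, dynamically
    truncated to six decimal digits (a TOTP-style construction).
    """
    step = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def authenticate(card_id: str, entered: str, now: Optional[int] = None,
                 drift_steps: int = 1) -> bool:
    """Server side: look up the card's seed, compute the expected number for the
    current step (tolerating drift_steps of clock drift either way), compare in
    constant time, and refuse any step that has already been accepted."""
    seed = CARD_SEEDS.get(card_id)
    if seed is None:
        return False                      # unknown card: never accept
    now = int(time.time()) if now is None else now
    current = now // STEP_SECONDS
    last = LAST_ACCEPTED_STEP.get(card_id, -1)
    for k in range(-drift_steps, drift_steps + 1):
        step = current + k
        if step <= last:
            continue                      # this step's number was already used: replay
        expected = token_code(seed, step * STEP_SECONDS)
        if hmac.compare_digest(expected, entered):
            LAST_ACCEPTED_STEP[card_id] = step
            return True
    return False


if __name__ == "__main__":
    t = 1_700_000_010
    code = token_code(CARD_SEEDS["card-0001"], t)
    print("token shows", code, "-> accepted:", authenticate("card-0001", code, now=t))
    print("same code again -> accepted:", authenticate("card-0001", code, now=t))
```

Because the server trusts its own clock rather than the token's, a stolen seed record is as damaging as a stolen card; the seed database deserves the same protection as the password store.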
Authentication: Biometrics
• Fingerprints
• 5-9 sec processing time
• Commonly used in law enforcement
• Iris scanners
• 2 sec processing time
• Difficult to replicate
• Voice recognition
• Facial recognition
• Non invasive data collection
• Currently used for Passports and National ID documents
Authentication: Single Factor
• Single-Factor-Authentication (SFA) is the most basic form of
authentication as only one type of authentication is checked
Authentication: Two Factor
• Two factor authentication uses two access methods as part of the
authentication process
2-Factor Authentication

Something you know    Something you have    Something you are
Username              USB Stick             Fingerprint
Password              Phone                 Iris
Pin Code              ID Card               Retina
Email address         Keys                  Facial recognition

2-Factor Authentication requires one item from two of the above categories, for example:

• Username + ID Card
• Fingerprint + USB Stick
• Password + Iris
• Pin Code + Keys
Authentication: Multi-factor
• In Multi-factor authentication systems, two or more access methods
are used as part of the authentication process
Authorization

• The user has gone through identification to say he is someone and authentication to prove it.
• Now what? Do we let him see anything he wants?
• Do we let him do anything he wants?
• Authorization means that based on the user's credentials, we let him do certain things,
• we let him see certain things but not others.

Authorization

• This is tied into the principle of least privilege, which states that users, and even devices, programs, and processes, should be granted enough permissions to do their required functions and not a single drop more.
• Any authorization beyond normal job functions opens the door for either accidental or malicious violations of confidentiality, integrity, and availability.
• This is specifically why the recommendation is to never use an administrator or root account on a system but rather an account with limited privileges.

Authorization

• Authorisation is all about assigning the authenticated user the correct set of permissions
• Read – Allows the user to read data
• Write – Allows the user to change the data
• Execute – Allows the user to execute (run) commands based on data
• Create – Allows the user to create new files
• Delete – Allows the user to delete data and files
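The permission types above and the least-privilege rule from the previous slide, combined in an added example (not code from the original slides). The users, roles, resources and access-control list are constructed; the two points it shows are that access is denied unless every requested permission was explicitly granted, and that a role's grant can be compared with what the job actually requires to find the "single drop more" that should be removed.

```python
from enum import Flag, auto
from typing import Dict


class Perm(Flag):
    """The permission types from the slide, as combinable bit flags."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    CREATE = auto()
    DELETE = auto()


ALL = Perm.READ | Perm.WRITE | Perm.EXECUTE | Perm.CREATE | Perm.DELETE

# Constructed directory: authenticated identity -> role (the person's job function)
USERS: Dict[str, str] = {"alice": "clerk", "bob": "reader", "carol": "operator", "root": "admin"}

# Constructed ACL: resource -> {role: permissions}. A role not listed for a
# resource gets nothing, i.e. deny by default.
ACL: Dict[str, Dict[str, Perm]] = {
    "orders.db": {
        "clerk": Perm.READ | Perm.WRITE | Perm.CREATE,
        "reader": Perm.READ,
        "admin": ALL,
    },
    "backup.sh": {
        "operator": Perm.READ | Perm.EXECUTE,
        "admin": ALL,
    },
}


def granted(user: str, resource: str) -> Perm:
    """Effective permissions of user on resource; NONE unless explicitly granted."""
    role = USERS.get(user)
    if role is None:
        return Perm.NONE
    return ACL.get(resource, {}).get(role, Perm.NONE)


def is_authorized(user: str, action: Perm, resource: str) -> bool:
    """True only if every bit of the requested action is in the granted set."""
    if action == Perm.NONE:
        return False
    return (action & granted(user, resource)) == action


def excess_privileges(user: str, resource: str, required: Perm) -> Perm:
    """Permissions granted beyond what the job requires: what least privilege
    says should be taken away. required is what the job function needs."""
    return Perm(granted(user, resource).value & ALL.value & ~required.value)


if __name__ == "__main__":
    print("alice write orders.db:", is_authorized("alice", Perm.WRITE, "orders.db"))
    print("alice delete orders.db:", is_authorized("alice", Perm.DELETE, "orders.db"))
    print("alice excess vs READ|WRITE:", excess_privileges("alice", "orders.db", Perm.READ | Perm.WRITE))
```

A periodic run of excess_privileges over every user and resource is a cheap access review; the slide's warning about using a root account for daily work is the same comparison with required set to what the day's task needs.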
Accounting

• The third A in the AAA model refers to accounting.
• Keeping track of users and their actions is very important.
• From a forensics perspective, tracing back the events leading up to a cybersecurity incident can prove very valuable to an investigation.
• Predicting what disgruntled employees might be up to, for example from a certain number of failed login attempts to a server they are not authorized to access, is made possible by accounting.
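The failed-login case from the last bullet, as an added example (not code from the original slides): a small detector that reads authentication records and flags a user who fails repeatedly, within a short window, against a server they are not authorized to use. The log format, the records, the authorization table and the threshold of three failures in five minutes are all constructed assumptions; the point is that accounting data only becomes useful when it is kept together with an authorization baseline to compare against.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Constructed record format: "<ISO timestamp> user=<name> host=<server> result=<success|failure>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$")

# Constructed authorization baseline: which servers each user is entitled to log on to
AUTHORIZED: Dict[str, Set[str]] = {
    "alice": {"hr-db"},
    "bob": {"web-01", "hr-db"},
    "carol": {"web-01"},
}

# Constructed sample audit log
LOG = """\
2023-03-06T08:01:10 user=alice host=hr-db result=success
2023-03-06T08:02:15 user=alice host=fin-db result=failure
2023-03-06T08:02:40 user=alice host=fin-db result=failure
2023-03-06T08:03:05 user=alice host=fin-db result=failure
2023-03-06T08:03:30 user=alice host=fin-db result=failure
2023-03-06T09:30:00 user=bob host=web-01 result=failure
2023-03-06T09:31:00 user=bob host=web-01 result=success
2023-03-06T11:15:00 user=carol host=fin-db result=failure
2023-03-06T14:00:00 user=alice host=fin-db result=failure
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, user, host, result), or None for a malformed record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["host"], m["result"]


def suspicious_failures(log_text: str, authorized: Dict[str, Set[str]],
                        threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[Tuple[str, str], int]:
    """Map (user, host) -> highest count of failures seen within `window` for users
    who failed at least `threshold` times against a host they are not authorized to use.
    Failures against an authorized host (a mistyped password) are ignored."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    flagged: Dict[Tuple[str, str], int] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, host, result = rec
        if result != "failure" or host in authorized.get(user, set()):
            continue
        q = recent[(user, host)]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[(user, host)] = max(flagged.get((user, host), 0), len(q))
    return flagged


if __name__ == "__main__":
    for (user, host), count in suspicious_failures(LOG, AUTHORIZED).items():
        print(f"{user} failed {count} times against unauthorized host {host}")
```

Records are processed in order and only the timestamps inside the window are retained, so the same logic runs unchanged over a live stream of events rather than a finished file.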
Assets
• An Asset is what you want to protect
• Anything in an organization considered as having a value [ISO 27001]. It
can be money, property, etc.
• Examples include:
• Hardware (computers, printers, USB memory sticks, buildings)
• Software (applications or computer programmes)
• Information
• Infrastructure
• Services
• People (including their qualifications, knowledge, skill and experience)
• Reputation (brand image)
Threat
• Any circumstance or event with the potential to adversely impact
organisational operations, via unauthorised access
• A potential cause of an incident that may result in harm to a system or
organisation. (ISO 27002)
• Examples
• Dishonest / malicious employees
• Viruses
• Environmental threats (e.g. floods)
Vulnerabilities
• A weakness of an asset that can be exploited by one or more threats(ISO 27002)
• Examples include:
• Software bugs
• Unlocked doors
• Untrained staff members

Vulnerabilities can exist across all elements of computer systems and organisations, including:
• Processes and procedures
• Personnel
• Physical environment
• Hardware
• Software
• Communications equipment
• Cryptographic systems
• Information system configurations
Classify each of the following into threats, vulnerabilities, and assets

• A default password
• TV
• Insider hacker
• A staff member
• Power cut
• Malware
• Hurricane
• Hacker
• Terrorism
• Secure door propped open
• Company secrets
• Lack of regular audits
• Unaware staff member
• Fraudster
• Simple password
• USB key on the floor
• Bomb
• Data loss
• Desk
• Insufficient testing
• Database
• Organisation
• Mobile app
• Insecure coding
• Hacktivist
• Inadequate security awareness
• Unpatched servers
Risks
• A function of threats exploiting vulnerabilities to obtain, damage, or destroy assets (ISO 27002).
• The effect of uncertainty on objectives (ISO 31000)

• Risk is not always negative; some risks can result in positive outcomes
• some high-risk ventures can lead to significant gains.
• Example: a hacker exploits a bug in database software, leading to
• loss of customer records / reputational damage / financial loss (impacts)
Probability

• Probability is the likelihood of a risk occurring; it can similarly be measured by quantitative or qualitative methods.
• For example, the quantitative probability of a flood occurring is 0.5 per year (if there was one flood every two years).
• Qualitative probability usually ranges across three or five different levels (rare, unlikely, possible, probable, highly likely); for example, the probability of a flood occurring may be unlikely.

Risk Description/Modeling
• Good practice suggests the following as the best way to describe a risk:
• There is a risk that… because of… resulting in…
• For example: There is a risk that ransomware infects computers because of improper patching, resulting in data being unavailable
Impact
• The result of an information security incident, caused by a threat, which affects assets (ISO 27005)

• Impact example
• DDOS attack prevents customer access to a website / Risk, Incident
• Customers are unable to complete orders, so take their business elsewhere / Impact
• Leads to financial loss / Impact
• It can be demonstrated in quantitative methods (represented usually in pounds or dollars); for example, server downtime led to £2,000 of business lost. Alternatively, it can be represented in qualitative methods, which usually range across three or five different levels (negligible, minor, moderate, significant or catastrophic); for example, the server downtime had a moderate impact.
Check your Understanding. From the following risk scenario, identify vulnerabilities, threats and impacts
• A company's ecommerce website is vulnerable to SQL injection () and is hacked by an attacker (), which resulted in the database becoming corrupted (); as a result the organisation was unable to send goods to customers (), and as a consequence the company had to spend significant money resolving the problem, impacting its financial bottom line for the quarter.
Incident
• If a Risk is the potential for something untoward to happen, an incident is
an event that has happened.
• For example:
• The potential that a computer becomes infected with a virus is a Risk
• The computer actually being infected is an incident
Impact and Risk
• In April 2013, a tweet from the Associated Press's Twitter feed sent shockwaves around the world
• In the immediate aftermath, the Dow Jones dropped 143.5 pts and the Standard & Poor's 500 Index lost more than $136 billion off its value
• The Syrian Electronic Army claimed responsibility, and the attack demonstrated the potential impact of unsecured social media profiles. AP claimed the attack came less than an hour after some staff had received an impressively disguised phishing email.
• The event, since referred to as a Hack Crash, demonstrates the need to better understand how social media data is linked to decision making in the private and public sector
Incident / Impact
Quantitative Risk Assessment
• Combining the impact and probability of specific risks allows them to be
prioritised in order for business leadership to decide which course of
action to take.
• Quantitative risk measurement is calculated by combining the figure
found for impact and probability:
• Risk = Impact x Probability
• Risk of flood = £2000 x 0.5 = £1000 per year
Qualitative Risk Assessment
• Qualitative risk measurement is usually represented on a matrix of
probability vs impact, which shows that events with a high probability and
high impact are classified as severe or critical, whilst those with a small
probability and minimal impact are classified as low.
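Both assessment methods from the two slides above, carried through in an added example (not code from the original slides). The quantitative part is exactly Risk = Impact x Probability, giving an expected loss per year that can rank risks; the qualitative part uses the five likelihood and five impact levels named on the Probability and Impact slides and maps their position on the matrix to low/medium/high/critical. The score bands and the sample risks are constructed assumptions; organisations choose their own matrix thresholds.

```python
from typing import List, Tuple

# Levels from the Probability and Impact slides, in increasing order
LIKELIHOOD_LEVELS = ["rare", "unlikely", "possible", "probable", "highly likely"]
IMPACT_LEVELS = ["negligible", "minor", "moderate", "significant", "catastrophic"]


def quantitative_risk(impact: float, probability_per_year: float) -> float:
    """Risk = Impact x Probability: expected loss per year in the impact's currency."""
    if probability_per_year < 0:
        raise ValueError("probability per year cannot be negative")
    return impact * probability_per_year


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Position on a 5x5 probability-vs-impact matrix, mapped to a rating.
    The score bands (constructed) put high-likelihood, high-impact events in
    the critical corner and rare, negligible ones in the low corner."""
    row = LIKELIHOOD_LEVELS.index(likelihood) + 1      # raises ValueError on unknown level
    col = IMPACT_LEVELS.index(impact) + 1
    score = row * col                                  # 1 .. 25
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(risks: List[Tuple[str, float, float]]) -> List[str]:
    """risks: (name, impact, probability per year). Names ordered by expected
    annual loss, highest first, which is the order leadership should look at them."""
    scored = [(name, quantitative_risk(impact, prob)) for name, impact, prob in risks]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [name for name, _ in scored]


if __name__ == "__main__":
    # Constructed register; the flood figures are the slide's own example
    register = [("flood", 2000.0, 0.5), ("ransomware", 50000.0, 0.1), ("laptop theft", 1500.0, 2.0)]
    for name in prioritise(register):
        print(name)
    print(qualitative_risk("highly likely", "catastrophic"))
```

Note that a probability above 1 per year is legitimate in the quantitative form: it means the event is expected more than once a year, and the expected loss scales accordingly.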
Information Security Controls
• Activities that are undertaken to manage risks.
• Controls are used to manage risks, and are described as risk treatment. There
are four options when it comes to treating (also known as managing) a risk, and
these are:
• Eliminate (also known as Terminate/Avoid)
• Reduce
• Transfer
• Accept (also known as Tolerate)

• “ignore the risk” is not one of the options provided, but a methodology
practised by many organisations. This is similar to, but should not be confused
with risk acceptance.
Risk Treatment: Eliminate

• Risk Avoidance / Termination – Decision not to be involved in, or action to withdraw from, a risk situation (ISO Guide 73)
• This is where a decision is taken to entirely remove the risk.
• This might be through changing business processes or operations.
• One example could be where offices are located in an area with a high risk of flooding; it may be more effective to relocate these offices to an area where this risk does not exist.
Risk Treatment: Reduce
• Risk Reduction / Mitigation – Action taken to lessen the probability, negative consequences, or both, associated with a risk (ISO Guide 73)
• Actions that can be taken to lessen impact or likelihood and
ultimately reduce the risk to a level deemed acceptable by the
organization.
• An organization might identify a high risk of unauthorized access onto
their systems, due to weak password strengths.
• The organization might reduce/mitigate this risk through the
introduction of a strong password complexity scheme or the use of
multi-factor authentication.
Risk Treatment: Transfer
• Risk Transfer – Sharing with another party the burden of loss, or
benefit of gain, for a risk (ISO Guide 73)
• Risk Transfer, sometimes known as Risk Sharing is where risk is passed
to a Third Party, often through outsourcing.
• Organizations might use insurance policies to cover the financial
consequences of risk.
• Another example could be outsourcing the monitoring of computer
systems to a Third Party. The Third Party will watch for suspicious
activity and respond to attacks before damage is inflicted.
Risk Treatment: Accept
• Risk Acceptance – Decision to accept a risk (ISO Guide 73)
• Having suitably assessed the risk, an authorized manager or director may take a decision to accept it.
• This may be because the risk is inherent to the organization's key business processes. This must be an informed decision that considers the level of risk against the organization's risk tolerance.
• When using the other three risk options, there is almost always an element of residual risk that must be accepted; risk acceptance is not a failure but an informed decision, which is what differentiates it from ignoring the risk.
Identity, Authentication and Authorisation Concepts
• Identity is defined as: The properties of an individual or resource that
can be used to identify, uniquely, one individual or resource.
• When logging onto a computer system, users will typically use a
username. This is the identity by which the system can account for
your actions.
• System processes are also given unique names (identities) to enable
the system to monitor which processes are performing which actions.
Authentication
• Authentication is defined as: Ensuring that the identity of a subject or
resource is the one claimed (BCS, Information Security Management
Principles)
• This could be done by
• Asking questions or
• Requesting passwords
• The use of tokens
• Biometric characteristics
• Or any combination of these (multi-factor authentication).
• Different types: user authentication, device authentication
• User authentication – a user logging on to a system with a username and
password (the password provides authentication, the username is
identification).
• Device authentication – a smart card being authenticated to a card reader.
Attacks Against Passwords
• Brute force attacks
• Dictionary attacks
• Rainbow table attacks
• Social Engineering Passwords
Password Attacks
• Brute Force Attack: Attempts to determine a password by trying every possible combination. It is extremely slow but comprehensive and exhaustive.
• Dictionary Attack: Typically a guessing attack which uses a precompiled list of options rather than trying every possible option. The attackers generally have files containing words (with the most common passwords at the top) and their possible versions, e.g. password, Password, P4$$w0rd, P4$5word etc. Alternatively they have a standard dictionary and use software to generate permutations of the words in the dictionary.
• Rainbow Table Attack: A rainbow table attack is a method that aims at guessing the plain text of the password from the hashed value. This is achieved by hashing a wide range of possible values and saving them along with the password that generated each value. The hashes in the table are compared to the hash of the password. When the matching hash is found the attacker simply reads the matching password from the table.
• These are defeated via salting, a technique that adds a random "salt" to each password; the salt is stored in cleartext along with the hashed password. The purpose of the salt is to make an attacker's tables less useful when generated in advance, because the salt can be proportionally very long.
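Why salting defeats a precomputed table, shown in an added example (not code from the original slides). The first half builds a lookup table of hashes for the slide's own sample passwords and finds an unsalted hash in it immediately; the second half stores each password with a random 16-byte salt in the clear beside a salted, iterated hash, so the same table finds nothing and verification must recompute the hash with the stored salt. The candidate list is constructed; PBKDF2-HMAC-SHA256 from the standard library is used as the salted hash, and the iteration count is an assumption chosen to keep the example quick.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000     # assumed work factor; production values are tuned to the hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme a precomputed table attacks: one deterministic hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> password for a candidate list (what a table attack prepares in advance)."""
    return {unsalted_hash(c): c for c in candidates}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Recover the password from a stored hash if it is in the table, else None."""
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The salt is random per password and stored in
    the clear, separated by '$', because the verifier needs it back."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed candidate list: the slide's dictionary-attack examples
    table = build_lookup_table(["password", "Password", "P4$$w0rd", "P4$5word"])
    print("unsalted store cracked:", lookup(table, unsalted_hash("P4$$w0rd")))
    stored = hash_password("P4$$w0rd")
    print("salted store cracked:", lookup(table, stored.split("$", 1)[1]))
    print("verify correct password:", verify_password("P4$$w0rd", stored))
```

The salt does not stop an attacker from guessing each password individually; it stops one table from serving every account at once, and the iteration count then makes each individual guess expensive.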
Strong Password Policy
• There are a number of rules which a password policy should include:
• Complexity
• Minimum length
• Password history
• Maximum password age
• Minimum password age
• Account lockout
• Writing passwords down
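The rules listed above, turned into a checker in an added example (not code from the original slides). Every rule except "writing passwords down" is something a system can enforce at password-change or logon time, and the example returns the list of rules a candidate password violates rather than a bare yes/no, so the user can be told what to fix. The threshold values and the sample history are constructed assumptions; the salted SHA-256 used for the history list is a deliberate simplification for the comparison and is not a recommendation for how to store live passwords.

```python
import hashlib
from datetime import date
from typing import Dict, List, Optional

# Constructed policy thresholds; real values are set by the organisation
POLICY: Dict[str, int] = {
    "min_length": 12,
    "char_classes": 3,        # of lower, upper, digit, symbol
    "history_size": 5,        # most recent passwords that may not be reused
    "max_age_days": 90,
    "min_age_days": 1,        # stops cycling through the history in one sitting
    "lockout_threshold": 5,   # consecutive failed logons
}


def history_digest(password: str, salt: bytes) -> str:
    """Digest kept in the history list (simplified salted SHA-256 for the example)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def char_classes(password: str) -> int:
    """How many of the four character classes the password draws from."""
    checks = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(checks)


def check_new_password(candidate: str, history: List[str], salt: bytes,
                       last_changed: Optional[date], today: date,
                       policy: Dict[str, int] = POLICY) -> List[str]:
    """Names of the policy rules the candidate violates; empty list means acceptable."""
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append("min_length")
    if char_classes(candidate) < policy["char_classes"]:
        violations.append("complexity")
    if history_digest(candidate, salt) in history[-policy["history_size"]:]:
        violations.append("history")
    if last_changed is not None and (today - last_changed).days < policy["min_age_days"]:
        violations.append("min_age")
    return violations


def password_expired(last_changed: date, today: date, policy: Dict[str, int] = POLICY) -> bool:
    """Maximum password age: the user must be made to change it."""
    return (today - last_changed).days > policy["max_age_days"]


def is_locked_out(consecutive_failures: int, policy: Dict[str, int] = POLICY) -> bool:
    """Account lockout after too many consecutive failed logons."""
    return consecutive_failures >= policy["lockout_threshold"]


if __name__ == "__main__":
    salt = b"constructed-salt"
    history = [history_digest(p, salt) for p in ["OldPassw0rd!1", "OldPassw0rd!2"]]
    today = date(2023, 3, 6)
    print(check_new_password("short", history, salt, date(2023, 1, 1), today))
    print(check_new_password("OldPassw0rd!1", history, salt, date(2023, 1, 1), today))
    print(check_new_password("Fresh-Passw0rd!", history, salt, date(2023, 1, 1), today))
```

The minimum-age rule is the one most often left out: without it, a user can change the password six times in a row and land back on the original, making the history rule ineffective.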
