9 Cybersecurity

This module covers the fundamentals of information security and cybersecurity, including the CIA triad (Confidentiality, Integrity, Availability) and the NIST Cybersecurity Framework. It discusses various types of cyber threats, common attack methods, and the importance of risk assessment and management in protecting organizational assets. Additionally, it emphasizes the need for a balanced approach to security that maintains productivity while safeguarding sensitive information.


Skills developed through this module: (STANDARD SLIDE)

Lecture

Dr. Dimple R Thadani


With slides adapted from Prof Samson Tai
2
Outline of the Lesson

■ What is information security and cyber security?
■ What are the objectives of information security using the CIA triad?
■ What is the NIST Cybersecurity Framework?
■ Common Cybersecurity Attacks and Protection

3
What is Information Security?
Information security is the practice of protecting information by identifying, assessing, and implementing controls to mitigate information risks.

Information Security: focuses on the value of the information, not just on the method used to protect it.

Physical Security: securing physical assets and infrastructure from physical threats such as theft, vandalism, fire, and natural disasters.

Cybersecurity: protection of information systems, networks, and digital assets from cyber threats.

The goal of information security is to ensure the confidentiality, integrity, and availability of information assets and to minimize the potential impact of security incidents or breaches.
4
Information Security is defined as “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.”

9
CIA Triad is a widely recognized model in information security
that stands for Confidentiality, Integrity, and Availability.

The CIA Triad serves as a foundation for designing and implementing security
measures to protect information assets and maintain the overall security of an
organization.
10
Balancing Information Security and Convenience

Information security aims to protect data confidentiality, integrity, and availability (CIA Triad) while minimizing the impact on organizational productivity.

Striking the right balance between security and productivity is essential for maintaining a secure and efficient environment for an organization's data and operations.

Security Model

11
Information security professionals use the CIA Triad model to develop effective information security policies in organizations.

Which is more important?

• Hospital records
• Purchase record of a McDonald's burger
• Personal blog

How would a loss of Confidentiality, Integrity, and Availability impact an organization for each asset it has?

12
Information Security Objective

■ Assess the impact of a breach on Confidentiality, Integrity, and Availability for each information asset using a scale of 1-5.
– Low consequence: no noticeable disruption to your daily life. (rating = 1)
– Medium consequence: a minor impact, resulting in a few hours of lost time. (rating = 3)
– High consequence: a life-changing, massive impact that could extend over months or even years. (rating = 5)

• Values are computed to prioritize assets and determine protection strategies.

13
Organizations regularly assess the potential consequences of experiencing a breach of their assets.

■ How would a loss of Confidentiality, Integrity, and Availability impact you for each asset? (1-5 scale)

Asset                  Confidentiality   Integrity   Availability   Total
Personal Bank Account
Photo Library
Social Media Account
Mobile Phone

• Implement varying protection strategies based on the asset's value.

14
Risk Valuation
Not all risks are treated equally. Some risks require immediate action, while others can be overlooked depending on how likely they are to happen and how serious the consequences would be if they did. The value of a risk is calculated as:

Risk value = Consequence x Likelihood

• The consequence is the impact and associated damages.
• Likelihood is how often the risk impact occurs.

The likelihood of an organization being attacked depends on three attributes as follows:

Likelihood = Adversary capability x Adversary motivation x Vulnerability severity

• An adversary refers to an entity with the intention of compromising an information system.
• Vulnerabilities, on the other hand, are potential weaknesses inherent within a system. For example, a vulnerability could manifest as a webpage that fails to authenticate a user accurately.
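A worked version of the two formulas above, added here as an example and not part of the lecture slides: each asset gets the slides' 1/3/5 consequence rating per CIA property, a likelihood from the three adversary and vulnerability attributes (assumed here to use the same 1-5 scale), and the assets are ranked by Risk value. Asset names, ratings and the treatment threshold are constructed sample values.

```python
# Added example: rank information assets with the slides' formulas
#   Risk value = Consequence x Likelihood
#   Likelihood = Adversary capability x Adversary motivation x Vulnerability severity
# All ratings below are constructed; the 1-5 scale for the likelihood
# attributes is an assumption, the slides only give it for consequence.
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 3, 5  # consequence ratings from the slides


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # impact if confidentiality is lost, 1-5
    integrity: int        # impact if integrity is lost, 1-5
    availability: int     # impact if availability is lost, 1-5
    capability: int       # adversary capability, 1-5 (assumed scale)
    motivation: int       # adversary motivation, 1-5 (assumed scale)
    severity: int         # vulnerability severity, 1-5 (assumed scale)

    def consequence(self) -> int:
        # Total CIA impact, the "Total" column of the asset table (max 15)
        return self.confidentiality + self.integrity + self.availability

    def likelihood(self) -> int:
        return self.capability * self.motivation * self.severity

    def risk_value(self) -> int:
        return self.consequence() * self.likelihood()


def rank_assets(assets):
    """Assets ordered from highest to lowest risk value."""
    return sorted(assets, key=lambda a: a.risk_value(), reverse=True)


def protection_strategy(asset: Asset, threshold: int) -> str:
    """Constructed decision rule: risks at or above the threshold are
    treated now, the rest are accepted and monitored."""
    return "treat now" if asset.risk_value() >= threshold else "accept and monitor"


# Constructed sample ratings for the four assets named on the slide
SAMPLE_ASSETS = [
    Asset("Personal Bank Account", HIGH, HIGH, MEDIUM, 3, 5, 3),
    Asset("Photo Library", MEDIUM, LOW, LOW, 1, 1, 3),
    Asset("Social Media Account", MEDIUM, MEDIUM, LOW, 3, 3, 3),
    Asset("Mobile Phone", HIGH, MEDIUM, HIGH, 3, 3, 1),
]

if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        print(f"{a.name:22} C={a.consequence():2} L={a.likelihood():3} "
              f"risk={a.risk_value():4} -> {protection_strategy(a, 100)}")
```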

15
What motivates a cyberattack?

16
Types of Hackers

Vary substantially in motivation, resources, and techniques.

■ Script Kiddie
■ Hacktivist
■ Criminal Gang
■ Nation-State Hacker
■ Malicious Insider

Cyberspace is a fifth space of conflict.


17
White Hat Attackers

■ Ethical attackers
– Use their skills for good
■ Ethical hacking finds security vulnerabilities
■ Have a real hacker mindset and use the same hacking methods as real-life attackers

Ethical hacking is also known as Penetration Testing, Intrusion Testing, or Red Teaming.

18
Penetration Testing

■ Discover vulnerabilities in networks, systems, outdated software, applications, data, human resources, and physical assets
■ Black box, white box, and gray box penetration testing
■ Sample pentest report:
– https://purplesec.us/wp-content/uploads/2019/12/Sample-Penetration-Test-Report-PurpleSec.pdf
■ Do it regularly and use different providers

Source: https://purplesec.us/types-penetration-testing/
19
Common Cyber Attack Methods

20
Most Common Attacks in Cyber Security

■ DoS/DDoS
■ Malware attack
■ Man in the Middle
■ Phishing
■ DNS attack
■ Password attack
■ Eavesdropping Attack
■ SQL injection attack
■ Social Engineering attack

21
DoS Attack

■ A DoS attack is any attack that makes your website or application unavailable to users, such as by flooding it with network traffic
■ Ties up bandwidth or other system resources

■ Example:
– An attacker could send a maliciously formatted file to a server that causes it to overload. An example of this is a billion laughs attack, in which an XML file references itself, expanding to a considerably larger file.
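The server-side guard against the billion laughs file described above, added here as an example and not part of the lecture slides: the parser refuses any document that declares a DTD or entity, and a separate check estimates how large the declared entities would expand to. The sample documents and the `laughs_doc` builder are constructed for the demonstration; only Python's standard library is used.

```python
# Added example: reject entity-expanding XML before a server parses it.
# Sample documents are constructed; a real service would run the guard on uploads.
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


class UnsafeXML(ValueError):
    """Raised when a document tries to declare a DTD or entities."""


def expansion_size(xml_text: str) -> int:
    """Largest size in characters that any declared internal entity expands to."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    memo = {}

    def size(name: str) -> int:
        if name not in memo:
            value = decls.get(name, "")
            total = len(ENTITY_REF.sub("", value))          # literal text
            total += sum(size(ref) for ref in ENTITY_REF.findall(value))  # nested refs
            memo[name] = total
        return memo[name]

    return max((size(n) for n in decls), default=0)


def parse_without_dtd(xml_text: str) -> ET.Element:
    """Parse XML, raising UnsafeXML if the document contains a DOCTYPE or entity."""
    p = xml.parsers.expat.ParserCreate()

    def refuse(*_args):
        raise UnsafeXML("DOCTYPE and entity declarations are not accepted")

    p.StartDoctypeDeclHandler = refuse   # fires before any entity is expanded
    p.EntityDeclHandler = refuse
    p.Parse(xml_text, True)              # first pass only checks for DTD content
    return ET.fromstring(xml_text)


def is_accepted(xml_text: str) -> bool:
    try:
        parse_without_dtd(xml_text)
    except UnsafeXML:
        return False
    return True


def laughs_doc(levels: int, fanout: int) -> str:
    """Constructed document in the pattern the slide describes: each entity
    references the previous level `fanout` times."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return f'<?xml version="1.0"?><!DOCTYPE x [{"".join(decls)}]><x>&lol{levels};</x>'


SAFE_DOC = '<?xml version="1.0"?><order><item sku="constructed-1"/></order>'
```

With nine levels and a fanout of ten, `expansion_size(laughs_doc(9, 10))` reports three billion characters for a file of under a kilobyte, which is the disproportion the attack relies on.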

22
Distributed denial of service (DDoS) attack

■ A DDoS attack is a DoS attack that comes from more than one source at the
same time.
■ The machines used in such attacks have been previously infected (botnet)
with malicious software and remotely controlled by the attacker.

■ Example:
– An attacker could send a large number of page requests to a web server in a
short space of time, overloading it. A similar impact is observed with ticket
sales websites where a spike in user demand can overload systems.

23
Distributed denial of service (DDoS) attack

A botnet is a group of computer systems, anywhere in the world, that has been infected by a malicious piece of software. The software allows these computers to be networked together by a hacker. The hacker gains full control of all the bots in the network and can conduct malicious tasks.
24
Phishing attack
■ Attempting to trick people into revealing sensitive
information, such as passwords and credit card numbers,
often by using fraudulent emails or fake websites that look
like they’re from trusted organizations.

■ Example:
– An attacker could send an email with a file attachment or a
link to a fake website that loads malware onto a target's
computer.
25
SQL Injection

SQL injection attacks target the underlying database
• Read sensitive data or modify the database
26
Malware
■ Malware is any software designed to cause disruption to a
computer, server, client, or computer network, leak private
information, gain unauthorized access to information or
systems, or deprive access to information, without the
user's informed consent.

■ EXAMPLE
– Keyloggers - captures a victim's keystrokes
– Ransomware - which holds a victim's files captive in
exchange for a ransom payment

27
Ransomware

■ Prevents people from accessing files on their computer
■ Ransomware typically encrypts files and requests that a “ransom” be paid in order to have the files decrypted.

28
Man in the middle (MitM) attack

■ An attacker intercepts messages between a user and a website in order to observe and record transactions.

■ Example:
– An attacker could set up a "free" WiFi hot spot in a popular public location.
– Anyone who connects to that WiFi network could have their communications examined by the attacker, who can also redirect victims to fake log-in screens or insert advertisements over webpages.

29
Domain name system (DNS) attack

30
DNS Spoofing (DNS poisoning)

[Figure: a resolver's Domain / IP Address table. hkbu.edu.hk appears with two addresses, 88.91.101.11 and 158.182.0.81; cityu.edu.hk maps to 144.214.4.184; the client is labelled HKBU.]

31
Social Engineering
■ Humans trust, even when they shouldn’t
■ Humans want to help, even when they shouldn’t
■ Humans are busy!

Source: http://okapp.blogspot.com/2019/08/social-engineering.html
32
33
Suppose you are the CISO in an enterprise,
what should you do to protect your
company’s I/T assets against cyber attack?

34
Who needs to be involved for Cybersecurity?

Successful companies establish cross-functional teams for effective cybersecurity initiatives. It is recommended to involve various functions and assign specific roles to ensure the achievement of milestones.

Source: IT Roadmap for Cybersecurity, Gartner


35
Cybersecurity Framework (CSF)

The NIST CSF aids businesses in developing and enhancing their cybersecurity programs. The CSF comprises three main components.

NIST: National Institute of Standards and Technology
CSF: Cybersecurity Framework
37
Cybersecurity Framework (CSF)

■ Core
– Provides a set of cybersecurity activities and outcomes
– Includes five functions: Identify, Protect, Detect, Respond, and
Recover
■ Profile
– Align the NIST CSF standard and practice with the
organization’s specific business requirements and risk tolerance
– Represent desired cybersecurity outcomes and activities
selected from the Core
■ Implementation Tiers
– Help assess the maturity of an organization's cybersecurity
program
– Four tiers: Partial, Risk Informed, Repeatable, and Adaptive

38
Framework Core
■ The core includes five functions: Identify, Protect, Detect, Respond, and Recover, which represent different aspects of a comprehensive cybersecurity program.
■ Each function provides common cybersecurity activities and outcomes that organizations aim to achieve.

39
The Identify Function

The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities.

Example Outcomes:
• Identifying physical and software assets to establish an Asset Management program
• Identifying cybersecurity policies to define a Governance program
• Identifying a Risk Management Strategy for the organization

40
The Protect Function

The Protect Function supports the ability to limit or contain the impact of potential cybersecurity events and outlines safeguards for delivery of critical services.

Example Outcomes:
• Establishing Data Security protection to protect confidentiality, integrity, and availability
• Managing Protective Technology to ensure the security and resilience of systems and assets
• Empowering staff within the organization through Awareness and Training

41
The Detect Function

The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.

Example Outcomes:
• Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events
• Ensuring Anomalies and Events are detected, and their potential impact is understood
• Verifying the effectiveness of protective measures

42
The Respond Function

The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident to minimize impact.

Example Outcomes:
• Ensuring Response Planning processes are executed during and after an incident
• Managing Communications during and after an event
• Analyzing the effectiveness of response activities

43
The Recover Function

The Recover Function identifies appropriate activities to maintain plans for resilience and to restore services impaired during cybersecurity incidents.

Example Outcomes:
• Ensuring the organization implements Recovery Planning processes and procedures
• Implementing improvements based on lessons learned
• Coordinating communications during recovery activities

44
Framework Core

Function: Category (ID)

Identify: What processes and assets need protection?
– Asset Management (ID.AM)
– Business Environment (ID.BE)
– Governance (ID.GV)
– Risk Assessment (ID.RA)
– Risk Management Strategy (ID.RM)
– Supply Chain Risk Management (ID.SC)

Protect: What safeguards are available?
– Identity Management & Access Control (PR.AC)
– Awareness and Training (PR.AT)
– Data Security (PR.DS)
– Information Protection Processes & Procedures (PR.IP)
– Maintenance (PR.MA)
– Protective Technology (PR.PT)

Detect: What techniques can identify incidents?
– Anomalies and Events (DE.AE)
– Security Continuous Monitoring (DE.CM)
– Detection Processes (DE.DP)

Respond: What techniques can contain impacts of incidents?
– Response Planning (RS.RP)
– Communications (RS.CO)
– Analysis (RS.AN)
– Mitigation (RS.MI)
– Improvements (RS.IM)

Recover: What techniques can restore capabilities?
– Recovery Planning (RC.RP)
– Improvements (RC.IM)
– Communications (RC.CO)

23 Categories across the 5 functions
45


Subcategories & Informative References

108 Sub-categories
46
Framework Profiles

■ Customize framework implementation based on the organization's needs and goals.
■ Select cybersecurity outcomes and activities aligned with requirements and risk appetite.
■ Establish a roadmap for reducing cybersecurity risk.
■ Describe the current or desired state of cybersecurity activities.

47
Building a Profile

49
Building a profile
■ Identify and authenticate users and devices
accessing the organization's network.
■ Implement strong password policies and multi-
factor authentication for enhanced security.
■ Regularly update and patch software to address
any vulnerabilities.
■ Conduct regular network vulnerability
assessments and penetration testing.
■ Implement robust firewall and intrusion
detection/prevention systems.
■ Encrypt sensitive data both in transit and at rest.
■ Monitor network traffic and implement security
monitoring tools for early detection of threats.
■ Regularly backup critical data and test data
restoration processes.
■ Establish incident response procedures and
conduct regular drills.
■ Provide cybersecurity awareness training for all
employees.

50
Framework Implementation Tiers

The framework implementation tier is a concept used in cybersecurity frameworks to assess the maturity and effectiveness of an organization's cybersecurity practices. It helps organizations understand their current state of cybersecurity implementation and identify areas for improvement.
51
Example of the flow of using CSF

■ Identify business objectives and cybersecurity risks.


■ Assess current cybersecurity practices.
■ Determine current tier levels for each core function.
■ Select a target profile from NIST CSF Framework Profiles.
■ Perform a gap analysis between the current state and
target profile.
■ Develop a roadmap to address gaps.
■ Implement improvements based on the roadmap.
■ Monitor and evaluate the effectiveness of improvements.
■ Iterate and improve cybersecurity programs based on
feedback and threats.

52
Implementing the key security controls below under the NIST CSF, based on the organization's risk profile and the threats it faces

53
Cyber Security Basic Controls

■ Basic system administration is critical
– Patches and updates
– Remove unused accounts
■ Multi-factor authentication
■ Minimize attack surface
■ Minimize privileges
– Don’t allow users to install software
■ Don’t use a full admin account for day-to-day tasks

Following basic best practices can eliminate 90% of cyber attacks.
56
Technical Scanning

60
What are IP Address/Ports

■ IP address
– Identify your target machine(s) by IP(s)

■ Ports
– Used for identifying an application
– Different applications running on a computer have
their own ports
– Assist to receive and send data via network

61
Basic Concepts – target, port, open port

■ Target => Computer (with vulnerabilities); identify your target by IP address (e.g. 10.8.0.201)
– You can think of a target as a house (and you are going to break in!)
■ Port => Door (but it may be locked)
■ Open Port => Door (not locked)
■ A computer has 65535 ports (i.e. a house with 65535 doors)
– Go ahead and find the doors which are not locked.

62
Common Port Numbers

63
Common Vulnerability Signature

■ Ports
– When an application is running on a computer, it opens a port.
– The application may have vulnerabilities => the loophole to get into the target
■ Knowing the open ports => knowing the running services => searching for possible vulnerabilities => trying to compromise the target
■ How do we know what ports are open on the target?

64
Port scanning

■ Method of determining which ports on a network are open and could be receiving or sending data
■ This diagram shows a machine scanning a server by systematically testing ports to see if a service is available on each one. After four attempts, the scanner has identified four ports that are rejecting connections and would be defined as "closed" ports.
■ A port that accepts a connection is defined as being "open".

Port scanning can’t take place without first identifying a list of active hosts and mapping those hosts to their IP addresses.
65
Nmap

■ Port scanning tool: Nmap
■ Nmap is a popular port scanning tool. It is a free and open-source network scanner.
■ Identify which ports are open and determine what services are available on your targeted system
– A service is a specific job or task that the computer performs, like e-mail, FTP, DNS, WWW.

66
Nmap.online

67
Nmap Online Port Scanner

https://hackertarget.com/nmap-online-port-scanner/
68
Shodan Search Engine

■ Shodan is a specialized search engine that allows users to discover and explore various internet-connected devices
– Web cams, baby monitors, traffic lights, medical devices, smart TVs, etc.
– Billions of publicly available IP addresses
■ https://www.shodan.io/

69
How does Shodan work
■ Shodan scans the internet, gathering data about publicly accessible devices like webcams, routers, servers, and industrial control systems. It sends queries to these devices and retrieves the banner information of the device as part of the response.

The banner typically contains details about the device, such as the device type, manufacturer, model, and sometimes even additional information like firmware version or software running on the device.

70
Routers that use the username/password as
admin/1234 in their banner

Source: Shodan
71
Basic Firewall Concept

72
Firewall

■ An access control technology that secures a network by only allowing certain types of traffic to pass through it.
– Inspects data packets to see if they contain threats

73
Firewall Rules

Allow traffic from B to A
Deny traffic from A to C
Allow all traffic

75
Firewall Rules

Allow traffic from B to A
Deny traffic from A to C
Deny all traffic

(Zero Trust Model)
76

Firewall Rules

Allow traffic from 10.0.0.0/8 to 192.168.1.0/24
Deny traffic from 192.101.1.0/16 to 10.10.1.1/8
Deny all traffic

(Zero Trust Model)
77

Firewall Rules

Allow traffic from 10.0.0.0/8 port 80 to 192.168.1.0/24 port 80
Deny traffic from 192.101.1.0/16 port 22 to 10.10.1.1/8 port 22
Deny all traffic
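A first-match evaluator for rule lists like the ones above, added here as an example and not part of the lecture slides. It runs the slides' own two address/port rules against constructed packets and shows how the final line of the list ("Allow all traffic" versus "Deny all traffic", the zero-trust default) decides everything the explicit rules do not cover. The slides' 192.101.1.0/16 and 10.10.1.1/8 have host bits set, so they are normalised with `strict=False` to 192.101.0.0/16 and 10.0.0.0/8.

```python
# Added example: first-match firewall rule evaluation with the slides' rules.
# Packet samples in the test are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # CIDR, or "any"
    dst: str                         # CIDR, or "any"
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, src_ip: str, dst_ip: str, src_port, dst_port) -> bool:
        def in_net(ip: str, cidr: str) -> bool:
            # strict=False accepts prefixes with host bits set, as on the slide
            return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)

        return (in_net(src_ip, self.src) and in_net(dst_ip, self.dst)
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))


def evaluate(rules, default: str, src_ip, dst_ip, src_port=None, dst_port=None) -> str:
    """Action of the first rule that matches the packet, else the default action."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, src_port, dst_port):
            return rule.action
    return default


# The two explicit rules from the port-aware slide; the closing
# "Deny all traffic" / "Allow all traffic" line is passed as the default.
PORT_RULES = [
    Rule("allow", "10.0.0.0/8", "192.168.1.0/24", 80, 80),
    Rule("deny", "192.101.1.0/16", "10.10.1.1/8", 22, 22),
]


def default_deny(src_ip, dst_ip, src_port, dst_port) -> str:
    """Zero-trust list: anything not explicitly allowed is denied."""
    return evaluate(PORT_RULES, "deny", src_ip, dst_ip, src_port, dst_port)


def default_allow(src_ip, dst_ip, src_port, dst_port) -> str:
    """Same explicit rules, but unmatched traffic falls through to allow."""
    return evaluate(PORT_RULES, "allow", src_ip, dst_ip, src_port, dst_port)


if __name__ == "__main__":
    pkt = ("10.1.2.3", "192.168.1.5", 443, 443)   # constructed HTTPS packet
    print("default deny :", default_deny(*pkt))
    print("default allow:", default_allow(*pkt))
```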

78
IDS/IPS

Response to Attack

IDS focuses on detecting and alerting on potential threats.
IPS goes a step further by actively preventing and blocking those threats in real time.
79
What is SIEM (Security Incident and Event Management)

■ SIEM is a security solution that offers real-time analysis of network hardware and application-generated security alerts and events
■ Timely detection and response to potential security threats and breaches to prevent damage
■ Generate alerts based on pre-defined rules and thresholds
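One such pre-defined threshold rule, added here as an example and not part of the lecture slides: a detector that reads authentication log lines and alerts when a single source address exceeds a number of failed logins inside a time window, which is how a SIEM surfaces the password attacks listed earlier. The sshd-style log format, the threshold and the sample lines are all constructed for the example.

```python
# Added example: SIEM-style threshold rule over constructed auth log lines.
# Log format, threshold and window are assumptions for the demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

MAX_FAILURES = 5               # alert when a source exceeds this many failures
WINDOW = timedelta(seconds=60)  # ... within this sliding window


def parse_line(line: str):
    """Structured event for one log line, or None if the line is not a login record."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines):
    """One alert per source address, raised the first time it crosses the threshold."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # expire failures older than the window
            q.popleft()
        if len(q) > MAX_FAILURES and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(q), "at": ev["ts"]})
    return alerts


# Constructed sample: 203.0.113.9 fails six times in 25 seconds (alert),
# 198.51.100.7 fails twice ten minutes apart (no alert), one successful login.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 web1 sshd[411]: Failed password for root from 203.0.113.9 port 5001",
    "2024-03-01T09:00:05 web1 sshd[412]: Failed password for admin from 203.0.113.9 port 5002",
    "2024-03-01T09:00:10 web1 sshd[413]: Failed password for invalid user test from 203.0.113.9 port 5003",
    "2024-03-01T09:00:15 web1 sshd[414]: Failed password for root from 203.0.113.9 port 5004",
    "2024-03-01T09:00:20 web1 sshd[415]: Failed password for root from 203.0.113.9 port 5005",
    "2024-03-01T09:00:25 web1 sshd[416]: Failed password for root from 203.0.113.9 port 5006",
    "2024-03-01T09:00:30 web1 sshd[417]: Accepted password for alice from 192.0.2.10 port 6000",
    "2024-03-01T09:02:00 web1 sshd[418]: Failed password for bob from 198.51.100.7 port 7001",
    "2024-03-01T09:12:00 web1 sshd[419]: Failed password for bob from 198.51.100.7 port 7002",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['at']} {alert['src']}: {alert['count']} failed logins in {WINDOW}")
```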

80
Honey Pots

83
84
Honey Pot
■ By deploying honeypots, organizations can create an environment mimicking real systems and networks, including potential vulnerabilities.
■ Attackers may attempt to exploit these vulnerabilities, and when they do, the honeypot captures their actions and provides valuable information about the attack.

85
Hong Kong HoneyNet Campaign

(data recorded from Dec 2021 to Nov 2022)

https://www.pcmarket.com.hk/astri-collaborates-with-hong-kong-police-to-set-up-honeynet-to-lure-hackers/
86
