2. CYBER SECURITY
THE OBJECTIVE
To prevent or mitigate harm to or destruction of Computer Networks, Applications, Devices, and Data.
3. Trainer Profile
LEO LOURDES
(MBA IT Management, BoM Hons. HRM)
Implementer of ISO 20000-1:2011
Certified in COBIT® 5
Certified in ISO 9001 Auditor (PECB)
Certified in PRINCE2® in Project Management
Certified in ITIL® Practitioner
Certified in ITIL® Intermediate Certificate in IT Service Operation
Certified in ITIL Information Security based on ISO/IEC 27002
Certified in ITIL for Cloud Computing
Certified in ITIL IT Service Management
Certified in Coaching and Calibration Skills for Call Center
Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom
wecare@thinkleosolutions.com
+6016-349 1793
Experience:
Management Representative (MR) ISO 20000-1: 2011
IT Service Management (Incident, Problem, Change) Manager
Security, Compliance & Risk Management
Senior CRM Delivery Analyst
Certified Trainer
Certified IT Auditor & Consultant
4. CYBER SECURITY AWARENESS : DAY 1
• The CIA Triad
• Security Governance
• Risk Management
• Cyber Threats
6. Confidentiality Terms
Sensitivity: The level of damage or harm that could occur if the asset is revealed or disclosed.
Discretion: The ability of a person to control the level of access to, or disclosure of, an asset.
Criticality: The level of importance of an asset to the mission or objective.
Concealment: The act of hiding or preventing disclosure of an asset.
Secrecy: The practice of preventing or limiting information disclosure.
Privacy: The protection of confidential or personal information.
Seclusion: The act of storing something in a location that is out of the way, and thus not easily observed or found.
Isolation: The act of keeping something separate from other things that are similar in nature.
7. Integrity Terms
Accuracy: The degree to which the data is correct and precise.
Truthfulness: The quality of a source of information being factual and realistic.
Validity: The quality of an asset being factually or logically sound.
Authenticity: The quality of an asset being genuine.
Accountability: The condition of a person or entity being held responsible for their actions.
Responsibility: The obligation of a person or entity to take ownership of their actions.
Completeness: The quality of an asset that has all its necessary parts or components.
Comprehensiveness: The quality of an asset being complete in scope, and fully inclusive of all relevant elements.
8. Availability Terms
Usability: The degree to which an asset can be easily learned, understood, utilized, or controlled by a subject.
Accessibility: The assurance that an asset can, under the widest range of circumstances, be used by a subject, regardless of their capabilities or limitations.
Timeliness: The quality of an asset, particularly information, being prompt and available within a reasonable time frame, and with low latency.
9. Common Security Terms (Slide 1 of 2)
Asset: Anything of value that could be compromised, stolen, or harmed, including information, systems, personnel, physical resources, and reputation.
Threat: Any event or action that could potentially cause damage to an asset or an interruption of services.
Threat actor: A person, group, or other entity that could potentially attack, damage, or otherwise compromise a system or resource.
Vulnerability: A condition that leaves the system and its assets open to harm, including such things as software bugs, insecure passwords, inadequate physical security, poorly designed networks, or insufficient user training and awareness.
Exploit: A technique that takes advantage of a vulnerability to perform an attack.
Risk: The likelihood that a threat exploits a vulnerability, combined with the potential damage to assets if it does.
Control: A countermeasure that you put in place to avoid, mitigate, or counteract security risks due to threats or attacks; also known as a safeguard.
10. Common Security Terms (Slide 2 of 2)
Attack: The active attempt by a threat actor to break into and exploit a vulnerable system, data, or other resource.
Breach: The result of a successful attack. Can include theft, destruction, or loss of availability of data, a system, or other resources.
Exposure: The level, usually expressed as a percentage, to which a resource is at direct risk of attack.
Social engineering: The practice of using deception and trickery against human beings as a method of attack.
Defense in depth: The practice of providing security in multiple layers for more comprehensive protection against attack.
11. Security Governance
• Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactionary security culture into a proactive one.
• Supports business objectives to minimize cost and disruption.
• A major objective is compliance.
• Compliance assures that the organization operates within regulatory requirements.
12. Governance Requirements
• Strategic alignment of information security with business strategies to support organizational objectives.
• Risk management by risk mitigation and reducing potential impact on resources.
• Resource management by use of information security knowledge and infrastructures.
• Performance measurement by evaluating, monitoring, and reporting information security governance metrics to achieve objectives.
• Value delivery by optimizing information security investments that support organizational objectives.
13. Security Goal Categories
Strategic:
• Align with business and information technology goals.
• Long horizon (3-5 years or more).
• Ex: establish security policies and ensure all users understand their responsibilities.
Tactical:
• Provide the broad initiatives necessary to support the goals of the strategic plan.
• May consist of multiple projects.
• Usually a 6-18 month time period.
• Ex: implement disaster recovery programs and customer relationship management.
Operational:
• Specific short-term goals.
• Put the tactical plan into practice.
• Ensure that individual projects are completed with milestones.
• Ex: perform project-wise risk assessment and development of security policies.
14. Privacy Issues
• Personally identifiable information (PII) could be used to identify
an individual.
• Only a few pieces of information can expose a person’s identity.
• Criminals can use PII for extortion, fraud, or shaming.
• Ex:
• Names
• Social Security numbers
• Addresses
• Personal characteristics
• PII, once exposed, may not be “recoverable”.
15. Data Breach
• An incident that results in release or potential exposure of secure information.
• Can be a true test of legal compliance.
• If the organization performs due care to comply with laws, the breach's effects may be mitigated.
• The organization can also avoid severe legal penalties.
• Especially a concern with privacy laws, as many breaches expose customer PII.
• Consequences for compliance failure are magnified under a breach.
• Most laws require timely notification in the event of a breach.
16. Industry Standards (Slide 1 of 2)
PCI DSS:
• Specifies the information security requirements the major card brands impose on organizations that handle cardholder data.
• Compliance is validated on an annual basis.
• Organizations or merchants that accept, transmit, or store cardholder data from these brands must comply.
NIST SP 800 series: Various publications establish computer security standards, including:
• SP 800-12: An Introduction to Computer Security: The NIST Handbook
• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
• SP 800-33: Underlying Technical Models for Information Technology Security
• SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
17. Industry Standards (Slide 2 of 2)
COBIT 5: Framework for IT management and governance, built on five principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
ISO/IEC 27001: Specifies the requirements for an information security management system (ISMS). Its Annex A control set covers, for information security incident management:
• Responsibilities and procedures.
• Reporting information security events.
• Reporting information security weaknesses.
• Assessment of and decision on information security events.
• Response to information security incidents.
• Learning from information security incidents.
• Collection of evidence.
18. The Purpose of Ethics
• The organization's principles, proper conduct, and system of moral values.
• A code of ethics helps professionals cooperate and pursue common goals.
• The code can guard against competitive pressures to act unscrupulously.
• Provides a guide for what other professionals will do.
19. Organizational Ethics
• Organizations often document ethical expectations.
• May also be bound by ethics outlined in laws and standards.
• Ethical codes can also minimize risk.
• Employees with a track record of ethical behavior can help the organization avoid harm.
• Organizations are also responsible for acting ethically toward their employees, customers, and other stakeholders.
20. The Value of Security Documentation
• Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving organizational goals.
• Security documentation can also act as a road map to governance.
21. Security Document Types
Policy: High-level statement of management intentions. Contains the purpose, scope, and compliance expected of every employee.
Example: Information security will ensure the protection of information by implementing security best practices.
Standard: Required implementation or use of specific tools or technologies.
Example: The corporation must implement 802.1X security for all wireless networks.
Guideline: Recommended or suggested action or best practice.
Example: When travelling with laptops, users should use safety precautions to prevent laptop theft, damage, or data loss.
Procedure: Step-by-step description of how to implement a system or process.
Example: To implement Secure Shell (SSH) on the router, enter enable mode and then enter the appropriate commands for the router.
Baseline: Minimum security required for a system or process.
Example: Trivial File Transfer Protocol (TFTP) must be disabled on all servers except those specifically used for the TFTP service.
22. Security Policy Objectives
• Objectives that security policies can fulfill:
• Inform employees about their security-related duties and responsibilities.
• Define an organization's security goals.
• Outline a computer system's security requirements.
• Objectives depend on the organization's specific requirements.
• Policies should be long enough to explain but short enough to be understood.
• All employees should have access to the policy.
23. What Is Risk?
Risk is the potential for loss. Examples of the losses an organization can suffer:
• Building damage
• Data loss
• Loss of productivity
• Loss of life
• Loss of equipment
• Access to a system by a malicious individual
26. The Risk Analysis Process
Asset identification and valuation: Identifying the assets that require protection and determining their value, including data, data systems, buildings, and employees.
Vulnerability identification: Identifying vulnerabilities so the analyst can confirm where problems exist.
Threat assessment: Determining what threats may exploit the identified vulnerabilities.
Risk assessment: Assessing the probability that threats will exploit vulnerabilities. Can be quantitative (numbers-based) or qualitative (words-based).
Financial impact evaluation: Once probabilities are determined, evaluating the potential financial impact of the risks.
27. Asset Identification
• Comprehensively identify all assets in the organization.
• Waiting until it's too late will make it harder to recover an asset.
• If you don't identify an asset, you may not even know when it's compromised.
• Describe assets in terms of:
• Basic characteristics.
• Value to the company.
• Use on a daily basis.
• Replaceability.
28. Asset Valuation
• What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much will we lose in operational functionality if the asset is misplaced or damaged?
• What would it cost to replace it?
• What would an adversary pay for it?
• What liability penalties might occur if the asset is compromised?
29. Asset Valuation Methods
Asset management system: Contains a detailed record of corporate property and similar assets, including facilities, furniture, computers, and other real property.
Accounting system: Contains additional financial information about assets, such as the expensed cost of developing software packages.
Insurance valuation: A good source of asset valuation because of the insurer's rigorous analysis of the risk of loss.
Qualitative valuation: Narrative descriptions capture expert judgement about asset value.
30. Areas of Vulnerability
Each vulnerability area with an example threat and risk:
Physical structure: Window accessibility in a room where secure information is stored can expose vulnerabilities and create a venue for sudden intrusion threats.
Electrical: Failure of a vulnerable electrical feed can threaten system data.
Software: Worms, viruses, and Trojans threaten systems.
Network: Unencrypted data on the network can be vulnerable to interception and exploitation.
Personnel: Key trained personnel must be available to deal with critical events to avoid corporate-wide vulnerabilities.
Hardware: Losses due to theft and physical damage generate costs for replacement and lost productivity.
Documentation: If poorly written, can cause confusion and impair decision making. The organization must protect the integrity and confidentiality of sensitive documentation.
Process: Outdated or inefficient processes can impair business operations; poor security processes weaken defenses and increase risk.
31. Identify Threats
Natural disasters:
• Earthquakes
• Wildfires
• Flooding
• Excessive snowfalls
• Tsunamis
• Hurricanes
• Tornados
• Landslides
Man-made disasters, intentional:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
• Information disclosure
Man-made disasters, unintentional:
• Employee mistakes
• Power outages
• Excessive employee illnesses or epidemics
• Information disclosure
33. Risk Assessment Determination Factors
• Likelihood: How likely is it that the threat occurs?
• Impact: What kind of damage will the threat cause?
34. Residual Risk
• Risk that remains even after controls are in place.
• You can't account for every risk, no matter how hard you try.
• Some risks are not worth the cost of the countermeasure.
• Identifying residual risk can help you assess the effectiveness of your controls.
• Residual risk must be knowingly accepted by management; the practical response to it is a solid disaster recovery plan for when it materializes.
• Controls gap is the amount of risk that countermeasures do not cover.
• Expressed in percentages.
• Correlates to residual risk.
Controls gap = total risk – countermeasures
[Diagram: Inherent Risk, reduced by Controls, leaves Residual Risk]
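The two determination factors and the residual-risk arithmetic above, worked through in Python. This is an added example and not code from the original deck: the 1-5 likelihood and impact scales, the rating thresholds, the sample risk register and the control-effectiveness figures are all constructed assumptions. It goes a step beyond the slides by mapping qualitative (words-based) ratings onto the quantitative (numbers-based) scale so both can be scored the same way, and by ranking a register on residual rather than inherent risk.

```python
"""Scoring risk from likelihood and impact, then residual risk and controls gap.

Added example for the risk assessment determination factors and residual
risk slides; it is not code from the original deck. The 1-5 scales, the
rating thresholds, the sample register and the control-effectiveness figures
are constructed assumptions chosen to illustrate the method.
"""
from dataclasses import dataclass
from typing import List

# Qualitative (words-based) ratings mapped onto a quantitative (numbers-based)
# 1-5 scale so the two styles of assessment can be combined. Assumed scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskItem:
    asset: str
    threat: str
    likelihood: str
    impact: str
    # Fraction (0.0-1.0) of the inherent risk removed by the controls in place.
    # Assumed figures; in practice they come from evaluating the controls.
    control_effectiveness: float = 0.0

    def inherent_risk(self) -> int:
        """Likelihood x impact before any countermeasure is considered."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_risk(self) -> float:
        """Risk that remains after the controls are applied."""
        return self.inherent_risk() * (1.0 - self.control_effectiveness)

    def controls_gap_pct(self) -> float:
        """Share of the inherent risk the countermeasures do not cover, as a
        percentage (the slide's 'total risk - countermeasures', normalised)."""
        return 100.0 * self.residual_risk() / self.inherent_risk()


def rating(score: float) -> str:
    """Bucket a numeric score back into words for reporting. Assumed thresholds."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_by_residual(register: List[RiskItem]) -> List[RiskItem]:
    """Order the register so effort goes first to the risks that are still
    significant after existing controls, not to the ones with the scariest
    inherent score."""
    return sorted(register, key=lambda item: item.residual_risk(), reverse=True)


# Constructed sample register; values are illustrative, not measured.
SAMPLE_REGISTER = [
    RiskItem("Customer database", "SQL injection via web app", "likely", "severe", 0.6),
    RiskItem("Office server room", "Flooding", "unlikely", "major", 0.5),
    RiskItem("Staff laptops", "Theft while travelling", "possible", "moderate", 0.8),
    RiskItem("Payroll process", "Employee mistake", "almost certain", "minor", 0.0),
]

if __name__ == "__main__":
    print(f"{'Asset':<20} {'Inherent':>8} {'Residual':>8} {'Gap %':>6}  Rating")
    for item in rank_by_residual(SAMPLE_REGISTER):
        print(f"{item.asset:<20} {item.inherent_risk():>8} "
              f"{item.residual_risk():>8.1f} {item.controls_gap_pct():>6.0f}  "
              f"{rating(item.residual_risk())}")
```

Run as a script it prints the register ranked by residual risk. Note what the ranking shows: the uncontrolled payroll mistake (inherent 10, gap 100%) outranks the database (inherent 20, but 60% covered), which is exactly the prioritisation the continuous improvement slide asks for.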
35. Monitoring and Measuring
• Not just simple pass-fail results or generating paperwork for an audit.
• A well-executed assessment determines the validity and effectiveness of controls.
• Can expose strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
36. Continuous Improvement
• Ongoing effort to optimize policies and processes.
• A function of risk management.
• Includes best practices:
• Continuously seek to discover new vulnerabilities.
• Be context aware in your risk analysis.
• Prioritize your efforts on vulnerabilities that actually pose a significant risk.
• Determine patchability.
37. Threat Types (Slide 1 of 2)
Phishing and social engineering:
• Attackers use psychological tactics to manipulate victims into disclosing information or performing an action that they shouldn't.
• Phishing is the most common form.
• Uses email with malicious attachments or links.
Insider threat:
• Disgruntled employees and others with internal access.
• Use their access privileges or knowledge to steal data or damage systems.
• Can also be accidental/unintentional.
Malware:
• Any software intended to damage a computer system.
• Can be distributed through email, websites, file sharing, social media, even legitimate published software.
• Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware, spyware, etc.
Session hijacking / man-in-the-middle:
• Attacker takes over a legitimate network connection, often after the user has authenticated.
38. Threat Types (Slide 2 of 2)
Denial of service:
• Any attack that consumes computer or network resources so the system cannot service legitimate client requests.
• Can be conducted against:
• Network
• CPU
• RAM
• Disk space
• Maximum allowed connections
Unauthorized network access:
• Deliberate or accidental.
• Normal security controls are bypassed.
Injection and cross-site attacks:
• Malicious commands hide inside what looks like normal browser activity (form fields, URLs, cookies).
• Includes command and SQL injection, cross-site scripting (XSS), and cross-site request forgery (XSRF/CSRF).
• E.g.:
• <IMG SRC=javascript:alert("XSS")>
• Encoded: the same tag with the javascript: URL written as HTML character entities (&#106;&#97;&#118;&#97;... for "java..."). The browser decodes the entities before interpreting the attribute, but a filter looking for the literal string "javascript:" never matches it.
• Modern browsers no longer execute a javascript: URL in an image source, but the same encoding trick applies to vectors they still execute, such as event-handler attributes (e.g. onerror).
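The encoded-payload bypass above, shown in Python next to the fixes that actually work. This is an added example, not code from the original deck: the two payloads are constructed from the slide's <IMG SRC=javascript:alert("XSS")> vector, and naive_denylist_allows, normalised_denylist_allows, render_comment and safe_image_url are hypothetical stand-ins for application code. It goes beyond the slide in showing the two real defences, output encoding for text shown in a page and an allowlist of URL schemes for URL-valued attributes.

```python
"""Why a denylist filter does not stop XSS, and what does.

Added example for the 'Injection and cross-site attacks' slide; it is not
code from the original deck. The two payloads are constructed from the
slide's own <IMG SRC=javascript:alert("XSS")> vector, and the filter and
renderer functions are hypothetical stand-ins for application code.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

PLAIN = '<IMG SRC=javascript:alert("XSS")>'

# The same URL spelled as decimal HTML character entities: &#106; is 'j',
# &#97; is 'a', and so on. A browser decodes entities inside attribute values
# before it interprets the URL, so to the browser this is the same attack.
ENCODED_URL = (
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;"
    "&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;"
)
ENCODED = "<IMG SRC=" + ENCODED_URL + ">"


def decode_as_browser(value: str) -> str:
    """Approximates what the HTML parser sees after entity decoding."""
    return html.unescape(value)


def naive_denylist_allows(value: str) -> bool:
    """The hurried check: block anything containing the literal 'javascript:'.
    Returns True when the input is let through."""
    return "javascript:" not in value.lower()


def normalised_denylist_allows(value: str) -> bool:
    """Same check, but applied to the decoded form the browser will act on.
    Closes the entity bypass; still a denylist, so still not the real fix."""
    return "javascript:" not in decode_as_browser(value).lower()


def render_comment(comment: str) -> str:
    """Output encoding, the correct fix for user text shown in an HTML page:
    every character with meaning to HTML is escaped, so the payload is
    displayed as text and never interpreted as markup."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


_ALLOWED_SCHEMES = {"http", "https"}


def safe_image_url(url: str) -> Optional[str]:
    """Allowlist for URL-valued attributes such as IMG SRC: decode entities,
    strip the control characters and whitespace browsers ignore inside a
    scheme ('java\\tscript:'), then accept only absolute http(s) URLs.
    Returns the cleaned URL or None when it must be rejected."""
    decoded = re.sub(r"[\x00-\x20]", "", decode_as_browser(url))
    scheme = urlsplit(decoded).scheme.lower()
    return decoded if scheme in _ALLOWED_SCHEMES else None


if __name__ == "__main__":
    # Modern browsers no longer run javascript: URLs from an image source, but
    # the same entity bypass works against vectors they do run (e.g. onerror).
    print("naive filter lets plain through:  ", naive_denylist_allows(PLAIN))
    print("naive filter lets encoded through:", naive_denylist_allows(ENCODED))
    print("decoded encoded == plain:         ", decode_as_browser(ENCODED) == PLAIN)
    print("normalised filter on encoded:     ", normalised_denylist_allows(ENCODED))
    print("escaped output:", render_comment(PLAIN))
    print("allowlisted url:", safe_image_url("https://example.com/logo.png"))
    print("rejected url:   ", safe_image_url(ENCODED_URL))
```

The point to take from running it: matching on the literal string fails because the browser decodes entities before it interprets the attribute, while html.escape makes the payload inert whatever encoding the attacker chose, and an allowlist of schemes rejects javascript: without having to enumerate every way of spelling it.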
39. Threat Remediation
• Basic categories of remediation:
• Good security policy and management commitment to security.
• Fix vulnerable code.
• Properly configure systems.
• Change business processes.
• Improve security culture through training and awareness.
• Effective threat remediation involves all personnel working together.
• Implementation of technical controls and management of good business processes.
• The various security departments should coordinate their remediation efforts.
• Remediation policy should reflect the organization's risk tolerance.
• Strategies and controls should be consistently evaluated for their effectiveness.