Unit 2 SE


18MBH202T – SOCIAL ENGINEERING

Unit 2 – KEY SECURITY

• Key Security – Concepts – Types of Key Security Concepts – Cyber Security Position – The CIA Triad – The significance of incident response and frameworks around cyber security – IT Governance – Best Practices – Compliance


Introduction
• The number of Internet users had passed 3.4 billion by 2016, spread over more than 200 countries from the Arctic to Antarctica, according to a report from the International Telecommunication Union. Individuals and organizations can therefore reach any point on the Internet regardless of national or geographic boundaries or the time of day.
• This easy access to information carries risk: valuable information can be lost, stolen, altered or misused.
• Information held on computer networks is more exposed than information that is printed and locked in a filing cabinet.
• Intruders can steal information without ever entering an office or home, and need not be in the same country. The security of information has therefore become critical to its owners.
Basic Information Security Concepts
• Three basic information security concepts apply to information itself: Confidentiality, Integrity, and Availability. The corresponding concepts that apply to the people who use that information are Authentication, Authorization, and Non-repudiation.
• Information security is such a broad discipline that it is easy to get lost in a single area and lose perspective. Nevertheless, the classic definition of information security is brief and simple: "Information security is the confidentiality, integrity, and availability of information", also referred to as the C-I-A triad or the information security triad.


CIA Triad
• Confidentiality is a set of rules that limits access to information,
• Integrity is the assurance that the information is trustworthy and accurate, and
• Availability is a guarantee of reliable access to the information by authorized people.
Confidentiality
• When information is read or copied by someone not authorized to do so, the result is a "loss of confidentiality".
• For sensitive information, confidentiality is a very important criterion. Bank account statements, personal information, credit card numbers, trade secrets and government documents are examples of sensitive information.
• This goal of the CIA triad emphasizes the need for information protection. For example, confidentiality is maintained for a computer file if authorized users are able to view it while unauthorized persons are blocked from seeing it.
Integrity
• Information can be corrupted or manipulated if it is available on an insecure network; this is referred to as "loss of integrity". It means that unauthorized changes have been made to the information, whether by human error or by intentional tampering.
• Integrity is particularly important for safety-critical and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting.
• For example, banks are more concerned about the integrity of financial records, with confidentiality having only second priority. Some account holders leave ATM receipts unchecked and lying around after withdrawing cash, which shows that confidentiality does not have the highest priority for them. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission and use, except through authorized modification.


Availability
• Information can be erased or become inaccessible, resulting in a "loss of availability". This means that people who are authorized to obtain the information are prevented from accessing it. Availability is often the most important attribute in service-oriented businesses that depend on information. Denying access to information has become a very common attack; almost every week there is news of high-profile websites being taken down by Denial of Service attacks. The CIA triad goal of availability is met when information is available when and where it is legitimately needed.

• Now let us look at the other key terms in information security: Authentication, Authorization and Non-repudiation. These processes and methods are some of the main controls aimed at protecting the C-I-A triad.
• To make information available (or modifiable) only to those who need it and can be trusted with it, organizations use authentication and authorization.
• Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a smart card), or something the user is (such as a fingerprint). Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.
• Users must be authenticated before carrying out the activity they are authorized to perform. Security is strongest when the evidence of who performed an action cannot later be refuted, so the user cannot deny having performed it. This is known as non-repudiation. A password check alone does not give it: a shared secret proves only that someone who knew the secret acted, so non-repudiation is usually built on digital signatures with a private key held only by the signer, together with protected audit records.
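The ordering described above, authentication first and authorization second, as an added example that is not part of the course material. The user names, passwords, access-control list and resource paths are made up for illustration; the password store uses salted PBKDF2-HMAC-SHA256 and a constant-time comparison, and every decision is written to an audit list recording the authenticated identity. The audit record supports accountability but is not non-repudiation on its own, since the Python standard library has no signature scheme and the list could be edited by anyone with write access to it.

```python
# Added example (not from the course material): authenticate first, then
# authorize, and record who did what. User names, passwords, paths and the
# ACL below are all made up for illustration.
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000  # slows offline guessing if the hash store leaks


def make_password_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store: "something the user knows" is checked against a hash.
USERS = {
    "alice": make_password_record("correct horse battery staple"),
    "bob": make_password_record("hunter2"),
}

# Constructed access-control list: (user, action) -> resources that are allowed.
ACL = {
    ("alice", "read"): {"/finance/ledger.csv", "/hr/handbook.pdf"},
    ("alice", "write"): {"/finance/ledger.csv"},
    ("bob", "read"): {"/hr/handbook.pdf"},
}

# Each decision is recorded with the claimed identity and the outcome.
AUDIT_LOG: List[Dict[str, str]] = []


def authenticate(username: str, password: str) -> bool:
    """Authentication: is the caller who they claim to be?"""
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def authorize(username: str, action: str, resource: str) -> bool:
    """Authorization: may this (already authenticated) user do this to that?"""
    return resource in ACL.get((username, action), set())


def perform(username: str, password: str, action: str, resource: str) -> str:
    """Authenticate, then authorize, and log the decision either way."""
    if not authenticate(username, password):
        outcome = "denied: authentication failed"
    elif not authorize(username, action, resource):
        outcome = "denied: not authorized"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "action": action,
        "resource": resource,
        "outcome": outcome,
    })
    return outcome


if __name__ == "__main__":
    print(perform("alice", "correct horse battery staple", "write", "/finance/ledger.csv"))
    print(perform("bob", "hunter2", "write", "/finance/ledger.csv"))
    print(perform("bob", "wrong password", "read", "/hr/handbook.pdf"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that `perform` never consults the ACL for a caller who failed authentication, and that the unknown-user branch still runs the hash so the two failure paths take about the same time.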
Cyber Security Incident Response - Definition
• Incident response is the process by which an organization handles a data breach or cyberattack, including the way the organization attempts to manage the consequences of the attack or breach (the "incident").

Cyber Security Incident Response
• Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident.
• The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
• Ideally, incident response activities are conducted by an organization's computer security incident response team (CSIRT), a group selected in advance that includes information security and general IT staff as well as C-suite level members. The team may also include representatives from the legal, human resources and public relations departments.
• The incident response team follows the organization's incident response plan (IRP), a set of written instructions that outline the organization's response to network events, security incidents and confirmed breaches.
• Incident response is about making and having a flight plan before it is necessary. Rather than being an IT-centric process, it is an overall business function that helps ensure an organization can make quick decisions with reliable information.
• Not only are technical staff from the IT and security departments involved; so too are representatives from other core parts of the business.


Importance of incident response
• Any incident that is not properly contained and handled can, and usually will, escalate into a bigger problem that can ultimately lead to a damaging data breach, large expense or system collapse.
• Responding to an incident quickly helps an organization minimize losses, mitigate exploited vulnerabilities, restore services and processes, and reduce the risk that future incidents pose.
• Incident response enables an organization to be prepared for both the known and the unknown and is a reliable method for identifying a security incident as soon as it occurs. It also allows an organization to establish a set of best practices to stop an intrusion before it causes damage.
• Incident response is a crucial component of running a business, as most organizations rely on sensitive information whose compromise would be damaging.
• Incidents can range from simple malware infections to unencrypted employee laptops holding login credentials, and to database leaks.
• Any of these incidents can have both short- and long-term effects on the success of the entire organization.
• Security incidents can also be expensive, as businesses may face regulatory fines, legal fees and data recovery costs.
• They can also affect future profits, as untreated incidents are correlated with lower brand reputation, customer loyalty and customer satisfaction.
• While organizations cannot eradicate incidents completely, incident response processes help to minimize them.
• Emphasis should be placed on what can be done in advance to brace for the impact of a security incident.
• While attackers will always exist, a team can be prepared to prevent and respond to their attacks.
• That is why having a functional, effective incident response approach is important for all types of organizations.


Types of security incidents
There are various types of security incidents and ways to classify them. What counts as an incident for one organization might not be as critical for another. The following are a few examples of common incidents that can have a negative impact:
• A distributed denial of service (DDoS) attack against critical cloud services.
• A malware or ransomware infection that has encrypted critical business files across the corporate network.
• A successful phishing attempt that has led to the exposure of personally identifiable information (PII) of customers.
• An unencrypted laptop known to hold sensitive customer records that has gone missing.
• Security incidents that warrant the execution of formal incident response procedures are both urgent and important.
• That is, they must be dealt with immediately, and they affect important systems, information or areas of the business.
• Another important aspect of understanding incident response is the difference between threats and vulnerabilities.
• A threat is an agent or event, such as an attacker or a dishonest employee, that may exploit a vulnerability for malicious or financial gain.
• A vulnerability is a weakness in a computer system, business process or user that can be exploited.
• Threats exploit vulnerabilities, which in turn creates business risk. The potential consequences include unauthorized access to sensitive information assets, identity theft, systems taken offline, and legal and compliance violations.
Incident Response Plan
• An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase there are specific areas of need that should be considered.
• The incident response phases are:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Preparation:
• Developing policies and procedures to follow in the event of a cyber breach.
• This includes determining the exact composition of the response team and the triggers for alerting internal partners.
• Key to this process is effective training in responding to a breach, and documentation to record the actions taken for later review.
• Questions to address
• Has everyone been trained on security policies?
• Have your security policies and incident response plan been approved by appropriate management?
• Does the Incident Response Team know their roles and the required notifications to make?
• Have all Incident Response Team members participated in mock drills?
Identification:
• This is the process of detecting a breach and enabling a quick, focused response.
• IT security teams identify breaches using threat intelligence feeds, intrusion detection systems, and firewall logs.
• Threat intelligence is often misunderstood but is critical to protecting a company: threat intelligence analysts track current cyber threat trends and the common tactics used by specific groups, and keep the company one step ahead.
• Questions to address
• When did the event happen?
• How was it discovered?
• Who discovered it?
• Have any other areas been impacted?
• What is the scope of the compromise?
• Does it affect operations?
• Has the source (point of entry) of the event been discovered?
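A small piece of the detection logic this phase relies on, as an added example that is not part of the course material. It runs a password-guessing detector over a handful of constructed sshd-style log lines (the timestamps, user names and IP addresses are made up, and the addresses are from documentation ranges) and reports the fields that answer the questions above: when the activity started, the source address, which accounts were tried, and which account the attacker finally got into. The log format and thresholds are assumptions for the example, not a real product's configuration.

```python
# Added example (not from the course material): flag a source address whose
# successful login follows a burst of failures. Log lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed sshd-style format: "<ISO time> sshd[pid]: Failed|Accepted password for [invalid user] <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: 203.0.113.7 guesses five times then gets in as alice;
# 198.51.100.4 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-03-04T09:14:58Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
2024-03-04T09:15:01Z sshd[1201]: Failed password for alice from 203.0.113.7 port 51022 ssh2
2024-03-04T09:15:03Z sshd[1201]: Failed password for alice from 203.0.113.7 port 51024 ssh2
2024-03-04T09:15:05Z sshd[1201]: Failed password for alice from 203.0.113.7 port 51026 ssh2
2024-03-04T09:15:07Z sshd[1201]: Failed password for alice from 203.0.113.7 port 51028 ssh2
2024-03-04T09:15:09Z sshd[1201]: Accepted password for alice from 203.0.113.7 port 51031 ssh2
2024-03-04T09:20:00Z sshd[1340]: Failed password for bob from 198.51.100.4 port 40010 ssh2
2024-03-04T09:21:00Z sshd[1340]: Accepted password for bob from 198.51.100.4 port 40011 ssh2
"""


def parse(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_suspicious_logins(log_text: str, threshold: int = 4,
                           window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Report each source IP whose success follows >= threshold failures within window."""
    failures = defaultdict(list)  # ip -> [(timestamp, user tried), ...]
    findings = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ip = event["ip"]
        if event["result"] == "Failed":
            failures[ip].append((event["ts"], event["user"]))
            continue
        # An Accepted line: count this address's failures inside the window.
        recent = [(t, u) for t, u in failures[ip] if event["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({
                "source_ip": ip,
                "first_failure": recent[0][0].isoformat(),
                "success_time": event["ts"].isoformat(),
                "failures_before_success": len(recent),
                "accounts_tried": sorted({u for _, u in recent}),
                "compromised_account": event["user"],
            })
        failures[ip].clear()  # start a fresh count after each success
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(finding)
```

The `first_failure` and `success_time` fields answer "when did the event happen", `source_ip` answers "has the point of entry been discovered", and `accounts_tried` together with `compromised_account` gives a first cut at scope. The threshold and window are tuning knobs; too low and every mistyped password pages the on-call, too high and a slow guesser slips under it.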


Containment:
• One of the first steps after identification is to contain the damage and prevent further penetration.
• This can be accomplished by taking specific sub-networks offline and relying on system backups to maintain operations.
• The company will likely remain in a state of emergency until the breach is contained.
• Questions to address
• What has been done to contain the breach in the short term?
• What has been done to contain the breach in the long term?
• Has any discovered malware been quarantined from the rest of the environment?
• What sort of backups are in place?
• Does your remote access require true multi-factor authentication?
• Have all access credentials been reviewed for legitimacy, hardened and changed?
• Have all recent security patches and updates been applied?
Eradication:
• This stage involves neutralizing the threat and restoring internal systems to as close to their previous state as possible.
• This can involve secondary monitoring to ensure that affected systems are no longer vulnerable to a subsequent attack.
• Questions to address
• Have the attacker's artifacts and malware been securely removed?
• Has the system been hardened, patched, and updated?
• Can the system be re-imaged?


Recovery:
• Security teams need to validate that all affected systems are no longer compromised and can be returned to working condition.
• This also requires setting timelines to fully restore operations and continued monitoring for any abnormal network activity.
• At this stage it becomes possible to calculate the cost of the breach and the subsequent damage.
• Questions to address
• When can systems be returned to production?
• Have systems been patched, hardened and tested?
• Can the system be restored from a trusted backup?
• How long will the affected systems be monitored, and what will you look for when monitoring?
• What tools will ensure similar attacks do not recur? (File integrity monitoring, intrusion detection/prevention, etc.)
Lessons Learned:
• One of the most important and most often overlooked stages.
• During this stage, the incident response team and partners meet to determine how to improve future efforts.
• This can involve evaluating current policies and procedures, as well as specific decisions the team made during the incident.
• The final analysis should be condensed into a report and used for future training.
• Forcepoint can help your team analyze previous incidents and improve your response procedures. Protecting your organization requires a determined effort to constantly learn and harden your network against malicious actors.
• Questions to address
• What changes need to be made to security?
• How should employees be trained differently?
• What weakness did the breach exploit?
• How will you ensure a similar breach does not happen again?


IT Governance
• IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organisation to achieve its goals.
• IT governance is an element of corporate governance, aimed at improving the overall management of IT and deriving improved value from investment in information and technology.
• IT governance frameworks enable organisations to manage their IT risks effectively and ensure that the activities associated with information and technology are aligned with their overall business objectives.

Why is IT governance important?
IT governance enables an organisation to:
• Demonstrate measurable results against broader business strategies and goals;
• Meet relevant legal and regulatory obligations, such as those set out in the GDPR (General Data Protection Regulation) or the Companies Act 2006;
• Assure stakeholders that they can have confidence in the organisation's IT services;
• Facilitate an increase in the return on IT investment; and
• Comply with certain corporate governance or public listing rules or requirements.

Regardless of the level of formality, good governance should:
• Clearly link security activities to the organisation's goals and priorities
• Identify the individuals, at all levels, who are responsible for making security decisions and empower them to do so
• Ensure accountability for decisions
• Ensure that feedback is provided to decision-makers on the impact of their choices
• Any approach to security governance should fit into an organisation's wider approach to governance. Security needs to be considered alongside other business priorities, such as health and safety, or financial governance.


IT governance frameworks, models and standards
• ISO 38500 – The international IT governance standard
• ISO/IEC 38500:2015 is the international standard for corporate governance of IT.
• It sets out principles, definitions and a high-level framework that organisations of all types and sizes can use to better align their use of IT with organisational decisions, and meet their legal, regulatory and ethical obligations.
• As well as ISO 38500, there are numerous widely recognised, vendor-neutral frameworks that organisations can use to implement an IT governance programme.

The five domains of IT governance
• Value delivery
• Strategic alignment
• Performance management
• Resource management
• Risk management
