
Chapter 1

1.1 Security Problems


1) Lack of cybersecurity awareness among employees/users
- Not aware of the dangers posed by online threats

2) Lack of security mindset among IT professionals
- Focused on functionality only

3) Insecure application systems
- Deployed without firewalls, anti-virus, etc.
- Linked to point 2

4) Misconfiguration
- Weak passwords, wrong access permissions

5) Increasing number of insecure network devices
- Compromising a device that connects to the network gives the attacker a foothold
on that network → the network itself becomes easy to attack.

6) Attack techniques are getting more sophisticated

1.2 Computer security


The protection afforded to an automated information system in order to attain
applicable objectives of preserving the integrity, availability and confidentiality of
information system resources.

Security goals triads (CIA)


- Confidentiality
- Integrity
- Availability

Six Principles of security


Confidentiality
- Only the sender and the intended recipient(s) are able to access the content of a message.
- Compromised when an unauthorized person can access the message.
- Example of attack: interception.

Authentication
- Helps establish proof of identity (user authentication).
- Ensures that the origin of an email or document is correctly identified (data origin authentication).
- Example of attack: fabrication.

Integrity
- Data has not been changed during transmission or storage.
- Example of attack: modification.

Non-Repudiation
- Prevents a user from denying (repudiating) having sent a message to a recipient.
- Defeats the possibility of denying something after having done it.

Access Control
- Determines who should be able to access what.
- Role management: user side (which roles a user holds)
- Rule management: resource side (which roles or conditions a resource requires)

Availability
- Resources are available to authorized parties whenever they are needed.
- Example of attack: Denial of Service (DoS) attack.

1.3.1 Vulnerabilities
- A weakness that leaves a system exposed to the possibility of being attacked.

Platforms
- A system that consists of the hardware device and the operating system that runs
the software.
- Examples of platforms:
a. Legacy platform: outdated and no longer supported by its vendor
b. On-premises platform: hosted and managed within the organization's own premises
c. Cloud platform

Configurations
- Features and security settings that must be properly configured to repel
attacks.

Third Parties
- Third parties that assist in providing services are often given access to the
organization's network.
- Weaker security at the third party provides an opening for attackers.

Patches
- A version released by the developer to repair a vulnerability. Common problems:
a. Difficulty patching firmware
b. Few patches for application software
c. Delays in patching the OS

Zero Day
- A vulnerability that attackers can exploit before anyone else (the vendor, defenders)
knows it exists.
- No one knows there is such a loophole, so no patch or signature is available for it.
1.3.2 Threats
- A potentially dangerous event that has not yet occurred but could cause damage if it does.
- Threat actors: individuals or entities responsible for cyber incidents.

Types of threat actor:

Script Kiddies
- Information: lack technical knowledge; their attacks are not always successful
- Motivation: curiosity
- Affiliation: –
- Common TTPs: –

Hacktivists
- Information: strongly motivated by ideology; e.g. breaking into a website and
changing its contents
- Motivation: political, social, ideological
- Affiliation: non-governmental individual or organization
- Common TTPs: DDoS attacks, doxing, website defacements

State Actors
- Information: a nation's own hackers, launching cyberattacks against its foes;
target highly sensitive economic ...
- Motivation: espionage (the crime of spying), political, economic
- Affiliation: nation-state or an organization with nation-state ties
- Common TTPs: remote access trojans, malware, spear-phishing, password attacks

Insiders
- Information: come from the organization's own employees; manipulation of data by a
trusted employee; cause financial harm or damage to the enterprise's reputation
- Motivation: financial gain or revenge
- Affiliation: employee or partner who has authorized access
- Common TTPs: data exfiltration or privilege misuse

Cybercriminals
- Information: a long-term, global, common threat; act individually or in groups to
achieve their purposes
- Motivation: financial gain or reputation enhancement
- Affiliation: individuals or with collaborators
- Common TTPs: phishing, social engineering, malware, ransomware

1.3.3 Attack

Passive Attack
- Does not affect system resources.
- Eavesdropping on, or monitoring of, data transmissions.
- Two types of passive attack (interception):
a. Release of message contents
b. Traffic analysis

Active Attack
- Alters system resources or affects their operation.
- Involves modification of the data stream or creation of a false stream.
- Three categories:
a. Fabrication (masquerade)
b. Modification (modification of messages, replay attack)
c. Interruption (DoS attack)

Attack Vectors
- Pathway or avenue used by a threat actor to penetrate a system.
- Categories:
1) Email (malicious hyperlinks or attachments)
2) Wireless (traffic intercepted and read or altered)
3) Removable media (USB flash drive)
4) Direct access (physical: the attacker can "touch" the machine)
5) Social media (e.g. an Instagram post)
6) Supply chain (third-party vulnerabilities)
7) Cloud

1.4 Security Functional Requirements


- Access control
- Data integrity
- Authentication
- Account lockout after repeated wrong passwords

1.6 Computer Security Strategy


- Zero trust: never trust, always verify.
- Information security policies:
a. Network Security Policy
b. Workstation Policy (lock unattended workstations, password usage, antivirus,
patching)
c. Acceptable Use Policy (acceptable/unacceptable Internet browsing, email use,
use of social networking)
d. Clean Desk Policy (sensitive notes must not be left lying on a desk)
e. Remote Access Policy (VPN)
f. Password Policy (e.g. change passwords every 60 days, strong passwords)
g. Account Management Policy (creation and administration of accounts; when staff
resign → remove their accounts)
h. Email Security Policy (rules for sending, receiving or storing email and
attachments)
i. Log Management Policy (log files)
j. Security Incident Management Policy (reporting and responding to incidents)
k. Personal Device Acceptable Use and Security (BYOD) Policy
l. Patch Management Policy (security vulnerabilities)
m. Server Security Policy (configuration and technology resources)
n. System Monitoring and Auditing Policy (detect whether inappropriate actions have
occurred)
Chapter 2
Malware == computer contaminant
Software that modifies, damages, destroys, records or transmits information without
the intent or permission of the owner.

Imprison
- Takes away freedom from the user
- Types: ransomware / cryptomalware
- Ransomware: locks the user's device or data and embeds itself so that a reboot does
not remove it, until a fee (ransom) is paid
- Cryptomalware: encrypts the files on the device and demands payment for the
decryption key; the price of the key typically increases every few hours or days.
(Malware that instead silently uses the device's resources to mine cryptocurrency is
cryptojacking, a separate category.)

Launch
- Launch attacks on other computer
- Example: worm, virus, bot

Virus
- File-based virus vs fileless virus
- File-based virus: malicious code that attaches itself to a file
- Replicates itself on the same machine without human intervention
- Appender infection – the virus attaches to the end of the file and inserts a jump
instruction at the beginning of the file that points to the end → when the program
is launched, the jump redirects execution to the virus code.
- Armored file-based virus:
➢ split infection – the malicious code is split into several parts placed at
random positions in the file
➢ mutation – the virus carries a set of predefined mutations to fool
signature-based malware scanners
- Each time the infected program is launched / data file is opened, the virus:
1. Unloads a payload
2. Reproduces itself
3. Spreads with the help of the user (cannot automatically spread to another
computer; relies on user action)
- Fileless virus – abuses native services of the OS, known as living-off-the-land
binaries (LOLBins), to load malicious code directly into random access memory (RAM)
- Advantages (for the attacker):
1. Easy to infect – e.g. through a malicious webpage that silently sends a script
2. Extensive control – the LOLBins are trusted OS components, so the code runs with
high privileges and full access to the core OS
3. Persistent – survives a reboot by writing the script into the Windows
Registry
4. Difficult to detect – traditional file-scanning anti-malware does not scan RAM
5. Difficult to defend against

Worm
- Uses the computer network to replicate
- Exploits a vulnerability on one system → searches for the next computer that
has the same vulnerability.

Bot
- Allows the attacker to remotely control the infected computer.
- Infected computer – bot / zombie
- Bot + bot + … = botnet (controlled by a bot herder)
- Receives instructions through a command and control (C&C) structure

Snoop
- Types: spyware & keylogger
- Spyware: collects information without the user's approval
- Keylogger: captures and stores KEYSTROKES (can be software or hardware)
- Can also capture the user's screen and record images using the webcam
- Hardware keylogger: not easily detected BUT the device must be installed and
removed physically

Deceive
- Deceives the user and hides its true intentions
- Examples: potentially unwanted program (PUP), Trojan, remote access Trojan
(RAT)
- PUPs – often bundled or pre-installed on new devices; cannot be easily removed
- Trojans – executable program that masquerades as performing a benign (not
dangerous) activity
- RAT – same as a Trojan but additionally gives unauthorized remote access to the attacker

Evade
- Avoids detection
- Examples: backdoor, logic bomb, rootkit
- Backdoor – circumvents the normal security protection (may have been left
unintentionally, e.g. by a developer)
- Logic bomb – computer code that triggers on a specific logical event (lies
dormant and evades detection until then)
- Rootkit
- Hides its own presence and that of other malware
- Collects user IDs and passwords; gives root or privileged access to the
attacker
- Can change the configuration of the host machine
2.2 Countermeasures to prevent malware attacks
1) Developing security policies
- Part of the company's cyber security strategy
1. Social engineering awareness policy
2. Server malware protection policy – install anti-malware on servers
3. Software installation policy – only licensed, approved software is allowed
4. Removable media policy – minimize the use of removable media

2) Implementing security awareness training
- Prevents massive losses from cyber attacks.
1. Baseline testing – measure the likelihood that a user falls for a phishing attack
2. Training users – educate users about the latest social engineering attacks
3. Phishing results – run simulated phishing attacks
4. Reporting results – statistics and graphs for the training and phishing
activities

3) Using app-based multi-factor authentication

4) Installing anti-malware and spam filters

5) Changing default operating system policies
- Password policy – password history from 10 → 24 remembered passwords; maximum
password age from 90 days → 42 days

6) Performing routine vulnerability assessments
- To identify known vulnerabilities
- Implement a patch management program
Chapter 3
3.1 Three elements of IS security
1) Logical security – protects computer data
- Protects computer-based data from software-based and communication-based
threats

2) Physical security – protects the system and access to it
- Aka infrastructure security
- Protects the IS (not only the data but the entire system)
- Prevents any type of unauthorized physical access

3) Premises security – protects people and property
- Aka facilities security
- Protects the people and property
- Environmental protection, perimeter security, access control

3.2 Physical security


● Prevent damage to physical infrastructure → hardware, physical facility,
support facilities and personnel
● Prevent physical infrastructure misuse → include vandalism & theft

3.3 Physical Security threats
● Anything with the potential to result in loss of, or physical damage to, a computer system
● Internal: originate inside the building where the IS is located
● External: originate outside the building where the IS is located
● Humans: including theft, vandalism

3.5 Recovery from Physical Security Breaches
● Redundancy – keep multiple copies (backups)
○ Important data should be available off-site and updated as often as possible
○ Encrypt backup data
○ A remote hot site is ready to take over operation almost instantly
● Disaster recovery specialists do the cleanup

3.6 Integration of Physical and Logical
PIV (Personal Identity Verification) card authentication mechanisms:
● Visual (VIS) – visual identity verification of the PIV card by a human guard.
● Cardholder unique identifier (CHUID) – a data object read from the PIV card.
● Biometric (BIO) – authentication by a biometric such as a fingerprint (or iris)
stored on the card.
● Attended Biometric (BIO-A) – same as BIO, but a guard observes the cardholder
during the scan.
● PIV authentication key (PKI) – cryptography-based authentication using the card's
key; requires PIN entry.
● Card authentication key (CAK) – an optional key that may be present on a PIV card;
does not require PIN entry.

Security areas:
● Unrestricted Area – outside the fence or walls of the facility
● Controlled Area – inside the fence or front door
● Limited Area – past a security checkpoint, for employees
● Exclusion Area – the most secure areas, to which access is granted to specific
individuals only
Chapter 4
4.2 Threats and common attacks

1) Network Packet Sniffers
● Information sent over a network is broken into smaller pieces called packets.
● A packet sniffer is a software application that uses a network adapter card (in
promiscuous mode) to capture all network packets sent across a local network segment.
● Sniffing traffic to networked databases provides the attacker with the information
queried from the database, as well as account names and passwords if they are sent in
cleartext.
● Example: Wireshark

2) IP Spoofing and Denial-of-Service Attack
○ An attacker outside your network pretends to be a TRUSTED COMPUTER by using a
fake (spoofed) source IP address.
○ Normally limited to injecting data or commands into an existing stream (an
established connection), because the replies go to the spoofed address.
○ An attacker who can also change the routing tables to point to the spoofed IP
address receives the replies too.
○ DoS (SYN flood): the attacker sends a TCP SYN → the host returns SYN-ACK and waits
(half-open state) → the attacker never responds → the host's connection table fills
up and it cannot respond to other, legitimate requests.

3) Password attacks
○ Brute force: try all possible passwords exhaustively
○ Trojan horse program: captures passwords (spying)
○ IP spoofing: faking the IP address of a trusted host
○ Once in, create a backdoor for future access if the compromised account has
sufficient privileges

4) Distribution of sensitive internal information to external sources
○ Outsider – via password attacks and IP spoofing
○ Internal user – copies data to an external computer or shares a drive on the network

5) Man-in-the-Middle Attack
○ The attacker may read or change the data stream
○ Requires that the attacker has access to the network packets (e.g. sits on the path
between the two parties)
○ Possible uses: theft of information, corruption of transmitted data, DoS
4.3 Defense Mechanism

1) Malware scanners
● Prevent malware from infecting a system.
● Signature-based detection: compare a file against a list (definition or .dat file)
of all known malware signatures, e.g. file hashes, byte patterns and file sizes.
● Heuristic detection: look for malware-like behaviour, e.g. manipulating the
Registry.
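The two detection styles above, as an added example that is not part of the notes or of any real scanner: a Python scanner with a constructed signature database (one exact SHA-256 hash plus two byte-pattern heuristics for Registry Run-key persistence and encoded PowerShell). The sample files, the detection names and the patterns are all constructed for this example. It also shows why the "mutation" trick from Chapter 2 works against hash signatures: one changed byte and the exact-hash match is gone, while the behaviour pattern still fires on the batch file.

```python
import hashlib
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the scanner's definition (.dat) file: a known-bad
# sample and its exact SHA-256 digest. A real product ships millions of these.
SAMPLE_MALWARE = b"MZ\x90\x00DEMO-DROPPER-v1: writes run key and beacons out"
HASH_SIGNATURES = {sha256_hex(SAMPLE_MALWARE): "Demo.Dropper.A"}

# Heuristic signatures: byte patterns for what the notes call malware-like
# behaviour, e.g. persistence through the Registry Run key (constructed names).
PATTERN_SIGNATURES = [
    (re.compile(rb"Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE),
     "Heuristic.RegistryRunKey"),
    (re.compile(rb"powershell(\.exe)?\s+-(enc|encodedcommand)\s", re.IGNORECASE),
     "Heuristic.EncodedPowerShell"),
]

def scan_bytes(data: bytes):
    """Return the detection names for one file's contents: exact-hash match first, then patterns."""
    hits = []
    digest = sha256_hex(data)
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits

def scan_files(files):
    """Scan a {filename: contents} mapping; returns {filename: [detections]}."""
    return {name: scan_bytes(content) for name, content in files.items()}

# Constructed test set: the exact sample, a "mutated" copy (one byte changed, as an
# armored virus would do), a script that touches the Run key, and a benign file.
SAMPLE_FILES = {
    "dropper.exe": SAMPLE_MALWARE,
    "dropper_mutated.exe": SAMPLE_MALWARE.replace(b"v1", b"v2"),
    "installer.bat": b'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v upd /d C:\\tmp\\u.exe',
    "readme.txt": b"Quarterly sales report, nothing executable here",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name:22s} {hits or 'clean'}")
```

The mutated dropper comes back clean because its hash no longer matches, which is exactly the gap heuristic and behavioural detection (and, for fileless malware, memory scanning) are meant to close.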

2) Firewalls
○ A barrier between two computers / computer systems / networks.
○ Filters incoming packets based on packet size, source IP address, protocol,
destination port, etc.
○ Benefits:
i) Blocks certain traffic based on a set of rules
ii) Mitigates some DoS attacks (stateful packet inspection)
○ Limitations:
i) Cannot stop a user from downloading a Trojan horse
ii) Cannot stop internal attacks
○ Stateless Packet Filtering
i) Checks the protocol, port and IP address of each packet against the
firewall's rules
ii) Each packet is treated as a singular event, without reference to the
previous conversation
○ Stateful Packet Filtering
i) Records connection state and checks future packets against it
ii) Examines each packet and denies or permits access based not only on the
firewall rules but also on data derived from previous packets
iii) Less susceptible to ping floods, SYN floods and spoofing
iv) E.g. the same source IP sends thousands of SYN packets continuously →
assumed to be a DoS attack → its packets are blocked
○ Application Gateways (application proxies)
i) Programs that run on the firewall and hide the client's details
ii) Act on behalf of the client, hiding and protecting the individual
computers
iii) Two connections:
(1) Client to proxy server
(2) Proxy server to destination
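The stateless-versus-stateful distinction, and the SYN-flood case from 4.2, as an added example that is not part of the notes or of any real firewall product: a Python simulation with constructed packet headers, a constructed rule set (allow TCP to 10.0.0.5:80, deny everything else) and a constructed SYN threshold. The stateless filter passes a stray ACK to port 80 because the header alone matches the rule; the stateful filter drops it because no handshake preceded it, tracks the legitimate client's SYN/ACK, and blocks a source that sends many SYNs without ever completing one.

```python
from collections import defaultdict

# Constructed rule set protecting a web server at 10.0.0.5:
# allow inbound TCP to port 80, deny everything else (default deny).
RULES = [
    {"proto": "tcp", "dst_ip": "10.0.0.5", "dst_port": 80, "action": "allow"},
]

def pkt(src_ip, dst_ip, dst_port, flags=(), proto="tcp"):
    """Build a constructed packet header; 'flags' holds TCP flag names such as SYN or ACK."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto,
            "dst_port": dst_port, "flags": frozenset(flags)}

def stateless_filter(p, rules=RULES):
    """Stateless filtering: each packet is judged on its own header fields.
    A rule field that is absent is a wildcard; the first matching rule wins."""
    for rule in rules:
        if all(k not in rule or rule[k] == p[k] for k in ("src_ip", "dst_ip", "proto", "dst_port")):
            return rule["action"]
    return "deny"

class StatefulFilter:
    """Stateful filtering: remembers the TCP handshake, so later packets are judged
    against the conversation they belong to and not only against the rule list."""

    def __init__(self, rules=RULES, syn_limit=100):
        self.rules = rules
        self.syn_limit = syn_limit          # constructed threshold for the SYN-flood heuristic
        self.half_open = defaultdict(int)   # src_ip -> SYNs seen without a completing ACK
        self.established = set()            # (src_ip, dst_ip, dst_port) of completed handshakes
        self.blocked = set()                # sources judged to be SYN-flooding

    def process(self, p):
        src = p["src_ip"]
        key = (p["src_ip"], p["dst_ip"], p["dst_port"])
        flags = p["flags"]
        if src in self.blocked:
            return "deny"
        if key in self.established:
            return "allow"                  # part of a tracked conversation
        if flags == {"SYN"}:
            if stateless_filter(p, self.rules) != "allow":
                return "deny"               # a new connection still needs a permitting rule
            self.half_open[src] += 1
            if self.half_open[src] > self.syn_limit:
                self.blocked.add(src)       # many SYNs, no ACKs: treat as a SYN flood
                return "deny"
            return "allow"
        if flags == {"ACK"} and self.half_open[src] > 0:
            self.half_open[src] -= 1        # third step of the handshake completes the connection
            self.established.add(key)
            return "allow"
        return "deny"                       # ACK or data with no prior SYN: not part of any conversation

def demo():
    """Run the scenarios from the notes and return the verdicts."""
    srv, results = "10.0.0.5", {}
    stray_ack = pkt("203.0.113.9", srv, 80, {"ACK"})      # e.g. an ACK scan
    results["stateless_stray_ack"] = stateless_filter(stray_ack)
    fw = StatefulFilter()
    results["stateful_stray_ack"] = fw.process(stray_ack)
    client = "198.51.100.7"                                 # legitimate client: SYN, ACK, then data
    fw.process(pkt(client, srv, 80, {"SYN"}))
    fw.process(pkt(client, srv, 80, {"ACK"}))
    results["stateful_data_after_handshake"] = fw.process(pkt(client, srv, 80, {"PSH", "ACK"}))
    results["stateful_ssh_syn"] = fw.process(pkt(client, srv, 22, {"SYN"}))
    flooder = "192.0.2.66"                                  # 150 SYNs, never completing the handshake
    verdicts = [fw.process(pkt(flooder, srv, 80, {"SYN"})) for _ in range(150)]
    results["flood_syns_allowed"] = verdicts.count("allow")
    results["flooder_blocked"] = flooder in fw.blocked
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32s} {v}")
```

The simulation tracks only the server-side half of the state (inbound connections to one host); a real stateful firewall also tracks the reply direction, sequence numbers and idle timeouts, which is where its memory cost, and its own exposure to state-exhaustion attacks, comes from.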
3) Antispyware
○ Checks against a list of known spyware

4) IDSs
○ Inspect all inbound and outbound traffic for suspicious activity on any port
(they look at the activity, not just the individual packet)

Passive IDS
- Monitors suspicious activity and logs it (alert only).
- A false positive only produces a spurious alert; an administrator decides what to do.

Active IDS (IPS)
- Monitors suspicious activity, logs it, then shuts down the suspicious communication.
- A false positive blocks legitimate traffic, so tuning matters more.
5) Digital certificates
○ Based on asymmetric encryption
○ Contain the holder's public key along with other information
○ Used to authenticate the holder of the certificate
○ Consist of:
i) Owner's public key
ii) Owner's distinguished name
iii) CA's distinguished name (and the CA's signature over the certificate)

6) SSL/TLS – traffic between a web browser and the web server is encrypted

7) Virtual Private Networks (VPNs)
○ Create a virtual connection (tunnel) between a remote user or site and a central
location
○ Benefits:
i) Separates the VPN traffic from other data traffic
ii) Encrypts the data
iii) Hides the user's IP address
Chapter 5

Cryptography – the practice of transforming information so that it cannot be
understood by unauthorized parties (scrambling the information).

Plaintext: unencrypted data (input of encryption / output of decryption)
Ciphertext: the scrambled and unreadable text (output of encryption)
Cleartext: unencrypted data that is not intended to be encrypted.
Cipher: a cryptographic algorithm, based on a mathematical formula.

Key elements of an effective cryptosystem:
1. Must be reversible (by the holder of the key)
2. Secrecy and length of the key (the longer the key, the more impractical it is to
brute force within a reasonable time)
3. Has been subjected to substantial cryptanalysis

Cryptanalysis: any method employed to break a cipher or code (mathematical
analysis).

Cipher categories
Substitution cipher – exchanges one character for another
- Caesar cipher: choose some number and shift each letter by it (easily broken by
brute-force cryptanalysis: only 25 possible keys)
- ROT13: the entire alphabet is rotated 13 steps, so applying it twice restores the
plaintext

XOR cipher – based on the eXclusive OR binary operation; the same operation with the
same key both encrypts and decrypts
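The three ciphers above and the brute-force attack on the Caesar cipher, as an added example that is not part of the notes: Python implementations of Caesar, ROT13 and repeating-key XOR, plus the exhaustive attacks that the "key length" point in this chapter implies. The message, the crib words and the one-byte XOR key are constructed; the scoring alphabet for the XOR crack is an assumption (uppercase letters and spaces). Both attacks go beyond the notes slightly in that they automate the key search instead of trying shifts by hand.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Substitution cipher: shift every letter 'shift' places; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def rot13(text):
    """Caesar with shift 13: the same call encrypts and decrypts because 13 + 13 = 26."""
    return caesar(text, 13)

def brute_force_caesar(ciphertext, crib_words=("THE", "AND", "ATTACK")):
    """Cryptanalysis by exhaustion: only 25 keys exist, so try them all and keep the
    decryptions that contain an expected word (a 'crib')."""
    hits = []
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        if any(word in candidate for word in crib_words):
            hits.append((shift, candidate))
    return hits

def xor_cipher(data, key):
    """Repeating-key XOR: ciphertext[i] = data[i] ^ key[i mod len(key)].
    XOR is its own inverse, so the same function decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def single_byte_xor_crack(ciphertext, allowed=frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ ")):
    """A one-byte key gives only 256 candidates: score each decryption by how many
    bytes fall in the expected alphabet and keep the best. This is the 'key length'
    point of the chapter in miniature: 8 bits of key is no key at all."""
    def score(k):
        return sum(b in allowed for b in xor_cipher(ciphertext, bytes([k])))
    best = max(range(256), key=score)
    return best, xor_cipher(ciphertext, bytes([best]))

if __name__ == "__main__":
    ct = caesar("ATTACK AT DAWN", 3)                # constructed message and shift
    print(ct, brute_force_caesar(ct))
    xct = xor_cipher(b"ATTACK AT DAWN", b"\x5a")     # constructed one-byte key
    print(xct.hex(), single_byte_xor_crack(xct))
```

A longer XOR key does not rescue the scheme either: with key reuse the ciphertext still leaks the plaintext's statistics, which is why modern ciphers combine XOR with a keystream that never repeats.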

Cryptography use cases


1. Confidentiality – authorized parties (with key) can view the message
2. Integrity – no unauthorized people or software has altered that data
3. Authentication
4. Non-repudiation – digital signature → Verifiable with sender's public key
5. Obfuscation – making something obscure or unclear

5.2 Cryptographic Algorithms
Block cipher – transforms plaintext into ciphertext in fixed-size blocks
Stream cipher – encrypts a continuous string of binary digits
– encryption is done 1 bit (or byte) at a time, generating ciphertext for
plaintext messages of arbitrary length

Hash Algorithms
Result: digest
Purpose: comparison; verify that the original contents of an item have not been
changed

Characteristics –
● Fixed size (the digest has the same length regardless of the input size)
● Unique (two different inputs should not produce the same digest)
● Original (it should be infeasible to construct an input that produces a chosen digest)
● Secure (the digest cannot be reversed to recover the input)

Common Hash Algorithms

Message Digest (MD)
- Used to check the integrity of files
- MD5 – 128-bit digest, written as a 32-digit hexadecimal number
- Collisions (two different inputs with the same digest) can be produced within a
feasible time (not 10 million years), so MD5 is no longer considered secure

Secure Hash Algorithm (SHA)

Hashed Message Authentication Code (HMAC)
- A digest keyed with a shared secret, used to detect intentional alterations in a
message (a plain hash only detects accidental changes, since an attacker who modifies
the message can simply recompute it)
5.3 Symmetric Encryption
- Uses the same key to encrypt and decrypt
- Fast to encrypt and decrypt
- Strength of the scheme depends on:
a. Size of the key
b. Keeping the key secret
Key Distribution
1. Session key – during a logical connection, data is encrypted with a one-time
session key.
2. Permanent key – a long-term key used to request and distribute session keys
3. Key distribution center (KDC) – a trusted third party that distributes session keys
4. Security service module – obtains session keys on behalf of users
5.4 Asymmetric Encryption
Key pair: a pair of keys (public key and private key)
Public key: freely given to anyone
Private key: must be kept confidential

RSA
- Based on the difficulty of factoring the product of two large prime numbers
(prime factorization)
- Larger key size for the same strength
- Slower encryption
- Higher power consumption

Elliptic Curve Cryptography (ECC)
- Based on the mathematics of points on elliptic curves
- Smaller key size for the same strength
- Faster encryption
- Lower power consumption

Asymmetric encryption for confidentiality:
BOB (encrypts with Alice's public key) -----> ALICE (decrypts with her own private key)

Digital Signature (e.g. Digital Signature Algorithm, DSA)
1) Verifies the sender
2) Prevents the sender from disowning the message (non-repudiation)
3) Proves the integrity of the message

Step 1: Bob creates the memo and computes its digest (hash)
Step 2: Bob encrypts the digest with his own private key (this is the digital
signature of the memo)
Step 3: Bob sends both the memo and the digital signature (DS) to Alice
Step 4: Alice decrypts the DS using Bob's public key (if it cannot be decrypted, it is
not from Bob)
Step 5: Alice hashes the memo with the same hash algorithm and compares the results;
a match proves integrity and origin
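The hash and HMAC properties from 5.2 and the five signature steps above, as one added example that is not part of the notes: Python code that computes a SHA-256 digest, a keyed HMAC tag, and a textbook RSA signature over the digest (sign with the private exponent, verify with the public one). The key pair uses fixed Mersenne primes and no padding, which is an assumption made so the arithmetic is visible; it illustrates the steps only and is not how real signatures are produced (use RSA-PSS or ECDSA from a vetted library). The memo is constructed.

```python
import hashlib
import hmac

# --- Hash: fixed-size digest; any change to the input changes the digest ---
def digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()

# --- HMAC: the digest is keyed with a shared secret, so an attacker who
# alters the message cannot recompute a valid tag without that secret ---
def hmac_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def hmac_verify(key: bytes, message: bytes, tag: str) -> bool:
    # constant-time comparison: avoids leaking how many tag bytes matched
    return hmac.compare_digest(hmac_tag(key, message), tag)

# --- Textbook RSA signature over a digest (assumption: toy construction with
# fixed Mersenne primes 2^61-1 and 2^89-1 and no padding) ---
def make_keypair(p=2**61 - 1, q=2**89 - 1, e=65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)

def _hash_to_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    """Steps 1-2 of the notes: hash the memo, then 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(_hash_to_int(message, n), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    """Steps 4-5: 'decrypt' the signature with the public key and compare with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(message, n)

if __name__ == "__main__":
    memo = b"Transfer 100 to account 42"          # constructed memo
    public, private = make_keypair()
    sig = sign(private, memo)
    print("valid:", verify(public, memo, sig))
    print("tampered:", verify(public, b"Transfer 1000 to account 42", sig))
    tag = hmac_tag(b"shared-secret", memo)
    print("hmac ok:", hmac_verify(b"shared-secret", memo, tag),
          "hmac altered:", hmac_verify(b"shared-secret", memo + b"!", tag))
```

The difference between the two integrity mechanisms is who can produce the tag: anyone with the shared secret can forge an HMAC, which is why it gives integrity but not non-repudiation, whereas only the holder of the private key can produce a signature that the public key accepts.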
Chapter 6
User authentication
❖ Fundamental building block and primary line of defense
❖ Basis of user accountability (someone must be responsible when something goes wrong)
❖ Two steps – identification step (present a user ID) & verification step (e.g. password)

Four means of authenticating user identity are based on:
● Something the individual knows (password, PIN)
● Something the individual possesses (token)
● Something the individual is (static biometrics)
● Something the individual does (dynamic biometrics)

Challenges of Password Authentication
● Memorizing and recalling long and complex passwords
● Remembering different passwords for many accounts
● Needing a unique password for each account
● Repeatedly memorizing new passwords when they must be changed

Attacks on Passwords
Pass the Hash attack – use a stolen password hash to impersonate the user without
knowing the password itself
Password cracker – generates candidate passwords (e.g. commonly used passwords),
hashes them and compares the results with a list of stolen digests

Password Spraying – select a few common passwords and try each against many user
accounts (trial and error, staying below lockout thresholds)

Brute Force Attack
- Every possible combination of letters, numbers and characters is attempted
exhaustively.
- The same account is attacked continuously.

Rule attack
- Conducts a statistical analysis of previously stolen passwords
- Creates a mask describing the format of candidate passwords (e.g. capital letter,
word, digits)

Dictionary Attack
- Creates digests of common dictionary words and compares them with the stolen digests

Rainbow Tables
- Large pregenerated data sets of candidate digests
- Generating them requires a significant amount of time up front
- Advantages:
1. Can be reused repeatedly for attacks on other passwords
2. Much faster than dictionary attacks
3. The amount of memory needed is reduced (compared with storing every digest)

Password Collections
- Passwords obtained (in cleartext) by breaking into a server serve as candidate
passwords for future attacks
- The foundation of password cracking
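The dictionary and rule attacks above, as an added example that is not part of the notes: a Python cracker that builds a lookup table of candidate digests and matches it against a constructed list of stolen, unsalted SHA-256 digests, then the per-user salt that defeats precomputed tables (the idea behind rainbow tables). The user names, passwords, word list and mangling rules are all constructed for this example; the rule set is an assumption about what a real attacker would derive from a password collection.

```python
import hashlib
import hmac
import os

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed "stolen" digest list: unsalted SHA-256, as an attacker might obtain
# from a breached server. The plaintexts appear here only so the example can build
# the list; the attacker sees only the digests.
STOLEN_DIGESTS = {
    "alice": sha256_hex("password"),
    "bob":   sha256_hex("Summer2024"),
    "carol": sha256_hex("dragon1"),
    "dave":  sha256_hex("correct horse battery staple"),
}

# Constructed word list (a real one is a password collection from past breaches).
WORDLIST = ["123456", "password", "dragon", "summer", "letmein"]

def dictionary_attack(stolen, wordlist):
    """Hash every candidate once, then look each stolen digest up in the table.
    Cost is len(wordlist) hashes no matter how many accounts were stolen."""
    lookup = {sha256_hex(word): word for word in wordlist}
    return {user: lookup[d] for user, d in stolen.items() if d in lookup}

def rule_attack(stolen, wordlist):
    """Mangle each word with rules learned from past breaches (a mask such as
    'Capitalised word + digits'), then proceed exactly as the dictionary attack."""
    def mutate(word):
        yield word
        yield word.capitalize()
        for digit in range(10):
            yield f"{word}{digit}"
        for year in range(2020, 2026):
            yield f"{word.capitalize()}{year}"
    lookup = {sha256_hex(cand): cand for word in wordlist for cand in mutate(word)}
    return {user: lookup[d] for user, d in stolen.items() if d in lookup}

# Defence: a per-user random salt means the same password hashes to a different
# digest for every user, so one precomputed table no longer applies to them all.
def store_salted(password: str):
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    print("dictionary:", dictionary_attack(STOLEN_DIGESTS, WORDLIST))
    print("rules:     ", rule_attack(STOLEN_DIGESTS, WORDLIST))
    salt, stored = store_salted("password")
    print("salted digest cracked by the same table:",
          dictionary_attack({"eve": stored}, WORDLIST))
```

Salting forces the attacker back to one hash computation per candidate per user; a deliberately slow password hash (bcrypt, scrypt, Argon2) then makes each of those computations expensive, which is the second half of the defence.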

Token-based Authentication

Specialized Devices
Smart cards
● Credit-card-sized plastic card that can hold information used in the
authentication process
● Disadvantages:
○ Require a specialized hardware reader and device driver software
○ Skimming – capturing the information from the magnetic strip

Windowed Token
● Displays a one-time password (OTP)
● Two types of OTP:
○ Time-based one-time password (TOTP) – changes after a set period of
time
○ HMAC-based one-time password (HOTP) – event driven; changes when a specific
event occurs (e.g. a button press that increments a counter)

Smartphones
- Phone call
○ Automated phone call to the smartphone asking whether the user requested to log
in → press a digit on the keypad to approve or decline

- SMS text message

- Authentication app

Disadvantages of using a smartphone
1. OTPs can be "phished"
2. SMS can be intercepted
3. A malware infection on the phone can target the authentication app

Security Key
- A dongle that is inserted into a USB port
- Attestation – a key pair "burned" into the security key identifies the key model
- Advantage: does not transmit OTPs that can be intercepted or phished
- Disadvantage: can be stolen

Biometric Authentication

Physiological biometrics
Biometric scanners
1) Retina scanner – measures the pattern of reflections from the retina and compares it
2) Fingerprint scanner
3) Vein scanner
4) Gait recognition (dynamic biometrics) – walking style

Standard input devices (microphone, camera)
1) Voice recognition (dynamic biometrics)
2) Iris scanner
3) Facial recognition

Disadvantages
- Cost of devices/scanners (expensive)
- Not foolproof
- Can be tricked
- Concern over the efficacy rate (trade-off between convenience and security level,
false acceptance vs false rejection)
Remote User Authentication
- Takes place over the Internet, a network or a communication link
Access Control
- Implements a security policy that specifies who or what may have access to
each resource and the type of access that is permitted
- Authentication function – determines whether the user is permitted to access the system
- Access control function – determines whether the specific access requested by the
user is permitted
- Auditing function – monitors and keeps a record of user accesses to resources

Discretionary Access Control (DAC)
- The owner of a resource decides who may access it
- Access control matrix: lists subjects (rows) and objects (columns) in two
dimensions; each cell holds the access rights

ABAC (Attribute-Based Access Control)
- Grants permission based on attributes of the user, the resource and the
environment, e.g. access to a specific target for a specific time frame
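The access control matrix, the owner-decides rule of DAC, the auditing function and the time-boxed ABAC grant above, as one added example that is not part of the notes: a Python access control matrix whose owner-only grant() and logging check() implement DAC with an audit trail, beside an ABAC decision computed from subject, object and environment attributes. The subjects, objects, roles, clearance levels and the contractor policy (read own-project files, on-site, 09:00-17:00) are constructed for this example.

```python
class AccessControlMatrix:
    """DAC: subjects are rows, objects are columns and each cell is the set of
    rights the subject holds on the object. The owner of an object decides who
    gets rights on it. Every check is recorded (the auditing function)."""

    def __init__(self):
        self.rights = {}     # subject -> {object -> set of rights}
        self.owner = {}      # object -> owning subject
        self.audit = []      # (subject, object, op, granted)

    def create(self, owner, obj):
        """The creator becomes the owner and gets full rights on the new object."""
        self.owner[obj] = owner
        self.rights.setdefault(owner, {})[obj] = {"read", "write"}

    def grant(self, granter, subject, obj, op):
        """Discretionary: only the object's owner may add a right to its column."""
        if self.owner.get(obj) != granter:
            return False
        self.rights.setdefault(subject, {}).setdefault(obj, set()).add(op)
        return True

    def check(self, subject, obj, op):
        """Access control function: is this specific access permitted? Logged either way."""
        granted = op in self.rights.get(subject, {}).get(obj, set())
        self.audit.append((subject, obj, op, granted))
        return granted

def abac_check(subject, obj, env, op):
    """ABAC: the decision is computed from attributes rather than looked up in a
    matrix. Constructed policy: contractors may read files of their own project,
    on-site, between 09:00 and 17:00 (env['hour'] is the local hour); employees may
    access anything at or below their clearance level."""
    if subject["role"] == "contractor":
        return (op == "read" and obj["project"] == subject["project"]
                and env["on_site"] and 9 <= env["hour"] < 17)
    if subject["role"] == "employee":
        levels = ["public", "internal", "secret"]
        return levels.index(obj["classification"]) <= levels.index(subject["clearance"])
    return False

if __name__ == "__main__":
    acm = AccessControlMatrix()
    acm.create("alice", "payroll.xlsx")
    print(acm.grant("bob", "bob", "payroll.xlsx", "read"))    # False: bob is not the owner
    print(acm.grant("alice", "bob", "payroll.xlsx", "read"))  # True
    print(acm.check("bob", "payroll.xlsx", "write"))          # False, and logged
    print(acm.audit)
    contractor = {"role": "contractor", "project": "apollo"}
    doc = {"project": "apollo", "classification": "internal"}
    print(abac_check(contractor, doc, {"on_site": True, "hour": 10}, "read"))   # True
    print(abac_check(contractor, doc, {"on_site": True, "hour": 22}, "read"))   # False
```

The matrix answers "who has what" in one lookup but has to be updated whenever people or resources change; the attribute rule needs no update when a new contractor or project appears, at the cost of having to evaluate (and test) policy logic on every request.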
Chapter 7
Risk assessment: a formal process of answering the questions:
- What assets need to be protected?
- How are those assets threatened?
- What can be done to counter those threats?

IT Security Management: the process of maintaining levels of confidentiality,
integrity, availability, accountability, authenticity and reliability (CIA + AAR)

Model process for managing information security (Plan-Do-Check-Act):
1) Plan – establish security policy, objectives, processes and procedures
2) Do – implement the risk treatment plan
3) Check – monitor and review the risk treatment plan
4) Act – maintain and improve the information security risk management process
7.4 Security Risk Assessment
Asset – a system resource or capability of value to its owner
Threat – potential to exploit a vulnerability
Vulnerability – a flaw or weakness
Risk – potential for loss (likelihood × consequence)
Risk Likelihood
- Rare
- Unlikely
- Possible
- Likely
- Almost Certain

Risk Consequence
- Insignificant
- Minor
- Moderate
- Major
- Catastrophic
- Doomsday

Risk Treatment Alternative


● Risk acceptance
● Risk avoidance
● Risk transfer – e.g. buying insurances
● Reduce consequence – changing internal processes
● Reduce likelihood – e.g. antivirus
7.3 Risk Assessment Approaches

Baseline Approach
- Description: implement a basic, general level of security using generally agreed
controls that provide protection against the most common threats
- Advantages: cheap; very general, so it can be replicated on other systems
- Disadvantages: not based on the organization's own risk exposure (not
specialized); the baseline level might be too high or too low
- Suitable for: small organizations

Informal Approach
- Description: does not use a structured process but exploits the knowledge and
expertise of the individual performing the analysis
- Advantages: performed quickly and cheaply; analyses the organization's own system,
so the controls are more accurate and targeted
- Disadvantages: results may be skewed (biased), making it hard to justify the
proposed expenditure
- Suitable for: small to medium organizations where IT systems are not necessarily
essential

Detailed Risk Approach
- Description: detailed risk assessment of the organization's IT systems using a
formal, structured process
- Advantages: more detailed examination; provides strong justification for the
controls; supports future enhancement or maintenance
- Disadvantages: more cost in time, resources and expertise; may delay providing
suitable levels of protection
- Suitable for: large organizations whose IT systems are critical to their objectives

Combined Approach
- Description:
Step 1: implement baseline security and identify systems exposed to high risk levels
Step 2: informal risk assessment on key systems
Step 3: perform detailed risk analyses on those systems
- Advantages: provides reasonable levels of protection; easier to convince
management; ensures that a basic level of security protection is implemented;
cost effective
- Disadvantages: if the initial high-level analysis is inaccurate, some systems
remain vulnerable
Chapter 8

Control – a procedure that reduces risk by eliminating or preventing a security
violation, by minimizing the harm it can cause, or by discovering and reporting it to
enable corrective action.

Security Control – a safeguard or countermeasure employed within an organizational
information system to protect confidentiality, integrity and availability; it limits
the information system's exposure to danger.

Control Classes

Management controls
- Security policies, planning, guidelines and standards on reducing the risk and
protecting organization’s mission

Operational controls
- Mechanisms and procedures that are primarily implemented by people rather
than systems

Technical controls
- Involve the correct use of hardware and software security capabilities in
systems
8.2 Types of Security Controls
Deterrent controls – discourage security violations (e.g. warning signs)
Preventive controls – stop the threat before it succeeds (e.g. firewall)
Physical controls – defined by structure and location (e.g. fences, locks)
Detective controls – identify a threat or violation that has occurred
Compensating controls – an alternative when the normal control cannot be used (plan
B if plan A cannot be used)
Corrective controls – mitigate or lessen the damage caused by an incident

Controls change from time to time due to technological advancement (new hardware and
software, new procedures).

Inherent risk → the current risk level given the existing set of controls.
Residual risk → the risk level after additional controls are applied.

Goal of security:
✗ eliminate all risk (not achievable)
✔️ achieve an acceptable level of risk and expense while minimizing losses
8.3 IT Security Plan
Provide details of:
- What will be done
- What resources are needed
- Who is responsible

Goal – detail the actions needed → improve the identified deficiencies

8.4 Implementation Plan


Security Plan Implementation
IT security plan documents:
- Personnel responsible
- What needs to be done for each selected control

Identified personnel
- Implement new or enhanced controls
- May need system configuration changes, upgrades or new system installation

When implementation is completed, management authorizes the system for operational
use.

The organizational security officer checks:
- Costs and resources used are not more than allocated
- Whether the risk level has been reduced
- Controls are operated and administered correctly

Security Awareness and Training
- Responsible personnel need specific training on how to execute the security
plan
- On details of the design and implementation of the controls
- Awareness of operational procedures
- General awareness training is needed for all staff
- Spanning all levels in the organization
- Essential to meet security objectives
- A lack of training leads to poor practices that reduce security

8.5 Implementation Follow Up


Security management is a cyclic process
- Constantly repeated to respond to changes in the IT systems and the risk
environment

Maintenance
- Need continued maintenance and monitoring of implemented controls

Security Compliance
● Audit process to review security processes
● Checklist:
○ Suitable policies and plans were created
○ Suitable selection of controls were chosen
○ System are maintained and used correctly

Change and Configuration

Incident Handling
● Procedure – how to respond to a security incident
● Codify action to avoid panic (have a systematic process)
Type of security incident:
● Unauthorized access
● unauthorized modification

Detecting Incident

Responding to Incident
● Need documented response procedures
○ Identify cause of the security incident
○ Describe action taken to recover
● Procedures should
○ Identify typical categories of incidents
○ Approach taken to respond
○ Making critical decision
○ Whether report incident to police/CERT etc

Documenting Incidents
