INFS1701 3617 T1 2023 LecW7 v2


Term 1, 2023

INFS1701 Networking & Security
INFS3617 Networking & Cyber Security

Week 07 The People, Processes, and Technology of Cyber Security (II)

Lecturer-in-Charge: Dr. Henry KF Cheung (kf.cheung@unsw.edu.au)


Copyright Notice

• Some file-sharing websites specialise in buying and selling academic work to and from university students.

• If you upload your original work to these websites and another student downloads it and presents it as their own, wholly or partially, you might be found guilty of collusion, even years after graduation.

• These file-sharing websites may also buy course materials, such as copies of lecture slides and tutorial handouts. By law, the copyright on course materials developed by UNSW staff in the course of their employment belongs to UNSW. Trading these materials constitutes copyright infringement, if not academic misconduct.

Acknowledgement of Country

UNSW Business School acknowledges the Bidjigal (Kensington campus) and Gadigal (City campus) as the traditional custodians of the lands where each campus is located.

We acknowledge all Aboriginal and Torres Strait Islander Elders, past and present, and their communities who have shared and practiced their teachings over thousands of years, including business practices.

We recognize Aboriginal and Torres Strait Islander people's ongoing leadership and contributions, including to business, education and industry.

Source: UNSW Business School. (2022, August 18). Acknowledgement of Country [online video]. Retrieved from https://vimeo.com/369229957/d995d8087f
Week 7 Journey

What we will learn today:

1. Recap of CIA
2. Security Controls and Assessments
3. Incident Response

Confidentiality, Integrity and Availability (CIA)

NIST defines information system-related security risks as those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts

Managing cyber risks is about:

• Protecting the confidentiality of data: no unauthorized access to information is permitted, and accidental disclosure of sensitive information is prevented.

• Preserving the integrity of data: keep data accurate and trustworthy by protecting system data from intentional and accidental changes.

• Preserving the availability of data for authorized use: keep data and resources available to authorized users when they need them.
How to Compromise CIA

• Confidentiality, e.g., a man-in-the-middle (MITM) attack that eavesdrops on traffic
• Integrity, e.g., a MITM attack that modifies traffic in transit
• Availability, e.g., a DDoS attack


Types of Attacks

Attacks can be characterized according to intent:

• A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• An active attack attempts to alter system resources or affect their operation.
Types of Attacks – Passive Attacks

• The goal is to obtain information.
• Example?
• Difficult to detect because they leave few traces, so prevention matters more than detection.

Types of Attacks – Active Attacks

• Involve some modification, for example denial of service or modification of data.
• Authentication can protect against falsification of data.
• Message authentication checks that the content of the communication has not been modified, that the source is authentic, and that the message is timely and in sequence (not replayed, delayed or reordered).
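The four checks above (content, source, timeliness, sequence), as an added example that is not part of the lecture slides: a Python sender and receiver where every message carries an HMAC-SHA256 tag over the sender name, a per-sender sequence number, a timestamp and the payload. The shared key, the 30-second freshness window and the sample "transfer" order are assumptions made for this example. The demo also replays the MITM tampering and replay cases from the "How to Compromise CIA" slide against the receiver and shows which check rejects each one.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only; real deployments provision keys out of band.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_SKEW_SECONDS = 30  # assumed freshness window for the timeliness check


def _canonical(fields):
    """Serialize the authenticated fields deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_message(sender, seq, payload, key=SHARED_KEY, now=None):
    """Build a message whose HMAC-SHA256 tag covers sender, sequence number, timestamp and payload."""
    fields = {
        "sender": sender,
        "seq": seq,
        "ts": int(time.time() if now is None else now),
        "payload": payload,
    }
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


class Receiver:
    """Verifies content and source (MAC), timeliness (timestamp) and sequence (per-sender counter)."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.last_seq = {}  # highest sequence number accepted from each sender

    def verify(self, msg, now=None):
        """Return (accepted, reason); checks are ordered so a forged message fails before any state changes."""
        now = int(time.time() if now is None else now)
        try:
            fields = {k: msg[k] for k in ("sender", "seq", "ts", "payload")}
            tag = msg["tag"]
        except KeyError:
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        # Content and source: a modified message, or one made with a different key, fails the MAC.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag: content modified or source not authentic"
        # Timeliness: reject messages outside the freshness window (delayed or pre-recorded).
        if abs(now - fields["ts"]) > self.max_skew:
            return False, "stale: outside freshness window"
        # Sequence: reject replays and out-of-order delivery of an otherwise valid message.
        if fields["seq"] <= self.last_seq.get(fields["sender"], 0):
            return False, "replay or out of sequence"
        self.last_seq[fields["sender"]] = fields["seq"]
        return True, "ok"


def demo():
    """Run one legitimate message and four active-attack variants through the receiver; return the verdicts."""
    rx = Receiver()
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    order = {"action": "transfer", "amount": 100}
    genuine = make_message("alice", 1, order, now=t0)
    results = [rx.verify(genuine, now=t0 + 1)]                     # accepted
    results.append(rx.verify(genuine, now=t0 + 2))                 # replay of the same message
    tampered = {**genuine, "payload": {"action": "transfer", "amount": 10_000}}
    results.append(rx.verify(tampered, now=t0 + 2))                # MITM changed the amount
    forged = make_message("alice", 2, order, key=b"attacker-key", now=t0 + 2)
    results.append(rx.verify(forged, now=t0 + 3))                  # spoofed sender without the key
    delayed = make_message("alice", 2, order, now=t0 - 600)
    results.append(rx.verify(delayed, now=t0 + 3))                 # valid tag but ten minutes old
    results.append(rx.verify(make_message("alice", 2, order, now=t0 + 3), now=t0 + 4))  # next genuine
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The MAC is checked first and with a constant-time comparison, so an attacker who cannot produce a valid tag learns nothing about the sequence state and cannot consume sequence numbers; the sequence counter is only advanced after every check passes.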
Attack Routine

[Diagram: attack routine. Elements shown: Threat Actor, Threat, Threat Action (i.e., an attack), Vulnerability, Controls, Consequences, and the target.]

Cyber Security Controls


Categories of Security Controls

Controls can be broadly put into three categories, depending on their purpose and at what stage of a security incident they apply:
• Preventive: prevent a security incident from occurring
• Detective: identify, classify and contain an incident while it is occurring
• Corrective: recover from an incident and minimize the damage it caused
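A worked illustration of the detective and corrective categories, added here and not part of the lecture slides: a small Python detector that reads sshd-style authentication log lines (the sample lines below are constructed for this example), raises an alert when one source address accumulates a threshold of password failures inside a sliding time window, and emits the containment rule a responder would apply. The log line layout, the year used to complete the syslog timestamps, the threshold of five failures in sixty seconds and the iptables rule form are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log excerpt for this example (not taken from any real host).
SAMPLE_LOG = """\
Jan 12 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 10:00:03 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jan 12 10:00:05 host1 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
Jan 12 10:00:06 host1 sshd[1206]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jan 12 10:00:08 host1 sshd[1208]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jan 12 10:00:10 host1 sshd[1210]: Failed password for invalid user oracle from 203.0.113.7 port 51126 ssh2
Jan 12 10:00:12 host1 sshd[1212]: Failed password for root from 203.0.113.7 port 51127 ssh2
Jan 12 10:00:30 host1 sshd[1230]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
Jan 12 10:02:15 host1 sshd[1300]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Jan 12 10:02:40 host1 sshd[1302]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Assumed line layout: syslog timestamp, host, sshd[pid], then the password-auth outcome.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_event(line, year=2023):
    """Return a dict for password-auth lines, or None for lines the detector does not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Detective control: alert once per source IP that reaches `threshold` failures within a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried from that address
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "count": len(q),
                "users": sorted(users[ev["ip"]]),
                "first_seen": q[0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


def containment_rules(alerts):
    """Corrective/containment step: the firewall rule a responder would apply for each alerted source."""
    return [f"iptables -I INPUT -s {a['ip']} -j DROP" for a in alerts]


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"ALERT {a['ip']}: {a['count']} failures, users tried {a['users']}")
    for rule in containment_rules(found):
        print(rule)
```

On the sample, only 203.0.113.7 trips the detector (five failures in nine seconds); 192.0.2.9 fails twice but more than a minute apart, so the window prunes the first failure and no alert fires. The same threshold enforced before authentication, for example as a per-source rate limit in the SSH daemon or firewall, would be a preventive control; applied after the fact as the alert and the block rule above, it is detective and corrective.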
Categories of Security Controls

Controls can also be classified based on the nature of the controls:
• Physical: alarm systems, surveillance cameras, locks, ID cards, and security guards
• Technical: smart cards, access control lists (ACLs), encryption, and network authentication
• Administrative: policies and procedures, security awareness training, contingency planning, and disaster recovery plans (DRPs)
  – Two subsections of this category: procedural controls and legal/regulatory controls
Categories of Security Controls

Mapping of NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organisations, to the NIST Cybersecurity Framework:
https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/csf-pf-to-sp800-53r5-mappings.xlsx
NIST SP 800-53 Rev. 5

Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

New controls are developed on a regular basis


ISO/IEC 27001/27002 Controls List

Source: https://www.itgovernanceusa.com/iso27002
Categories of Security Controls

Mapping of NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organisations, to ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements:
https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-to-iso-27001-mapping.docx

Detection and Response


(Shared by ParaFlare)
Questions
Reference

NIST Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

The ISO 27002 Standard – Code of practice for information security controls. https://www.itgovernanceusa.com/iso27002
