
Instructor Materials

Chapter 1: Cybersecurity and the Security Operations Center

Cybersecurity Operations

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 3: Security Principles

Cybersecurity Operations - SECFND

Chapter 3 - Sections & Objectives
▪ 3.1 The Principles of Defense-in-Depth Strategy
▪ 3.2 What are Threats, Vulnerabilities and Exploits
▪ 3.3 Confidentiality, Integrity and Availability: The CIA Triad
▪ 3.4 Risk and Risk Analysis
▪ 3.5 Personally Identifiable Information and Protected Health Information
▪ 3.6 Principles of Least Privilege and Separation of Duties
▪ 3.7 Security Operation Centers
▪ 3.8 Forensics

3.1 The Principles of the Defense in Depth Strategy

Security Principles
The Principle of Defense in Depth Strategy
▪ A layered, cross-boundary approach, “defense-in-depth”, is what is needed to protect corporate assets: no single control is relied on to stop an attack

(Figure: Defense-in-Depth)
Security Principles
The Principle of Defense in Depth Strategy
▪ An onion diagram is sometimes used to illustrate the defense-in-depth concept, with the asset at the core and each ring a further layer of control

Security Principles
The Principle of Defense in Depth Strategy
▪ Security can also be viewed as reactive or proactive

Threat, Vulnerabilities and Exploits
Vulnerabilities
▪ A vulnerability is an exploitable weakness in a system or its design
▪ Vulnerabilities can exist in:
• Protocols, operating systems, applications, hardware, and system design
▪ Some examples of vulnerabilities include:
• SQL injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Cryptographic vulnerabilities
• Buffer overflows
▪ Common Vulnerabilities and Exposures (CVE) is an industry standard used to identify vulnerabilities
▪ MITRE maintains the CVE list (http://cve.mitre.org)
Threat, Vulnerabilities and Exploits
Threat
▪ A threat is any potential danger to an asset
▪ A malicious actor takes advantage of a vulnerability to realize a threat
▪ A threat agent or threat vector is the path used by the actor to attack
▪ A countermeasure is a safeguard that mitigates potential risk
▪ Threat actors are individuals (or groups of individuals) who perform an attack, for example:
• Script kiddies
• Organized crime groups
• State sponsors and governments
• Hacktivists
• Terrorist groups

Threat, Vulnerabilities and Exploits
Threat Intelligence
▪ Threat intelligence is the knowledge about an existing or emerging threat to assets
▪ It includes context, mechanisms, indicators of compromise (IoCs), implications and actionable advice
▪ Five steps for evaluating threat intelligence sources are:

Threat, Vulnerabilities and Exploits
Threat Intelligence
▪ Threat intelligence feed examples are:
• Cyber Squad Threat Connect
• BAE Detica CyberReveal
• Lockheed Martin Palisade
• MITRE CRITs
• Cisco AMP Threat Grid
▪ Threat intelligence information dissemination standards are:
• Structured Threat Information eXpression (STIX)
• Trusted Automated eXchange of Indicator Information (TAXII)
• Cyber Observable eXpression (CybOX)
• Open Indicator of Compromise (OpenIOC)

Threat, Vulnerabilities and Exploits
Exploits
▪ An exploit is software or a sequence of commands that takes advantage of a vulnerability in order to cause harm to a system or network
▪ Exploits can be categorized as:
• Remote – can be launched over the network
• Local – require the attacker to have prior access to the vulnerable system
▪ Exploits are also named by the vulnerability they exploit
▪ Examples of known exploit kits are:
• Angler
• Blackhole
• Mpack
• Crimepack
• Fiesta
• RIG
• Phoenix
CIA
Confidentiality, Integrity and Availability
▪ The CIA Triad was created to define security policies
▪ Confidentiality
• This is the property that information is not made available or disclosed to unauthorized individuals
▪ Integrity
• This is the ability to ensure that a system and its data have not been altered or compromised
▪ Availability
• Refers to the requirement that a system or application must be “available” to authorized users at all times
• A common example of an attack that impacts availability is a denial of service (DoS) attack

Risk
Risk and Risk Analysis
▪ Cybersecurity risk can be defined as the possibility of a security incident (something bad) happening
▪ FFIEC developed the Cybersecurity Assessment Tool that can be used to evaluate an organization. The assessment consists of two parts:
• Inherent Risk Profile and Cybersecurity Maturity
▪ The International Organization for Standardization (ISO) 27001 standard recommends a continual process, with some steps iterative:
• Establish the risk management context
• Quantitatively or qualitatively assess
• Treat
• Keep stakeholders informed throughout the process
• Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis
PII and PHI
Personally Identifiable Information (PII)
▪ Personally Identifiable Information (PII) refers to “information which can be used to distinguish or trace an individual’s identity”, for example:
• The individual’s name
• Social security number
• Biological or personal characteristics (retina scan, fingerprints, voice, etc.)
• Date and place of birth
• Mother’s maiden name
• Credit card numbers
• Bank account numbers
• Driver’s license number
• Address information (email addresses, street address, telephone number, etc.)
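A SOC that forwards logs to vendors or ticketing systems needs to know when PII of the kinds listed above has leaked into them. The following Python script is an added example, not part of the Cisco deck: it scans constructed log lines for US-format social security numbers, email addresses and payment card numbers (validated with the Luhn check so that ordinary long numbers are not flagged) and redacts them. The log lines, patterns and helper names are my own assumptions for illustration.

```python
"""Detect and redact common PII in log lines before they leave the SOC.

Added example, not from the Cisco deck. The sample log lines are constructed
and every identifier in them is fabricated.
"""
import re

# Constructed sample log lines (all values fabricated for the example).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z login ok user=jdoe email=jane.doe@example.com",
    "2024-05-01T10:01:12Z payment card=4111111111111111 amount=12.50",
    "2024-05-01T10:02:30Z hr-export ssn=123-45-6789 employee=4412",
    "2024-05-01T10:03:05Z ticket id=1234567812345678 status=closed",  # 16 digits but fails Luhn
]

# Assumed formats: US SSN (NNN-NN-NNNN), a simple email shape, 13-19 digit card numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(line):
    """Return (kind, value) pairs for every PII match in one log line."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(line)]
    hits += [("email", m.group()) for m in EMAIL_RE.finditer(line)]
    hits += [("card", m.group()) for m in CARD_RE.finditer(line) if luhn_ok(m.group())]
    return hits


def redact(line):
    """Mask each finding; card numbers keep their last four digits for support lookups."""
    for kind, value in find_pii(line):
        if kind == "card":
            masked = "*" * (len(value) - 4) + value[-4:]
        else:
            masked = "[REDACTED-" + kind.upper() + "]"
        line = line.replace(value, masked)
    return line


def scan(lines):
    """Map line index -> list of PII kinds found, for lines that contain any."""
    report = {}
    for i, line in enumerate(lines):
        kinds = [kind for kind, _ in find_pii(line)]
        if kinds:
            report[i] = kinds
    return report


if __name__ == "__main__":
    for idx, kinds in scan(SAMPLE_LOGS).items():
        print(idx, kinds, "->", redact(SAMPLE_LOGS[idx]))
```

The Luhn filter is what keeps the fourth line out of the report: a 16-digit ticket id looks like a card number to the regex but fails the checksum, which is the kind of false positive that makes analysts ignore a noisy detector.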

PII and PHI
Protected Health Information (PHI)
▪ HIPAA requires health care organizations to adopt certain security regulations for protecting health information such as:
• Individual’s name (patient’s name)
• All dates directly linked to an individual (date of birth, death, discharge, admission)
• Telephone and fax numbers
• Email address and geographic subdivisions
• Medical record numbers and healthcare beneficiary numbers
• Certificate numbers or account numbers
• Social security numbers
• Driver’s license number
• Biometric identifiers
• Any unique number-based code or characteristic
• The individual’s past, present and future physical or mental health or condition
PLP & SOD
Principle of Least Privilege & SOD
▪ Principle of Least Privilege
• It states that all users - whether they are individual contributors, managers, directors, or executives - should be granted only the level of privilege they need to do their job, no more, no less
• Somewhat related to this principle is the concept of “need to know”, which means that users should get access only to the data and systems that they need to do their job and no others
▪ Separation of Duties
• This is an administrative control that dictates that a single individual should not perform all critical or privileged duties
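Both principles are easiest to see in an authorization check. The Python below is an added example, not part of the Cisco deck: roles carry only the permissions their job needs (least privilege), and a change workflow refuses to let the same person submit, approve and deploy one change (separation of duties). It also flags accounts whose combined roles would let one person complete the whole workflow alone. The roles, permissions, users and function names are constructed for illustration.

```python
"""Least-privilege and separation-of-duties checks for a change workflow.

Added example, not from the Cisco deck. Roles, permissions and users are
constructed; a real system would load them from its IAM store.
"""
from dataclasses import dataclass

# Least privilege: each role carries only the permissions that job needs.
ROLE_PERMISSIONS = {
    "developer": {"change:submit", "repo:read"},
    "change-approver": {"change:approve", "repo:read"},
    "release-engineer": {"change:deploy", "repo:read"},
    "auditor": {"audit:read"},
}

# Steps that must not all rest with one person (separation of duties).
CRITICAL_STEPS = {"change:submit", "change:approve", "change:deploy"}


class PolicyError(Exception):
    """Raised when an action would violate least privilege or separation of duties."""


@dataclass
class User:
    name: str
    roles: frozenset


@dataclass
class ChangeRequest:
    change_id: str
    submitted_by: str
    approved_by: str = None
    deployed_by: str = None


def permissions_of(user):
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    return permission in permissions_of(user)


def toxic_combination(user):
    """True if one person's roles cover two or more critical steps on their own."""
    return len(permissions_of(user) & CRITICAL_STEPS) >= 2


def submit(change_id, submitter):
    if not is_allowed(submitter, "change:submit"):
        raise PolicyError(f"{submitter.name} lacks change:submit")
    return ChangeRequest(change_id, submitted_by=submitter.name)


def approve(change, approver):
    if not is_allowed(approver, "change:approve"):
        raise PolicyError(f"{approver.name} lacks change:approve")
    if approver.name == change.submitted_by:
        raise PolicyError("submitter may not approve their own change")
    change.approved_by = approver.name
    return change


def deploy(change, deployer):
    if not is_allowed(deployer, "change:deploy"):
        raise PolicyError(f"{deployer.name} lacks change:deploy")
    if change.approved_by is None:
        raise PolicyError("change has not been approved")
    if deployer.name in (change.submitted_by, change.approved_by):
        raise PolicyError("one person may not hold two roles on the same change")
    change.deployed_by = deployer.name
    return change


def policy_denies(action):
    """Run a zero-argument action and report whether policy blocked it."""
    try:
        action()
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    alice = User("alice", frozenset({"developer"}))
    bob = User("bob", frozenset({"change-approver"}))
    carol = User("carol", frozenset({"release-engineer"}))
    print(deploy(approve(submit("CHG-100", alice), bob), carol))
    dave = User("dave", frozenset({"developer", "change-approver"}))
    print("dave holds a toxic role combination:", toxic_combination(dave))
```

`toxic_combination` is the review-time check: it finds role grants that silently undo separation of duties, which is where most real violations come from, rather than waiting for someone to attempt a self-approval.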

SOC
Security Operation Centers
▪ SOCs are facilities where an organization’s assets are monitored. They are created to address the following:
• How can you detect a compromise in a timely manner?
• How do you triage a compromise to determine severity and scope?
• What is the impact of the compromise to your business?
• Who is responsible for detecting and mitigating a compromise?
• Who should be informed/involved, and when, to deal with the compromise?
• How and when should you communicate a compromise internally or externally?
▪ The following are needed to build an effective SOC:
• Executive sponsorship
• SOC operating as a program
• Applicable processes & procedures
• A governance structure
• Effective team collaboration
• Budget
• Access to data and systems
• Team skill set and experience
SOC
Runbook Automation
▪ A runbook is a collection of procedures and operations performed by system administrators, security professionals or network operators
▪ Runbook automation can help enhance IT operations efficiency
▪ Here are some metrics for measuring effectiveness:
• Mean time to repair (MTTR)
• Mean time between failures (MTBF)
• Mean time to discover a security incident
• Mean time to contain or mitigate a security incident
• Automating the provisioning of IT resources
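The metrics above are only useful if they are computed the same way every reporting period. The following Python is an added example, not part of the Cisco deck: it derives mean time to discover, mean time to contain, MTTR and MTBF from a small set of constructed incident records, and flags incidents whose discovery exceeded a detection target. The record field names, the choice to measure MTBF as uptime between one repair and the next incident, and the four-hour target are all assumptions made for the example.

```python
"""SOC effectiveness metrics (MTTD, MTTC, MTTR, MTBF) from incident records.

Added example, not from the Cisco deck. The incident records are constructed and
the field names are an assumption about what a ticketing export holds.
"""
from datetime import datetime

# Constructed incident records; timestamps are ISO 8601, assumed UTC.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00:00", "detected": "2024-03-01T10:00:00",
     "contained": "2024-03-01T12:00:00", "repaired": "2024-03-01T16:00:00"},
    {"id": "INC-2", "occurred": "2024-03-05T08:00:00", "detected": "2024-03-05T09:00:00",
     "contained": "2024-03-05T10:00:00", "repaired": "2024-03-05T12:00:00"},
    {"id": "INC-3", "occurred": "2024-03-11T08:00:00", "detected": "2024-03-11T14:00:00",
     "contained": "2024-03-11T17:00:00", "repaired": "2024-03-12T08:00:00"},
]

TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def hours_between(start, end):
    """Elapsed hours from one ISO timestamp to another."""
    return (datetime.strptime(end, TIME_FMT) - datetime.strptime(start, TIME_FMT)).total_seconds() / 3600


def mean(values):
    return sum(values) / len(values)


def soc_metrics(incidents):
    """Return the four headline metrics in hours.

    MTTD: occurred -> detected   MTTC: detected -> contained
    MTTR: occurred -> repaired   MTBF: mean uptime from one repair to the next incident
    """
    inc = sorted(incidents, key=lambda i: i["occurred"])
    mttd = mean([hours_between(i["occurred"], i["detected"]) for i in inc])
    mttc = mean([hours_between(i["detected"], i["contained"]) for i in inc])
    mttr = mean([hours_between(i["occurred"], i["repaired"]) for i in inc])
    gaps = [hours_between(a["repaired"], b["occurred"]) for a, b in zip(inc, inc[1:])]
    mtbf = mean(gaps) if gaps else None   # undefined with fewer than two incidents
    return {"mttd_h": mttd, "mttc_h": mttc, "mttr_h": mttr, "mtbf_h": mtbf}


def detection_target_breaches(incidents, max_hours):
    """Ids of incidents that took longer than max_hours to discover."""
    return [i["id"] for i in incidents if hours_between(i["occurred"], i["detected"]) > max_hours]


if __name__ == "__main__":
    for name, value in soc_metrics(INCIDENTS).items():
        print(f"{name}: {value:.1f}")
    print("slow detections:", detection_target_breaches(INCIDENTS, 4))
```

Whichever definition of MTBF a SOC adopts, it should be written into the runbook next to the metric, since "time between failures" measured start-to-start and repair-to-start give different numbers for the same incidents.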

Forensics
Forensics
▪ Forensics is the process of using scientific knowledge for collecting, analyzing and presenting evidence to the courts
▪ The goals of cyber forensics are to find out what happened and to collect data in a manner that is acceptable to the court
▪ Devices of interest include:
• Computers (servers, desktop machines, and so on)
• Smartphones
• Tablets
• Network infrastructure devices
• Network management systems
• Printers
• Vehicle GPS units

Forensics
Chain of Custody
▪ Chain of custody is the way you document and preserve evidence from the time the investigation started until the evidence is presented in court
▪ Clear documentation of the following should be shown:
• How the evidence was collected
• When it was collected
• How it was transported
• How it was tracked
• How it was stored
• Who had access to the evidence and how it was accessed
▪ Evidence preservation is needed to maintain its integrity:
• Work with a copy of the evidence
• Write-protect the storage device
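The two preservation rules above are enforceable in software: hash the original at acquisition, write-protect it, and work only on a copy whose hash matches. The Python below is an added example, not part of the Cisco deck: it keeps a chain-of-custody log whose entries record who performed which action on which item and the item's SHA-256 at that moment, then shows that a modified working copy no longer verifies against the acquisition hash. The evidence file is a constructed byte string in a temporary directory; the log format, file names and function names are my own.

```python
"""Chain-of-custody record with hash verification for a working copy of evidence.

Added example, not from the Cisco deck. The evidence is a constructed byte string
written to a temporary directory; the log format and names are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to which item, with its hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, action, actor, path, note=""):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "item": str(path),
            "sha256": sha256_of(path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self):
        """Hash recorded by the first entry, i.e. at acquisition."""
        return self.entries[0]["sha256"]

    def verify(self, path):
        """True if the file still matches the hash taken at acquisition."""
        return sha256_of(path) == self.acquisition_hash()

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def acquire(original, workdir, actor):
    """Hash the original, write-protect it, and hand the analyst a verified copy."""
    log = CustodyLog()
    log.record("acquired", actor, original, "hash taken before any handling")
    original.chmod(0o444)  # write-protect the original; all analysis happens on the copy
    copy = Path(workdir) / (original.name + ".working")
    shutil.copyfile(original, copy)
    log.record("copied-for-analysis", actor, copy, "working copy checked against acquisition hash")
    if not log.verify(copy):
        raise RuntimeError("working copy does not match acquisition hash")
    return log, copy


def demo():
    """Return (copy intact?, copy intact after tampering?, number of log entries)."""
    tmp = Path(tempfile.mkdtemp())
    original = tmp / "disk.img"
    original.write_bytes(b"constructed evidence image\n" * 1000)   # constructed evidence
    log, copy = acquire(original, tmp, "analyst-1")
    intact_before = log.verify(copy)
    copy.write_bytes(b"constructed evidence image\n" * 999 + b"altered\n")  # simulate tampering
    intact_after = log.verify(copy)
    return intact_before, intact_after, len(log.entries)


if __name__ == "__main__":
    print(demo())
```

Every entry carries the hash at the time of the action, so the log itself answers "who had access and was the item unchanged at that point", which is the question the chain-of-custody documentation above exists to answer.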
Forensics
Reverse Engineering
▪ Reverse engineering is the methodology for acquiring architectural information about anything originally created by someone else
▪ It is used to “reverse” cryptographic algorithms as well as for malware analysis
▪ Threat actors use reverse engineering techniques against Digital Rights Management (DRM) to steal music, movies, books, etc.
▪ Tools used to perform reverse engineering include:
• System monitoring tools
• Disassemblers
• Debuggers
• Decompilers

