Chapter 3: Security Principles
Chapter 1: Cybersecurity and the Security Operations Center
Cybersecurity Operations
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 3 - Sections & Objectives
3.1 The Principles of Defense-in-Depth Strategy
3.2 What are Threats, Vulnerabilities and Exploits
3.3 Confidentiality, Integrity and Availability: The CIA Triad
3.4 Risk and Risk Analysis
3.5 Personally Identifiable Information and Protected Health Information
3.6 Principles of Least Privilege and Separation of Duties
3.7 Security Operation Centers
3.8 Forensics
3.1 The Principles of the Defense in Depth Strategy
Security Principles
The Principle of Defense in Depth Strategy
A layered, cross-boundary approach, known as “defense-in-depth”, is what is needed to protect corporate assets.
Defense-in-Depth
Security Principles
The Principle of Defense in Depth Strategy
An onion diagram is sometimes used to illustrate the defense-in-depth concept.
Security Principles
The Principle of Defense in Depth Strategy
Security can also be viewed as reactive or proactive.
Threats, Vulnerabilities and Exploits
Vulnerabilities
A vulnerability is an exploitable weakness in a system or its design.
Vulnerabilities can exist in:
• Protocols, operating systems, applications, hardware, and system design
Some examples of vulnerabilities include:
• SQL injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Cryptographic vulnerabilities
• Buffer overflows
Common Vulnerabilities and Exposures (CVE) is an industry standard used to identify vulnerabilities.
MITRE maintains the CVE list (http://cve.mitre.org).
Threats, Vulnerabilities and Exploits
Threat
A threat is any potential danger to an asset.
A malicious actor takes advantage of a vulnerability.
A threat agent or vector is the path used by the actor to attack.
A countermeasure is a safeguard that mitigates potential risk.
Threat actors are individuals (or groups of individuals) who perform an attack:
• Script kiddies
• Organized crime groups
• State sponsors and governments
• Hacktivists
• Terrorist groups
Threats, Vulnerabilities and Exploits
Threat Intelligence
Threat intelligence is the knowledge about an existing or emerging threat to assets.
It includes context, mechanisms, indicators of compromise (IoCs), implications and actionable advice.
Five steps for evaluating threat intelligence sources are:
Threats, Vulnerabilities and Exploits
Threat Intelligence
Threat intelligence feed examples are:
• Cyber Squad Threat Connect
• BAE Detica CyberReveal
• Lockheed Martin Palisade
• MITRE CRITs
• Cisco AMP Threat Grid
Threat intelligence information dissemination standards are:
• Structured Threat Information eXpression (STIX)
• Trusted Automated eXchange of Indicator Information (TAXII)
• Cyber Observable eXpression (CybOX)
• Open Indicator of Compromise (OpenIOC)
Threats, Vulnerabilities and Exploits
Exploits
An exploit is software or a sequence of commands that takes advantage of a vulnerability in order to cause harm to a system or network.
Exploits can be categorized as:
• Remote – can be launched over the network
• Local – requires the attacker to have prior access to the vulnerable system
Exploits are also named after the vulnerability they exploit.
Examples of known exploit kits are:
• Angler
• Blackhole
• MPack
• Crimepack
• Fiesta
• RIG
• Phoenix
CIA
Confidentiality, Integrity and Availability
The CIA Triad was created to define security policies.
Confidentiality
• This is the property that information is not made available or disclosed to unauthorized individuals
Integrity
• This is the ability to ensure that a system and its data have not been altered or compromised
Availability
• Refers to the requirement that a system or application be “available” to authorized users at all times
• A common example of an attack that impacts availability is a denial of service (DoS) attack
Risk
Risk and Risk Analysis
Cybersecurity risk can be defined as the possibility of a security incident (something bad) happening.
The FFIEC developed the Cybersecurity Assessment Tool, which can be used to evaluate an organization. The assessment consists of two parts:
• Inherent Risk Profile and Cybersecurity Maturity
The International Organization for Standardization (ISO) 27001 standard recommends a continual, partly iterative, process:
• Establish the risk management context
• Quantitatively or qualitatively assess
• Treat
• Keep stakeholders informed throughout the process
• Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis
PII and PHI
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) refers to “information which can be used to distinguish or trace an individual’s identity”, for example:
• The individual’s name
• Social security number
• Biological or personal characteristics (retina scan, fingerprints, voice, etc.)
• Date and place of birth
• Mother’s maiden name
• Credit card numbers
• Bank account numbers
• Driver’s license number
• Address information (email addresses, street address, telephone number, etc.)
PII and PHI
Protected Health Information (PHI)
HIPAA requires health care organizations to adopt certain security regulations for protecting health information such as:
• Individual’s name (patient’s name)
• All dates directly linked to the individual (date of birth, death, discharge, admission)
• Telephone and fax numbers
• Email address and geographic subdivisions
• Medical record numbers and healthcare beneficiary numbers
• Certificate numbers or account numbers
• Social security numbers
• Driver’s license number
• Biometric identifiers
• Any unique number-based code or characteristic
• The individual’s past, present and future physical or mental health or condition
PLP & SOD
Principle of Least Privilege & SOD
Principle of Least Privilege
• It states that all users, whether they are individual contributors, managers, directors, or executives, should be granted only the level of privilege they need to do their job, no more, no less
• Somewhat related to this principle is the concept of “need to know”, which means that users should get access only to the data and systems that they need to do their job and no others
Separation of Duties
• This is an administrative control that dictates that a single individual should not perform all critical- or privilege-level duties
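The two principles above, plus need to know, expressed as an authorization check. This is an added illustration, not code from the course material; the roles, users, projects and permission names are constructed sample data.

```python
"""Least privilege, need to know and separation of duties as code.

Added illustration, not from the course material: the roles, users,
projects and permissions are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

# Each role holds only the permissions its job needs (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:comment"},
    "engineer": {"ticket:read", "change:request"},
    "manager": {"ticket:read", "change:approve"},
}

@dataclass
class User:
    name: str
    role: str
    projects: set = field(default_factory=set)  # need-to-know scope

@dataclass
class Change:
    change_id: str
    project: str
    requested_by: str
    approved_by: Optional[str] = None

def authorize(user: User, permission: str, project: str) -> bool:
    """Grant only if the role carries the permission AND the user has a
    need to know for that project; either check failing denies."""
    return permission in ROLE_PERMISSIONS.get(user.role, set()) and project in user.projects

def request_change(user: User, change_id: str, project: str) -> Change:
    if not authorize(user, "change:request", project):
        raise PermissionError(f"{user.name} may not request changes on {project}")
    return Change(change_id, project, requested_by=user.name)

def approve_change(change: Change, approver: User) -> Change:
    """Separation of duties: whoever requested a privileged change can
    never be the one who approves it, whatever their role allows."""
    if approver.name == change.requested_by:
        raise PermissionError("separation of duties: requester cannot approve own change")
    if not authorize(approver, "change:approve", change.project):
        raise PermissionError(f"{approver.name} may not approve changes on {change.project}")
    change.approved_by = approver.name
    return change
```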
SOC
Security Operation Centers
SOCs are facilities where an organization’s assets are monitored. They are created to address the following:
• How can you detect a compromise in a timely manner?
• How do you triage a compromise to determine severity and scope?
• What is the impact of the compromise to your business?
• Who is responsible for detecting and mitigating a compromise?
• Who should be informed or involved, and when, to deal with the compromise?
• How and when should you communicate a compromise internally and externally?
The following are needed to build an effective SOC:
• Executive sponsorship
• SOC operating as a program
• Applicable processes and procedures
• A governance structure
• Effective team collaboration
• Budget
• Access to data and systems
• Team skill set and experience
SOC
Runbook Automation
A runbook is a collection of procedures and operations performed by system administrators, security professionals or network operators.
Runbook automation can help enhance IT operations efficiency.
Here are some metrics for measuring effectiveness:
• Mean time to repair (MTTR)
• Mean time between failures (MTBF)
• Mean time to discover a security incident
• Mean time to contain or mitigate a security incident
• Automating the provisioning of IT resources
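How the four time-based metrics above are derived from incident and outage records. Added example, not part of the course slides; the incident and outage records are constructed sample data.

```python
"""Computing the runbook effectiveness metrics listed above.

Added example, not part of the course slides. The incident and outage
records are constructed sample data with ISO 8601 timestamps (UTC)."""
from datetime import datetime, timedelta

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def _avg(deltas: list) -> timedelta:
    # statistics.mean() does not accept timedelta, so average by hand
    return sum(deltas, timedelta()) / len(deltas)

# Constructed incidents: when the compromise began, when the SOC
# discovered it, and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T08:00:00",
     "detected": "2024-03-01T20:00:00", "contained": "2024-03-02T02:00:00"},
    {"id": "INC-2", "started": "2024-03-10T00:00:00",
     "detected": "2024-03-12T00:00:00", "contained": "2024-03-12T12:00:00"},
]

# Constructed outages of one service: (failure start, service restored).
OUTAGES = [
    ("2024-03-01T10:00:00", "2024-03-01T11:00:00"),
    ("2024-03-05T10:00:00", "2024-03-05T13:00:00"),
    ("2024-03-09T10:00:00", "2024-03-09T12:00:00"),
]

def mean_time_to_discover(incidents) -> timedelta:
    """Dwell time: from the start of the compromise to its detection."""
    return _avg([_ts(i["detected"]) - _ts(i["started"]) for i in incidents])

def mean_time_to_contain(incidents) -> timedelta:
    """Response time: from detection to containment or mitigation."""
    return _avg([_ts(i["contained"]) - _ts(i["detected"]) for i in incidents])

def mttr(outages) -> timedelta:
    """Mean time to repair: average duration of an outage."""
    return _avg([_ts(end) - _ts(start) for start, end in outages])

def mtbf(outages) -> timedelta:
    """Mean time between failures: average uptime from the end of one
    outage to the start of the next (needs at least two outages)."""
    if len(outages) < 2:
        raise ValueError("MTBF needs at least two outages")
    gaps = [_ts(outages[k + 1][0]) - _ts(outages[k][1]) for k in range(len(outages) - 1)]
    return _avg(gaps)
```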
Forensics
Forensics
Forensics is the process of using scientific knowledge for collecting, analyzing and presenting evidence to the courts.
The goals of cyber forensics are to find out what happened and to collect data in a manner that is acceptable to the court.
Devices of interest include:
• Computers (servers, desktop machines, and so on)
• Smartphones
• Tablets
• Network infrastructure devices
• Network management systems
• Printers
• Vehicle GPSs
Forensics
Chain of Custody
Chain of custody is the way you document and preserve evidence from the time the investigation started until the evidence is presented in court.
Clear documentation of the following should be shown:
• How the evidence was collected
• When it was collected
• How it was transported
• How it was tracked
• How it was stored
• Who had access to the evidence and how it was accessed
Evidence preservation is needed to maintain its integrity:
• Work with a copy of the evidence
• Write-protect the storage device
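A chain-of-custody ledger that records the documentation items above and enforces the "work with a copy" rule by hashing. Added example, not from the course slides; the evidence bytes, case id and custody events are constructed.

```python
"""A chain-of-custody ledger with integrity checks for digital evidence.

Added example, not from the course slides. The evidence bytes and the
custody events are constructed; in a real case the hash is taken from
the original medium at collection and written on the custody form."""
import hashlib
from datetime import datetime, timezone

def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence, recorded once at collection time."""
    return hashlib.sha256(data).hexdigest()

class CustodyLedger:
    """Documents how, when and by whom evidence was collected, moved,
    stored and accessed, and checks each working copy against the
    original's hash so analysis never runs on altered data."""

    def __init__(self, case_id: str, original: bytes, collected_by: str, method: str):
        self.case_id = case_id
        self.original_hash = fingerprint(original)
        self.events = []
        self.log(collected_by, "collected", method)

    def log(self, who: str, action: str, detail: str) -> None:
        self.events.append({"time": datetime.now(timezone.utc).isoformat(),
                            "who": who, "action": action, "detail": detail})

    def verify_copy(self, copy: bytes) -> bool:
        """Analysts work on a copy; it must be bit-identical to the
        original before (and after) every handling step."""
        ok = fingerprint(copy) == self.original_hash
        self.log("system", "verify", "match" if ok else "MISMATCH")
        return ok

    def handlers(self) -> list:
        return [e["who"] for e in self.events]

# Constructed evidence: bytes of a file image as captured from the device.
EVIDENCE = b"PK\x03\x04 suspect-archive contents (constructed sample)"

def demo():
    ledger = CustodyLedger("CASE-0001", EVIDENCE, "investigator.a", "write-blocked disk copy")
    ledger.log("investigator.a", "transported", "sealed bag #17 to evidence locker")
    ledger.log("analyst.b", "accessed", "checked out a working copy for analysis")
    good = ledger.verify_copy(bytes(EVIDENCE))           # intact copy
    tampered = ledger.verify_copy(EVIDENCE[:-1] + b"!")  # altered copy
    return good, tampered, ledger
```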
Forensics
Reverse Engineering
Reverse engineering is the methodology for acquiring architectural information about anything originally created by someone else.
It is used to “reverse” cryptographic algorithms as well as for malware analysis.
Threat actors use reverse engineering techniques against Digital Rights Management (DRM) to steal music, movies, books, etc.
Tools used to perform reverse engineering include:
• System monitoring tools
• Disassemblers
• Debuggers
• Decompilers