Risk Management Slides (old)


Section 1: Security Principles - Concepts of Information Security.

Prepared by Dr. Mohammad Qatawneh


The University of Jordan
KASIT – Department of Computer Science and Cybersecurity

This section discusses the foundational concepts of Information Security (InfoSec).

1. Information
Information is one of an organization's most important assets. Secure, good-quality information improves decision making and enhances the efficiency and reputation of the organization.
• In business there are countless types of information, including customer and employee information, emails, personal information (credit card numbers, social security numbers, etc.), charts and graphs, financial reports, etc.

As long as the information is important, it should be protected from unauthorized access and activities, including inspection, modification, recording, and any disruption or destruction.
• Data destruction is the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed.
• Data disruption is when you lose access to your data.
Conclusion:
• The information is important.
• Information needs to be protected from the above unauthorized access.
• How?
• Answer: Information Security is highly needed to protect information from the above unauthorized access.
• Therefore, you as a security risk manager must know what information security means and how it protects information from the above unauthorized access.

2. Information Security
Information Security is mainly concerned with protecting information from the above unauthorized activities while it is stored or transmitted from one place to another, by maintaining CIA (Confidentiality, Integrity and Availability), which forms the basis for the development of any organization's security systems.
Information security is no longer the responsibility of a dedicated group of professionals in the company; it is now the responsibility of all employees, especially managers.

CIA Triad

• Confidentiality: Ensuring that only authorized users or processes are able to access specific assets, and that unauthorized ones are prevented from obtaining access.
  - Confidentiality can be implemented using security mechanisms such as encryption, access control lists, and user names and passwords. An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular asset (for example, the configuration of a firewall).
1. Encryption

Figure: Encryption mechanism (online demo: https://www.online-toolz.com/tools/text-encryption-decryption.php)

Encryption is a two-way function: what was encrypted with a key can be decrypted again by whoever holds that key.
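The following is an added example (not code from the slides) illustrating the two-way property: the same key turns ciphertext back into plaintext, and a different key does not. A one-time pad (XOR with a random key as long as the message) is used only so the demo runs with the Python standard library; the function names are constructed for the demo, and a production system would use an authenticated cipher such as AES-GCM from a vetted library.

```python
"""Added example (not from the slides): encryption is a two-way function.

A one-time pad (XOR with a random key as long as the message) is used so the
demo runs with the standard library only; production code would use an
authenticated cipher such as AES-GCM from a vetted library.
"""
import os


def generate_key(length: int) -> bytes:
    """Return `length` random bytes from the OS CSPRNG (this is the secret key)."""
    return os.urandom(length)


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Forward direction: plaintext + key -> ciphertext."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Reverse direction: ciphertext + key -> plaintext.

    For a one-time pad the reverse step is the same XOR with the same key,
    which is exactly what makes the function two-way.
    """
    return encrypt(ciphertext, key)


def round_trip(message: bytes) -> dict:
    """Show that the right key reverses encryption and the wrong key does not."""
    key = generate_key(len(message))
    wrong_key = generate_key(len(message))
    ciphertext = encrypt(message, key)
    return {
        "ciphertext_differs": ciphertext != message,
        "right_key_recovers": decrypt(ciphertext, key) == message,
        "wrong_key_recovers": decrypt(ciphertext, wrong_key) == message,
    }


if __name__ == "__main__":
    # Constructed sample message (not from the slides).
    print(round_trip(b"Student grades: confidential"))
```

Running the block prints a dictionary showing that the ciphertext differs from the message, that the correct key recovers it, and that a wrong key does not; compare this with the hash function later in the section, which has no key and no reverse direction.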

2. Access Control List (ACL): An access control list (ACL) contains rules that allow or deny access to certain digital environments. There are two types of ACLs:
i. Filesystem ACLs: filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system and what privileges those users are allowed. (On Windows: right-click a file, then Properties, Security, Edit to change the permissions.)

ii. Networking ACLs: filter access to the network. Networking ACLs tell routers and switches which types of traffic can access the network and which activity is allowed.

Figure: Router Configuration

Figure: Firewall Configuration
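As an added example (not from the slides), the block below evaluates a networking ACL the way a router or firewall does: rules are checked top-down, the first match wins, and a packet that matches no rule is denied by the implicit deny at the end of the list. The rules, addresses and class names are constructed for the demo.

```python
"""Added example (not from the slides): evaluating an ordered networking ACL.

Rules are checked top-down, the first match wins, and a packet that matches
no rule is denied (the implicit deny at the end of every router ACL). The
rules, addresses and class names are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "any"
    source: str               # CIDR block
    destination: str          # CIDR block
    dest_port: Optional[int]  # None matches any port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.destination):
        return False
    if rule.dest_port is not None and rule.dest_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed ACL for a campus edge router: a quarantined VLAN is blocked
# first, then web traffic to the public web server is allowed; order matters.
CAMPUS_ACL = [
    Rule("deny",   "any",  "10.0.99.0/24", "0.0.0.0/0",     None),
    Rule("permit", "tcp",  "10.0.0.0/16",  "192.0.2.10/32", 443),
    Rule("permit", "tcp",  "10.0.0.0/16",  "192.0.2.10/32", 80),
    Rule("permit", "icmp", "10.0.0.0/16",  "192.0.2.0/24",  None),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.5.7", "192.0.2.10", 443),
                Packet("tcp", "10.0.99.4", "192.0.2.10", 443),
                Packet("tcp", "10.0.5.7", "192.0.2.10", 22)):
        print(pkt, "->", evaluate(CAMPUS_ACL, pkt))
```

The quarantine rule sits above the permit rules on purpose: if it were placed last, a host in the quarantined VLAN would already have matched the HTTPS permit. Reviewing rule order is the most common ACL check a security administrator performs.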

3. User Names and Passwords: Passwords provide the first line of defense against unauthorized access to your computer and personal information.
Confidentiality is hard to balance; therefore data must be classified, because not all data have the same level of importance. Data classification can thus improve CIA.
• Two terms related to data in information security are PII and PHI.
  - PII, Personally Identifiable Information (name, address, social security number, telephone number, email address, etc.): data that can be used to identify the owner of any collected data such as the above.
  - PHI, Protected/Personal Health Information: medical history, test and lab results, insurance information.

• Integrity: Ensuring that data has not been tampered with and therefore can be trusted. Integrity can be achieved using a hash function such as SHA-256, whose hash size is 256 bits. Backups and digital digests can also be used to achieve integrity.
1. Hash Function: for example SHA-256, whose hash size is 256 bits (online demo: https://emn178.github.io/online-tools/sha256.html).

A hash is a one-way function.

2. Backup: a backup must be available to restore any corrupted data.

3. Digital digest.
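The following added example (not from the slides) shows SHA-256 used as an integrity check: the digest is 256 bits, the same input always gives the same digest, and a single changed byte gives a different one, which is how tampering is detected. The keyed variant (HMAC) is an addition beyond what the slides mention, included because a plain hash stored next to the data can simply be recomputed by whoever altered the data; function names and the sample records are constructed for the demo.

```python
"""Added example (not from the slides): SHA-256 as a one-way integrity check.

Hashing has no key and no reverse direction; it detects tampering by comparing
a digest recorded earlier with a freshly computed one.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest as 64 hex characters (256 bits)."""
    return hashlib.sha256(data).hexdigest()


def digest_bits(hex_digest: str) -> int:
    """Size of a hex-encoded digest in bits (4 bits per hex character)."""
    return len(hex_digest) * 4


def integrity_check(recorded_digest: str, data: bytes) -> bool:
    """Verify data against a digest recorded earlier (e.g. alongside a backup)."""
    return hmac.compare_digest(recorded_digest, sha256_hex(data))


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed digest, so someone who changes the data cannot
    also recompute a matching digest without the key. (Addition beyond the
    slides, which only mention plain SHA-256.)"""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Constructed records: a bank balance before and after tampering."""
    original = b"account=1001;balance=1000"
    tampered = b"account=1001;balance=9000"
    recorded = sha256_hex(original)
    return {
        "digest_bits": digest_bits(recorded),
        "same_input_same_digest": sha256_hex(original) == recorded,
        "original_passes": integrity_check(recorded, original),
        "tampered_passes": integrity_check(recorded, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The check uses `hmac.compare_digest` rather than `==` so that the comparison time does not depend on how many leading characters match.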
• Availability: Ensuring that networks, systems, and applications are up and running, and that authorized users have timely, reliable access to resources when they are needed (data, applications, and systems must be accessible when needed by users).
  - Data availability is achieved through redundancy, involving where the data is stored and how it can be reached. Data redundancy refers to the practice of keeping data in two or more places within a database or data storage system.

Figure: a bank account example that explains CIA

Conclusion:
• You as a security risk manager must ensure that these elements (CIA) are met.
• Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts have to be added because CIA alone is not sufficient.
3. The additional concepts that are needed
o Authentication: Ensuring (verifying) that users are who they say they are and that each input arriving at the system came from a trusted source.
  - Authentication can be achieved using tokens (something you have) such as a password or a bank card with a chip, or biometrics (something you are) such as fingerprints, voice and iris scans.
  - There are two types of authentication: single-factor authentication (SFA), using for example a password or an email address; and multi-factor authentication (MFA), using a password and then a code sent to my mobile number that I enter as well, or using a fingerprint and a mobile number.
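As an added example (not from the slides), the block below contrasts single-factor and multi-factor login in code. The first factor is a password checked against a salted PBKDF2 hash; the second is a time-based one-time code (TOTP, RFC 6238), the kind produced by an authenticator device the user holds. The user record layout, function names and the one-step clock-drift window are constructed for the demo.

```python
"""Added example (not from the slides): single-factor vs multi-factor login.

Factor 1 is a password checked against a salted PBKDF2 hash (something you
know). Factor 2 is a time-based one-time code (TOTP, RFC 6238) produced by a
device the user holds (something you have). All names, the user record layout
and the drift window are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30) -> bool:
    """Accept the current window and one on either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * step), code)
               for d in (-1, 0, 1))


def make_user(password: str, enroll_mfa: bool) -> dict:
    """Constructed user record; the TOTP secret is what the authenticator holds."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash,
            "totp_secret": os.urandom(20) if enroll_mfa else None}


def login(user: dict, password: str, code: Optional[str], now: int) -> str:
    """'denied', 'sfa-ok' (password only, no MFA enrolled) or 'mfa-ok' (both)."""
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return "denied"
    if user["totp_secret"] is None:
        return "sfa-ok"               # single-factor account
    if code is None or not verify_totp(user["totp_secret"], code, now):
        return "denied"               # right password, but second factor failed
    return "mfa-ok"


if __name__ == "__main__":
    import time
    alice = make_user("correct horse battery", enroll_mfa=True)
    now = int(time.time())
    print(login(alice, "correct horse battery", None, now))
    print(login(alice, "correct horse battery", totp(alice["totp_secret"], now), now))
```

The point the code makes is in `login`: once MFA is enrolled, the correct password alone is still "denied", so a stolen or guessed password is not enough on its own.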
o Authorization / Access control: ensuring that a user, once authenticated, is only able to access information to which he or she has been granted permission by the owner of the information.
  - This can be accomplished at the operating-system level using file system access controls, or at the network level using access controls on routers or firewalls.

o Audit capability: ensuring that activity and transactions on a system or network can be monitored and logged in order to maintain system availability and detect unauthorized use.
  - This process can take various forms: logging by the operating system, logging by a network device such as a router or firewall, or logging by an intrusion detection system (IDS) or packet-capture device.
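To show what "detect unauthorized use" looks like once logs exist, here is an added example (not from the slides) that parses operating-system authentication log lines and flags any source address with five or more failed logins inside a ten-minute window. The log lines are constructed samples, and the format, threshold and window are assumptions for the demo.

```python
"""Added example (not from the slides): using audit logs to detect unauthorized use.

Parses constructed syslog-style authentication lines and flags any source
address with 5 or more failed logins inside a 10-minute window (a simple
brute-force indicator). Log format, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[411]: Failed password for admin from 203.0.113.9 port 51000
2024-03-01T08:00:04 sshd[411]: Failed password for admin from 203.0.113.9 port 51001
2024-03-01T08:00:07 sshd[411]: Failed password for root from 203.0.113.9 port 51002
2024-03-01T08:00:09 sshd[411]: Failed password for admin from 203.0.113.9 port 51003
2024-03-01T08:00:12 sshd[411]: Failed password for admin from 203.0.113.9 port 51004
2024-03-01T08:01:30 sshd[412]: Accepted password for alice from 10.0.4.7 port 40120
2024-03-01T08:05:00 sshd[413]: Failed password for bob from 10.0.4.8 port 40200
2024-03-01T09:30:00 sshd[414]: Failed password for admin from 203.0.113.9 port 51010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text: str) -> List[dict]:
    """Turn matching lines into events; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events: List[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Sliding window per source IP; returns ip -> most failures in any window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(parse(SAMPLE_LOG)))
```

In the sample, the five failures from 203.0.113.9 within eleven seconds trigger an alert, while the single failure from 10.0.4.8 and the later, isolated failure do not. The same sliding-window logic applies to firewall or IDS logs once they are parsed into events.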

o Nonrepudiation: Ensuring that a person initiating a transaction is authenticated sufficiently that he or she cannot reasonably deny having been the initiating party.
  - Public key cryptography is often used to support this. It can also be achieved by sending a message to the person and having them sign the form and return it; for example, after a withdrawal from an ATM, a confirmation message is received.

o Privacy: The right of an individual to control the distribution of information about themselves.

GDPR: The General Data Protection Regulation is a fundamental piece of legislation issued by the European Union that concerns both individuals and organizations operating within the European Union.
Conclusion:
• Information security is important.
• CIA is achieved.
• The additional concepts are also well established.
• But when talking about small, medium or big organizations, an organization's security plan is highly needed to present a complete secure image of the organization to society (company reputation, economic security, social security, education reputation).
• You as a security risk manager must know what a security plan means.
11
4. Security Plan

Goals of the security plan:
• Avoid or reduce the risk of assets being lost, damaged, etc.
• Minimize losses.
• Insure against the results of a risk event.

Successful organizations should have a security plan that comprises multiple security tiers/levels such as physical security, personal security, operations security, network security, communications security and cyber security; without them, information security is considerably more difficult, if not impossible, to initiate.
Security Tiers/Levels
1. Physical Security: The protection of building sites and equipment from theft, vandalism, natural disaster, man-made catastrophe, and accidental damage.
  - Physical security can be achieved by using locks, cameras, safeguards, fire sensors, motion sensors, alarm systems, and security guards.
  - An organization needs to establish a physical security plan.
  - When we are trying to build up the physical security plan for an organization, data center, etc., we have to consider three essential elements:

2. Personal Security: the continuing steps you can take to protect your accounts and devices from cyber threats.
  - The principles of personal security are:
    - Preparation.
    - Detection.
    - Delay.
    - Defense.
  - Personal security can be achieved by education (do not use sticky notes to save your passwords and user names), asking for help, security guards receiving training as part of their jobs, training the employees, etc.

3. Operations Security: a security and risk management process that prevents sensitive information (details of an organization's operations and activities) from getting into the wrong hands. Section 3 explains this in more detail.

4. Communications Security: involves defenses against the interception of communication transmissions (via encryption and decryption techniques).

4.1. Network Security: A subset of communications security and cybersecurity; the protection of voice and data networking components, connections, and content. It can be achieved using firewalls, DMZs, ACLs, intrusion detection systems, and intrusion prevention systems.

4.2. Cyber Security: Cybersecurity is the ability to protect or defend the use of cyberspace from cyber-attacks (the practice of protecting systems, networks and programs from digital attacks), where cyberspace is the environment of the Internet (users/people, computers and computer networks on the Internet).

Conclusion: You as a Security Consultant, Security Administrator, Security Engineer, or Security Architect are responsible for installing, administering and troubleshooting an organization's security solutions:
• CIA (1): Confidentiality, Integrity and Availability.
• Additional concepts (2): Authentication, Authorization, Privacy, Non-repudiation and Audit capability.
• Security plan (3): Physical, personal, operations and communications.
5. Committee on National Security Systems (CNSS) Security Model

Introduction: The CNSS (Committee on National Security Systems) model is a three-dimensional security model that has become a standard security model for many currently operating information systems. CNSS serves as the standard for understanding many aspects of InfoSec; in other words, it is used to design or review any InfoSec program.

The CNSS model has three key goals of security: Confidentiality, Integrity, and Availability. These form one dimension (the Y axis). Policy, education, and technology form another dimension. Finally, storage, processing, and transmission form the third dimension (the X axis).

Figure: the three CNSS dimensions

If you extend the relationship among the three dimensions represented by the axes in the figure above, you end up with a 3 x 3 x 3 cube with 27 cells, as shown in the next figure. Each cell represents an area of intersection among these three dimensions which must be addressed to secure information.

Figure: the 27-cell CNSS cube

For example, the cell representing the intersection of the technology, integrity, and storage criteria could include controls or safeguards addressing the use of technology to protect the integrity of information while in storage.
The main purposes/objectives of the CNSS model are:
1. A security model precisely describes important aspects of security and their relationship to systems.
2. It provides the necessary level of understanding for a successful implementation of key security requirements.
3. The CNSS model examines each of the component combinations and asks how you would address them in the organization.
4. It helps you to set security countermeasures.
5. It helps you to identify gaps in the coverage of an InfoSec program.
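As an added example (not from the slides), the block below builds the 27-cell cube from the three axes described above and uses it for objective 5, gap identification: each control in an inventory is tagged with the cells it addresses, and any cell left untagged is a gap in the InfoSec program. The control inventory and all names are constructed for the demo.

```python
"""Added example (not from the slides): enumerating the 27 CNSS cells and
listing the ones no control covers (objective 5, gap identification).
The control inventory and all names are constructed for the demo."""
from itertools import product
from typing import Dict, List, Tuple

GOALS = ("confidentiality", "integrity", "availability")     # Y axis
MEASURES = ("policy", "education", "technology")             # second axis
STATES = ("storage", "processing", "transmission")           # X axis

Cell = Tuple[str, str, str]


def all_cells() -> List[Cell]:
    """Every (goal, measure, state) combination: 3 x 3 x 3 = 27 cells."""
    return list(product(GOALS, MEASURES, STATES))


def coverage(controls: Dict[str, List[Cell]]) -> Dict[Cell, List[str]]:
    """Map every cell to the names of the controls that address it."""
    table: Dict[Cell, List[str]] = {cell: [] for cell in all_cells()}
    for name, cells in controls.items():
        for cell in cells:
            if cell not in table:
                raise ValueError(f"{name}: {cell} is not a CNSS cell")
            table[cell].append(name)
    return table


def gaps(controls: Dict[str, List[Cell]]) -> List[Cell]:
    """Cells that no control in the inventory addresses."""
    return [cell for cell, names in coverage(controls).items() if not names]


# Constructed inventory: each control is tagged with the cells it addresses.
SAMPLE_CONTROLS: Dict[str, List[Cell]] = {
    "disk encryption": [("confidentiality", "technology", "storage")],
    "TLS on all services": [("confidentiality", "technology", "transmission"),
                            ("integrity", "technology", "transmission")],
    "file integrity monitoring": [("integrity", "technology", "storage")],
    "nightly backups": [("availability", "technology", "storage")],
    "data classification policy": [(g, "policy", s) for g in GOALS for s in STATES],
    "staff awareness training": [("confidentiality", "education", s) for s in STATES],
}

if __name__ == "__main__":
    for cell in gaps(SAMPLE_CONTROLS):
        print("uncovered:", cell)
```

With this inventory the policy row is fully covered, but the education row lacks anything for integrity and availability, and the technology row has no control for the processing state at all; those are the cells the security plan should address next.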

Explanation of the 27 cells

1. Confidentiality-Policy and Storage: the university has certain policies and guidelines for enrolled students and staff. All the associated data is kept confidential, accessible to authorized personnel only, and a secure storage solution is provided by the university to safeguard its own and the students' data.

2. Confidentiality-Policy and Processing: an authorized person is appointed to process data whenever required. That person must maintain the confidentiality of the data and work according to university policies. An example: I submit this assignment electronically to my lecturer only.

3. Confidentiality-Policy and Transmission: keeping data confidential and having personnel work under policies is not enough; a secure medium is required for transmission of that data when a user requests access. The university is required to use all necessary measures to secure a transmission.

4. Confidentiality-Education and Storage: only students enrolled in a subject should get the materials of that subject. That is, educational data and stored material should be kept confidential for the actual students, not for everyone.

5. Confidentiality-Education and Processing: the lecturer needs to update slides or educational materials constantly, and any new materials are sent to the students enrolled in the subject.

6. Confidentiality-Education and Transmission: data and information related to the subject are kept secure by applying a range of measures; for example, only enrolled students attend classes, as a card swipe is required to open the lecture room doors.

7. Confidentiality-Technology and Storage: the use of a database system to store and transfer data only to the students who are to use it.

8. Confidentiality-Technology and Processing: an advanced processing system collects data quickly and stores it in the university database. This method maintains confidentiality as the system automatically converts data from one form to another.

9. Confidentiality-Technology and Transmission: the use of optical fiber to transfer data between terminals decreases the chance of data being stolen or corrupted; similarly, using cryptography in transmission keeps data secure.

10. Integrity-Policy and Storage: when data is to be uploaded in electronic format, the lecturer and university personnel should check the files for corruption or damage. The policy for uploading files should be maintained.

11. Integrity-Policy and Processing: processing should be done by a person who is aware of university policies and knowledgeable enough not to make mistakes in the data while processing.

12. Integrity-Policy and Transmission: the correct electronic data is accessible to students at any time using wired or wireless methods.

13. Integrity-Education and Storage: the lecturer provides up-to-date data on the university database so that students can use it without any mistakes in the information they get.

14. Integrity-Education and Processing: educational data and material should not be altered while being processed, and should be checked before the upload to the system is finalized.

15. Integrity-Education and Transmission: only accurate and useful data is uploaded to the student database, as incorrect data leads to problems in the university.

16. Integrity-Technology and Storage: the materials related to a particular subject are stored in the university database system after being checked and verified as correct and useful to students.

17. Integrity-Technology and Processing: some system or software is used to check uploaded data for its authenticity.

18. Integrity-Technology and Transmission: the data on the university network should be correct and be made available only after its integrity has been confirmed.

19. Availability-Policy and Storage: university students should be able to get data at any time from the university database. The data should comply with all the rules and policies set by the university.

20. Availability-Policy and Processing: the data on the university system should be editable by a responsible person whenever issues are found in available data.

21. Availability-Policy and Transmission: a change in data by the lecturer for their subject should be immediately available for use by students and should not violate any rules and policies.

22. Availability-Education and Storage: material stored in the university database needs to be updated and ready for use by a student at any moment.

23. Availability-Education and Processing: if any changes are to be made to lecture slides or any data, authorized personnel need to be able to access it and make it ready to be used.

24. Availability-Education and Transmission: ready-to-use data should always be in the system so that students can use and download it whenever they require.

25. Availability-Technology and Storage: all necessary documents related to a student are stored in the university database system after being checked and verified as correct, so the student can use and download them flawlessly.

26. Availability-Technology and Processing: the data on the university system should be available to be edited by a responsible person whenever an issue is found in available data.

27. Availability-Technology and Transmission: all necessary documents need to be accessible to students and lecturers to download or modify, based on privileges, at any time they want.

QUIZ

The End of Section 1

Information Technology Security Policy

1. What is a Security Policy?

An IT security policy is a document that explains the rules and overall approach that an organization uses to protect its IT resources by maintaining their confidentiality, integrity, and availability.
2. Why is a Security Policy important?

Security policies may seem like just another layer of bureaucracy, but in truth they are an important component of any information security plan. Some of the benefits of a well-designed and implemented security policy include:
1. Guides the implementation of technical controls.
A security policy explains the intentions and expectations of senior management with regard to security. It is then up to the security or IT teams to translate these intentions into specific technical actions.

For example, a policy might state that only authorized users should be granted access to proprietary company information. The specific authentication systems and access control rules used to implement this policy can change over time, but the general intent remains the same.

2. Helps meet managerial and compliance requirements.

Without a security policy, each employee or user will be left to his or her own judgment in deciding what is appropriate and what is not. This can lead to disaster when different employees apply different standards.

Example:
• Is it appropriate to use a company device for personal use?
• Can a manager share passwords with their direct reports for the sake of convenience?
• What about installing unapproved software?
Without clear policies, different employees might answer these questions in different ways. A security policy should also clearly explain how compliance is monitored and enforced.

3. Improves organizational efficiency and helps meet business objectives.
• A good security policy can enhance an organization's efficiency.
• A security policy avoids duplication of effort.
• It provides consistency in monitoring and enforcing compliance.
• Security policies should also provide clear guidance on when policy exceptions are granted, and by whom.

3. Three Types of Security Policies

1. Specific guidance on certain issues
Provide guidance on certain issues relevant to an organization's workforce. Common examples include a network security policy, social media policy, or remote work policy.

2. Strategic, high-level scheme
• High-level schemes that guide an organization's information security plan.
• Schemes explain the purpose and scope of the plan.
• They define roles and responsibilities and compliance mechanisms.

3. Focus on particular systems
Focusing on a particular type of system, such as a firewall or web server, or even an individual computer.

4. Elements of a Security Policy
1. Clear objectives.
2. Clear definitions of important terms.
3. Realistic and enforceable policies.
4. Up-to-date information.

5. Cyber Security Policy Template
1. Introduction.

The risk of data theft, scams, and security breaches can have a harmful impact on [organization name]'s systems, technology infrastructure, and reputation.

As a result, [organization name] has created this policy to help outline the security measures put in place to ensure that systems and other IT resources remain secure and protected.
2. The purpose of this policy is to:
• Protect [organization name] data, systems, and infrastructure.
• Outline the protocols and guidelines that govern cyber security measures.
• Define the rules for company and personal use.
• List the company's disciplinary process for policy violations.
3. Scope.
This policy applies to all of [organization name]'s remote workers, permanent and part-time employees, contractors, volunteers, suppliers, interns, and/or any individuals with access to the company's electronic systems, information, software, and/or hardware.

4. Rules
Confidential Data.
[Company name] defines "confidential data" as:
• Unreleased and classified financial information.
• Customer, supplier, and shareholder information.
• Customer leads and sales-related data.
• Patents, business processes, and/or new technologies.
• Employees' passwords, assignments, and personal information.
• Company contracts and legal records.
• Students' passwords.
• Students' records.
• Etc.
5. List of Policies
1. Email Policy: The purpose of this policy is to establish rules for the use of the company email for sending, receiving, or storing electronic mail.

2. Firewall Policy: This policy governs how the firewalls will filter Internet traffic to mitigate the risks and losses associated with security threats to the company's network and information systems.
3. E-Commerce Policy: This e-commerce policy is to be used as both a guideline and an overview in the management of the company's electronic services.
4. Clean Desk Policy: The purpose and principle of a "clean desk" policy is to ensure that confidential data is not exposed to individuals who may pass through the area, such as members, service personnel, and thieves. It encourages methodical management of one's workspace. Because of the risk of being compromised, confidential information should always be treated with care.

5. Anti-Virus Policy: This policy is established to help prevent infection of the organization's computers, networks, and technology systems by malware and other malicious code. This policy is intended to help prevent damage to user applications, data, files, and hardware.
6. Password Policy: The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
7. Server Security Policy: The purpose of this policy is to define standards and restrictions for the base configuration of internal server equipment owned and/or operated by or on the company's internal network(s) or related technology resources via any means.
8. Social Media Acceptable Use Policy: The use of external social media (i.e. Facebook, LinkedIn, Twitter, YouTube, etc.) within organizations for business purposes is increasing. The organization faces exposure of a certain amount of information that can be visible to friends of friends from social media. While this exposure is a key mechanism driving value, it can also create an inappropriate conduit for information to pass between personal and business contacts. Tools to establish barriers between personal and private networks and tools to centrally manage accounts are only beginning to emerge. Involvement by the IT Department for security, privacy, and bandwidth concerns is of utmost importance.
9. Vulnerability Assessment Policy: The purpose of this policy is to establish standards for periodic vulnerability assessments. This policy reflects the company's commitment to identify and implement security controls which will keep risks to information system resources at reasonable and appropriate levels.
10. Website Operation Policy: The purpose of this policy is to establish guidelines with respect to communication and updates of the company's public-facing website. Protecting the information on and within the company website, with the same safety and confidentiality standards used in the transaction of all the company's business, is necessary to the company's success.
11. Wireless (Wi-Fi) Connectivity Policy: The purpose of this policy is to secure and protect the information assets owned by the company and to establish awareness and safe practices for connecting to free and unsecured Wi-Fi, and to that which may be provided by the company.
The company provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. The company grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.
12. Internet of Things Policy: The purpose of this policy is to establish a defined IoT structure to ensure that data and operations are properly secured. IoT devices continue making inroads in the business world; therefore, it is necessary for the company to have this structure in place.
13. Risk Assessment Policy: Periodically assess the security risks in the normal operation of the system, scan for vulnerabilities, and make fixes when vulnerabilities are found.

This Information Security Risk Assessment Policy implements and supports the organization's Information Security Policies. The purpose of this policy statement is to outline the objectives and scope of the organization's information security risk assessment process.
The organization is responsible for ensuring the integrity, confidentiality, and availability of critical information pertaining to the corporation and its customers, while minimizing the impact of security procedures and policies upon business productivity.
14. Personal Use Policy

15. Encryption Policy: Outlines the requirements around which encryption algorithms (e.g. those that have received substantial public review and have been proven to work effectively) are acceptable for use within the enterprise.
16.
...
n.
Recommendations and Details of Security Policies

Policy Name: Password
Details of Security Policy:
1- User Passwords
• Passwords for {Organization-Name} network access must be implemented according to the following guidelines:
  - Passwords must be changed every 90 days.
  - Passwords must adhere to a minimum length of 10 characters.
  - Passwords must contain a combination of alphabetic, numeric, and special characters, where the computing system permits (!@#$%^&*_+=?/~';',<>|\).
  - Passwords must not be easily tied back to the account owner, such as: username, social security number, nickname, relatives' names, birth date, etc.
  - Passwords must not be dictionary words or acronyms.
  - Passwords cannot be reused for 1 year.
2- System-Level Passwords
• All system-level passwords must adhere to the following guidelines:
  - Passwords must be changed at least every 6 months.
  - All administrator accounts must have 12-character passwords which must contain three of the four items: upper case, lower case, numbers, and special characters.
  - Non-expiring passwords must be documented, listing the requirements for those accounts. These accounts need to adhere to the same standards as administrator accounts.
  - Administrators must not circumvent the Password Policy for the sake of ease of use.
3- Password Protection
• The same password must not be used for multiple accounts.
• Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential {COMPANY-NAME} information.
• Stored passwords must be encrypted.
• Passwords must not be inserted in e-mail messages or other forms of electronic communication.
• Passwords must not be revealed over the phone to anyone.
• Passwords must not be revealed on questionnaires or security forms.
• Users must not hint at the format of a password (for example, "my family name").
• {COMPANY-NAME} passwords must not be shared with anyone, including co-workers, managers, or family members, while on vacation.
• Passwords must not be written down and stored anywhere in any office. Passwords must not be stored in a file on a computer system or mobile device (phone, tablet) without encryption.
• If the security of an account is in question, the password must be changed immediately. In the event passwords are found or discovered, the following steps must be taken:
  o Take control of the passwords and protect them.
  o Report the discovery to IT.
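The rules above are the kind a directory service or self-service password portal enforces at the moment a password is set. The following added example (not from the slides or from any of the referenced templates) turns the User Passwords, System-Level Passwords and rotation rules into checks that return the list of rules a candidate password breaks. The small dictionary, the history format and the function names are constructed for the demo; a real deployment would use a full word list and keep only salted hashes of previous passwords.

```python
"""Added example (not from the slides): checking a candidate password against
the User Passwords, System-Level Passwords and rotation rules of the Password
policy above. The small dictionary, the history format and all function names
are constructed for the demo; a real system would use a full word list and
keep only salted hashes of old passwords, never the passwords themselves.
"""
import re
from datetime import date, timedelta
from typing import Iterable, List, Tuple

# Special characters listed in the policy text.
SPECIALS = set("!@#$%^&*_+=?/~';',<>|\\")
# Tiny stand-in for a real dictionary / acronym list (constructed).
SMALL_DICTIONARY = {"password", "welcome", "letmein", "qwerty", "admin", "jordan"}


def user_password_violations(password: str, personal: Iterable[str],
                             history: Iterable[Tuple[str, date]],
                             today: date) -> List[str]:
    """Return the user-level rules a candidate password breaks.

    `personal` holds strings tied to the account owner (username, nickname,
    relatives' names, birth date ...); `history` holds (old_password, date_set)
    pairs. An empty list means the password is compliant.
    """
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character")
    lowered = password.lower()
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    # "Password123!" is still the dictionary word "password" once the
    # digits and symbols are stripped, so compare the letters only.
    if re.sub(r"[^a-z]", "", lowered) in SMALL_DICTIONARY:
        problems.append("dictionary word or acronym")
    for old, when in history:
        if old == password and today - when < timedelta(days=365):
            problems.append("reused within 1 year")
            break
    return problems


def admin_password_violations(password: str) -> List[str]:
    """System-level rule: 12+ characters with three of the four classes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[a-z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        any(ch in SPECIALS for ch in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three of the four character classes")
    return problems


def rotation_due(date_set: date, today: date, max_age_days: int) -> bool:
    """90 days for user accounts, 180 days (6 months) for system-level ones."""
    return today - date_set > timedelta(days=max_age_days)


if __name__ == "__main__":
    print(user_password_violations("Password123!", ["mqatawneh"], [], date(2024, 1, 1)))
    print(admin_password_violations("adminpassword"))
```

Returning the full list of violations rather than a single pass/fail is deliberate: the user sees every rule they broke at once, and the same function can be run over an export of account metadata to report which accounts are overdue for rotation.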

Policy Name: Risk Assessment
Details of Security Policy: The risk assessment process comprises the following steps:
Step 1 – Information and data classification.
Step 2 – Threat analysis.
Step 3 – Vulnerability assessment.
Step 4 – Impact analysis.
Step 5 – Control evaluation.
Step 6 – Risk determination.
Step 7 – Results documentation.

Policy Name: Personal Use
Details of Security Policy: [Name of Organization] recognizes that employees may be required to use personal devices to access company systems. In these cases, employees must report this information to management for record-keeping purposes. To ensure company systems are protected, all employees are required to:
• Ensure all personal devices used to access company-related systems are password protected (minimum of 8 characters).
• Install full-featured antivirus software.
• Regularly upgrade antivirus software.
• Lock all devices if left unattended.
• Ensure all devices are protected at all times.
• Always use secure and private networks.

Policy Name: Email
Details of Security Policy: Protecting email systems is a high priority, as emails can lead to data theft and scams and can carry malicious software like worms and bugs. Therefore, [company name] requires all employees to:
• Verify the validity of each email, including the email address and sender name.
• Avoid opening suspicious emails and attachments, and avoid clicking on links.
• Look for any significant grammatical errors.
• Avoid clickbait titles and links.
• Contact the IT department regarding any suspicious emails.

Policy Name: Encryption Policy
Details of Security Policy:
Algorithm Requirements
• Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.
• Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to the date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.

Signature Algorithms
Algorithm | Key Length (min) | Additional Comment
ECDSA     | P-256            | Consider RFC 6090 to avoid patent infringement.
RSA       | 2048             | Must use a secure padding scheme. PKCS#7 padding scheme is recommended. Message hashing required.
LDWM      | SHA256           | Refer to the LDWM Hash-based Signatures Draft.
Hash Function:

References:
1- https://purplesec.us/resources/cyber-security-policy-templates/
2- https://www.sans.org/information-security-policy/

End
Section 2: Concepts of Security Risk Management.

This section discusses the foundational concepts of security risk management.

1. Basic Concepts: Threat, Vulnerability, Asset, and Risk (TVAR).


TVAR are the most important concepts that a Security Analyst, Risk
Analyst, or Incident Responder must understand well to help him/her in
managing security solutions and risks that may arise in the organization.

1.1. Threat ‫التهديد‬


The word “threat” is often confused with (or used interchangeably
with) the words “risk” and “vulnerability.” But in cybersecurity, it’s
important to differentiate between threat, vulnerability, and risk.
Threat is a malicious and deliberate attack by an individual or
organization that seeks to damage, steal or destroy an IT asset via
exploiting vulnerability. In general, there are three categories of
threats:
1. Intentional threats ‫التهديدات المتعمدة‬: These are the activities or methods that bad actors (hackers) use to compromise a security or software system (see the figure below).

Below are the common security threats (cybercrime) that organizations face. You should know these types of threats in order to be able to build a complete security plan (procedures and policies).

Types of Cybersecurity Threats

1.1. Malware ‫البرامج الضارة‬: Malware attacks are the most common cyber
security threats. Malware is defined as malicious software, including
spyware, ransomware, viruses, and worms, which gets installed into the
system when the user clicks a dangerous link or email. Once inside the
system, malware can block access to critical components of the network,
damage the system, and gather confidential information.
Steps that should be taken to prevent malware:
 Do not click on dangerous links.
 Do not open strange or spam emails.
 Educate users/employees: education includes keeping mobile applications, the OS, anti-virus software, etc. up to date.
 Never install mobile apps on a device, personal or company-provided, from a source outside the Apple App Store on iOS or the Google Play Store on Android.
 Organizations should install antispyware or antimalware software on every company-supplied computer or phone.
 Use a layered defense. There is a greater chance of successfully defending against spyware if antispyware and antimalware are combined with a firewall and an endpoint detection and response system.

 Create practical and effective email security policies.


 Conduct spam and content filtering for inbound email.
 Harden all systems. Assignment: what is system hardening? System hardening is a collection of tools, techniques, and best practices used to reduce vulnerability in technology applications, systems, infrastructure, firmware and other areas. It covers:
Application hardening.
OS hardening.
Server hardening.
Database hardening.
Network hardening.
Endpoint hardening.
1.2. Phishing ‫التصيد االحتيالي‬: Phishing is a cybersecurity attack in which a target or targets are contacted by email (attachments, links), telephone or text message by someone posing as a legitimate institution to lure (attract) individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. Steps that should be taken to prevent phishing:
 To protect against spam mails, spam filters can be used.
 If the URL of the website doesn't start with "https", or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Sites without security certificates may not be intended for phishing scams, but it's better to be safe than sorry.
 Rotate passwords regularly.
 Install a firewall.
1.3. Spear Phishing ‫ الخاص‬- ‫ التصيد االحتيالي‬: Spear phishing is a more sophisticated form of phishing attack in which attackers/cybercriminals target only "privileged users" such as system administrators and C-suite executives (chief executives in senior management ‫المدراء التنفيذيين باإلدارة العليا‬).
1.4. Man in the middle attack: An attack in which an attacker is positioned between two communicating parties in order to intercept and/or alter data traveling between them, for example using tools such as Wireshark or Cain and Abel to capture traffic and crack passwords. Targets: IT service providers, financial companies, government entities, etc.

Steps that should be taken to prevent MITM attacks:
 Use a VPN (virtual private network) when connecting online. A VPN encrypts the data you send online. This encryption stops the MITM attack from infiltrating your network traffic.
 Secure connections: A secure internet connection is your first line of defense. To that end, only visit websites with a secure HTTP connection using SSL (Secure Socket Layer) technology. The additional SSL protection prevents MITM attacks. These sites are easily identified since the URL starts with "https://" and not "http://".
 Endpoint security: use strong endpoint security software to protect against these threats. The best security software, such as Kaspersky Endpoint Security, checks potentially dangerous websites and emails to help you avoid falling victim to a cyberattack.
1.5. Denial of Service Attack (DoS) ‫حجب الخدمة‬: Denial of Service attacks aim at flooding systems, networks, or servers with massive traffic, thereby making the system unable to fulfill/perform legitimate requests.
1.5.1. Attacks can also use several infected devices to launch an attack on the
target system. This is known as a Distributed Denial of Service (DDoS)
attack. Attackers typically use a botnet to cause a DDoS. A botnet is a
linked network of malware-infected computers, mobile devices, and IoT
gadgets under the attacker's control. Hackers use these "zombie" devices
to send excessive numbers of requests to a target website or server's IP
address.

DDOS
How to deal with DDoS?

Improve Network Security: Network security is essential for stopping any DDoS attack attempt. As an attack only has an impact if a hacker has enough time to stack up ‫لتكديس‬ requests, the ability to identify a DDoS early on is necessary to prevent this attack. This is done by using firewalls and intrusion detection systems that act as a traffic-scanning bulkhead between networks, and by using anti-virus and anti-malware software that detects and removes viruses and malware.
1.6. SQL Injection: A Structured Query Language (SQL) injection attack occurs when cybercriminals attempt to access the database by sending it malicious SQL statements through the application's inputs. Once successful, the malicious actor can view, change, or delete data stored in the SQL database.
To understand more fully how SQL injection works, it is important first to know something about SQL, more precisely about:
1- Logical operators (AND, OR). X=10 and Y=11 are two conditions.
A) If X=10 AND Y=11 are both met then run the code xxxx, else run ccc.
B) If X=10 OR Y=12 (one or both conditions are met) then run the code yyyy.
2- To create an account, for example on Facebook, you need to register first and enter some data like your name, email, password, telephone number, country, male or female, etc. The system needs a database to save the above data and use it for verification when you want to access the system in the future (by email and password).
3- The programmer will use PHP to write a script (inside the HTML). The function of the script is to give commands to the DBMS, which in turn gives commands to (manages) the database; the site deals with the database via the database management system (DBMS), while HTML and JavaScript design the site. There is an important condition in order to protect the data: the user should not deal with the data directly. This is done by filtering what the user enters. If the programmer does not succeed in filtering what the user enters (in the script), then the user can access the DBMS and request commands from the database. This is the most dangerous thing, because the database contains the passwords, IDs, credit card data, etc.
4- Now, any site comprises three things: the database, the DBMS and the front end.
Part 2: SQL and MySQL.
SQL is a query language with a fixed set of constructs and conventions, and these constructs and conventions are used by the different databases that an RDBMS manages. MySQL is a relational database management system that uses SQL. SQL is primarily used to query and operate database systems. MySQL allows you to handle, store, modify and delete data and to store data in an organized way.

To understand more fully how SQL injection works, it is important first to know something about SQL, more precisely about the logical operators (AND, OR). X and Y are two conditions. If X AND Y are met then run the code xxxx. If X OR Y (one or both conditions are met) then run the code followed by the IF.
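To make the filtering point above concrete, here is an added example (not code from the original notes) in Python, with an in-memory SQLite table standing in for the site's database: the first login function pastes what the user typed into the SQL text, so an OR can be introduced into the intended AND condition from the password field, while the parameterized version hands the values to the DBMS separately. The table, users and passwords are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example; a real site must store salted
# password hashes, never plaintext, but the query-building point is the same.
SAMPLE_USERS = [
    ("alice@example.com", "correct-horse"),
    ("bob@example.com", "battery-staple"),
]


def make_db():
    """Create an in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_unfiltered(conn, email, password):
    """The script the notes warn about: what the user typed is pasted straight
    into the SQL text, so the user is effectively issuing commands to the DBMS.
    The intended condition is  email = X AND password = Y."""
    query = (
        "SELECT id FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, email, password):
    """Hardened form: the SQL text is fixed and the values travel separately as
    parameters, so nothing the user types can add an OR to the condition."""
    row = conn.execute(
        "SELECT id FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row is not None


def demo():
    """Return (legit_login_ok, unfiltered_fooled, parameterized_fooled)."""
    conn = make_db()
    # A correct login works with both versions.
    legit = login_unfiltered(conn, "alice@example.com", "correct-horse") and \
        login_parameterized(conn, "alice@example.com", "correct-horse")
    # A password field containing a quote and an OR turns the condition into
    #   email = '...' AND password = 'x' OR '1'='1'
    # which is true for every row (the OR case in the notes), so the
    # unfiltered script "logs in" a user that does not exist.  The
    # parameterized query compares the whole string as a password value.
    crafted = "x' OR '1'='1"
    fooled_unfiltered = login_unfiltered(conn, "nobody@example.com", crafted)
    fooled_param = login_parameterized(conn, "nobody@example.com", crafted)
    conn.close()
    return legit, fooled_unfiltered, fooled_param


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```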
1.7. Zero-day Exploit: A zero-day attack occurs when a software or hardware vulnerability is disclosed and cybercriminals exploit it before a fix is implemented.
1.8. Advanced Persistent Threats APT ‫التهديدات المستمرة المتقدمة‬: An advanced
persistent threat occurs when a malicious actor gains unauthorized access
to a system or network and remains undetected for a long time.

1.9. Ransomware ‫الفدية‬: Ransomware is a type of malware attack in which the
attacker locks or encrypts the victim’s data and threatens to publish or
block access to data unless a ransom is paid.
1.10. DNS Attack: A DNS attack is a cyberattack in which cybercriminals exploit vulnerabilities in the Domain Name System (DNS). The attackers take advantage of DNS vulnerabilities to divert site visitors to malicious pages (DNS hijacking) and to remove data from compromised systems (DNS tunneling).

2) Unintentional threats: Unintentional threats are often attributed to human error. For example:
 Someone might leave the door of the IT server room unlocked.
 Someone might leave sensitive information unmonitored.
 An employee could forget to update the firewall or anti-virus software.
 System failure due to overheating in server rooms.
 Accidental human interference, such as accidental file deletion.
 Current and even former employees may also have unnecessary access to sensitive data, or simply be unaware of the threats (which is why employee training is so important).

3) Natural threats: While acts of nature (floods, tornadoes, earthquakes, etc.) aren’t
typically associated with cybersecurity, they are unpredictable and have the potential
to damage your assets.

Cyber Threat Actors: In order to respond effectively to a cyberattack, it's imperative to know the threat actors and understand their tactics, techniques, and procedures.

1) Nation States ‫الدول‬: Cyber-attacks by a nation can have a harmful impact by disrupting communications, military activities, and everyday life.

2) Criminal Groups ‫الجماعات اإلجرامية‬
Criminal groups aim to infiltrate ‫اختراق‬ systems or networks for financial gain. These groups use phishing, spam, spyware, and malware to conduct identity theft ‫سرقة الهوية‬, online fraud ‫االحتيال‬, and system extortion ‫ابتزاز‬.

3) Hackers ‫قراصنة‬
Hackers explore various cyber techniques to breach defenses and exploit vulnerabilities in a computer system or network. They are motivated by personal gain, revenge ‫االنتقام‬, stalking ‫المطارده‬, financial gain, and political activism. Hackers develop new types of threats for the thrill of the challenge ‫الثارة التحدي‬ or for bragging ‫المفاخرة‬ in the hacker community.

4) Terrorist Groups ‫الجماعات اإلرهابية‬
Terrorists conduct cyber-attacks to destroy ‫لتدمير‬, infiltrate ‫التسلل‬, or exploit ‫استغالل‬ critical infrastructure to threaten national security, compromise military equipment, disrupt the economy, and cause mass losses.

5) Hacktivists: A hacktivist is somebody who is attempting to achieve a social or political outcome rather than financial gain. They target industries, organizations, or individuals who don't align with their political ideas and agenda.

6) Malicious Insiders ‫المطلعون الخبثاء‬
97% of surveyed IT leaders expressed concerns about insider threats in cyber security. Insiders can include employees, third-party vendors, contractors, or other business associates who have legitimate access to enterprise assets but misuse that access to steal or destroy information for financial or personal gain.

7) Corporate Spies ‫جواسيس الشركات‬
Corporate spies conduct industrial or business espionage ‫التجسس‬ to either make a profit or disrupt a competitor's business by attacking critical infrastructure, stealing trade secrets, and gaining access.

How to deal with threats?

To protect yourself from cyber threats and to keep them from materializing:
1. You need to know what cyber threats exist (previously mentioned).
2. Continuously monitor all data environments and use two-factor authentication.
3. You should also teach your employees how to recognize phishing attempts and other tactics cyber criminals use to trick people into helping them gain access to sensitive data.
Assignment:
1. List the most common threats.
2. Steps that should be taken to prevent such threats.
3. List the potential threats’ consequences.

2. Vulnerability ‫الثغرة او الضعف‬

Vulnerability: Vulnerability refers to a weakness in your hardware, software, or procedures (organizational flaw ‫عيب تنظيمي‬) that can be exploited by a threat to destroy, damage or compromise an asset. In other words, it's a gap through which a bad actor (hacker) can gain access to your assets. Threats exploit vulnerabilities.

Types of vulnerabilities:
1. Web Server Vulnerabilities - The company's website has a vulnerability such as SQL Injection, Security Misconfiguration, Insecure Cryptographic Storage, Unvalidated Redirects and Forwards, or Failure to Restrict URL Access.
 Failure to Restrict URL Access means that a normal user has access to areas on a webpage that should only be accessible to an administrator or another user.
 Unvalidated Redirects and Forwards: a redirect placed by the site owner:
http://www.goodsite.com/link.php?url=http://blog.goodsite.com
but the hacker replaces the link with another link that belongs to him:
http://www.goodsite.com/link.php?url=http://blog.attacker.com
 Insecure Cryptographic Storage: use of old/less-secure algorithms, transmitting secret data in plain text, improper cryptographic key management, missing encryption, etc.
 Security Misconfiguration: OS and firewall misconfigurations (missing ACLs).
2. Network Vulnerabilities: weak passwords, single-factor authentication, poor firewall configuration, outdated software applications.
3. Operating System Vulnerabilities: malware, denial of service attacks. Solutions: sandboxing; operating system virtualization is a form of sandboxing. Assignment: list several OS vulnerabilities (Windows, Android and Linux vulnerability lists).
4. Process Vulnerabilities: One of the most common process vulnerabilities is an authentication weakness, where users, and even IT administrators, use weak passwords.
5. Human Vulnerabilities: Human vulnerabilities are created by user errors that can expose networks, hardware, and sensitive data to malicious actors. Common human vulnerabilities include sticky notes (with passwords written on them), opening email attachments infected with malware, or forgetting to install software updates on mobile devices.
Assignment: What are the most common Network, OS, Process and Human vulnerabilities?
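The redirect in item 1 above is only safe if link.php checks where the url parameter points before redirecting. The following is an added example (not code from the original notes) of such a check in Python, assuming an allowlist of goodsite.com hosts; it validates the parsed hostname rather than the start of the string, so the attacker-controlled host from the example is rejected even when the URL is dressed up to begin with the trusted site name.

```python
from urllib.parse import urlparse, parse_qs

# Assumed allowlist for the goodsite.com site used in the notes.
ALLOWED_HOSTS = {"www.goodsite.com", "blog.goodsite.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return url if link.php may redirect to it, otherwise the safe default.

    The decision is made on the parsed hostname, not on a string prefix: a
    check like url.startswith("http://www.goodsite.com") would accept
    http://www.goodsite.com.attacker.com/ and http://www.goodsite.com@blog.attacker.com/,
    both of which actually send the visitor to attacker.com.
    """
    parsed = urlparse(url)
    # Site-relative path such as "/account": no scheme and no host.  Reject
    # scheme-relative "//host/..." (which has a netloc) and backslashes, which
    # some browsers treat as "/" and could turn into "//host".
    if parsed.scheme == "" and parsed.netloc == "":
        if url.startswith("/") and not url.startswith("//") and "\\" not in url:
            return url
        return default
    # Absolute URL: only web schemes, and only to an allowlisted host.
    if parsed.scheme not in ("http", "https"):
        return default
    host = parsed.hostname  # lowercased, with userinfo and port stripped
    if host is None or host not in allowed_hosts:
        return default
    return url


def redirect_for_link_request(query_string):
    """Handle the query string of link.php?url=... and return the Location
    header value the page should redirect to."""
    params = parse_qs(query_string)
    target = params.get("url", [""])[0]
    return safe_redirect_target(target)


if __name__ == "__main__":
    print(redirect_for_link_request("url=http://blog.goodsite.com"))  # kept
    print(redirect_for_link_request("url=http://blog.attacker.com"))  # "/"
```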
3. Asset
Organizational assets can be divided into two main types: tangible and intangible. Tangible assets, also known as organizational resources, have physical forms such as computers, network devices, money, or infrastructure. Intangible assets have logical forms, such as a web site, sensitive information and database systems, know-how (the science of knowing what to do), relations with clients, and the abilities and innovations of the employees. Information assets are the focus of what security efforts are attempting to protect by achieving CIA via the application of policy, education, training and awareness, and technology, whether in storage, processing, or transmission.

Important step: Gathering a list of an organization's assets – inventory of assets [applications, software, hardware, buildings, vehicles, land, money, etc.].

1. Gathering a list of the organization's assets
1.1. Tangible Assets
1 Computers such as desktops, laptops, iPads.
2 Servers such as mail servers, print servers, web servers, etc.
3 Network devices such as routers, switches, hubs, firewalls, etc.
4 Electronic devices such as AC machines, generators, UPS
5 Land, Vehicles, Buildings, Inventory.
6 Financial resources.
7 People – Employees or Staff with their skills.
1.2. Intangible Assets
1 Marketing related: Trademarks, trade names, trade dress,
internet domain names.
2 Contract-based: Employment contracts, Servicing contracts, Use
rights (water, electricity)
3 Technology-based: Websites, database, programs, Application
Systems, encryption algorithms, firewalls, Patented technology,
research and development, policies and procedures.
4 Customer-based: Customer lists, customer contracts, customer
credit data, customer information.

4. Risk
Cyber-risk: Cyber-risk is the intersection of Assets, Threats, and Vulnerabilities.

If the organization has a security vulnerability, the chance of its assets being threatened is high, which could potentially lead (risk) to loss, damage or destruction of an asset. In other words, Asset + Vulnerability + Threat = Risk.

4.1. When does the security risk occur?

Answer: Security risk occurs when an organization's resource (asset) has vulnerabilities that attackers/actors can easily exploit; the chance of its assets being threatened is then high, which could potentially lead (risk) to loss, damage or destruction of an asset. In other words,
Asset + Vulnerability + Threat = Risk
Keep in mind the following points related to the issue of cyber-risk for any
organization:
1. Cyber-risk is not an IT problem. It’s a whole-business challenge.
2. You should know that small to medium-sized businesses tend to be more
vulnerable to attacks. That’s because few can afford ‫ يتحمل‬a dedicated
IT/security department, making it less likely that there are security procedures
in place.

3. In order for your company to manage cyber-risk effectively, all parts and
levels of your organization need to embrace being a part of the solution.
4. Companies should be aware of their threats and vulnerabilities in order to
identify and respond to all of the risks. Continuously monitor all data
environments and use two-factor authentication.
5. You should also teach your employees how to recognize phishing attempts
and other tactics cyber criminals use to trick people into helping them gain
access to sensitive data.
6. To determine the best way to approach a specific threat, perform regular threat
assessments. Or try penetration testing ‫ اختبار االختراق‬to discover
vulnerabilities.

4.2. Aspects of an organization's security profile

From the above figure and equation we can extract the four main aspects of an organization's security profile, which will help us to manage such security risks in order to protect the organization's assets. This can be done through what's called Security Risk Management.
Table 1: aspects of an organization's security profile

Aspect: Assets
Questions: What data assets does an organization have? Where are those assets stored? How do internal and external users interact with, change, or contact those assets?
In this case, assets can mean something like data in a database or data store, cloud Software-as-a-Service applications or internal user portals.

Aspect: Controls
Questions: What technologies are in place? Where are these technologies located? Are they updated and configured correctly?
Security controls ‫الظوابط االمنية‬ can include encryption algorithms, firewalls, anti-malware technology, or identity and access management software ‫برامج إدارة الوصول والهوية‬.

Aspect: Vulnerability
Questions: Where are the weak points in the IT system? Where are assets unsecured? Are there potential unsecure places that data passes through?
Vulnerabilities are challenging to find, and discovering them can call for regular vulnerability scanning, annual penetration testing, or red team exercises.

Aspect: Threats
Questions: What is the modern cybersecurity threat landscape? Are new threats emerging?
This aspect (Threats) is often dynamic, and threats can emerge suddenly without warning. Even long-known threats can still pose challenges and call for specific security measures.

 According to the aspects of an organization's security profile that should be addressed to manage security risk, each company or organization has its own way of identifying the sources of risk that it may be exposed to and the level of these risks that it can accept.
 Therefore, to protect the assets of an organization from threats and to determine the best way to deal with such threats and security vulnerabilities, the Security Risk Management process should be an integral part of an organization's security processes.

Security and Threat Management?

The InfoSec Institute defines security management within the Certified Information Systems Security Professional framework with the following components:
• Security Model. This includes the baseline controls and decision-making regarding security within an organization based on IT infrastructure, business goals, and compliance requirements from regulations like HIPAA, GDPR, or PCI DSS.
• Confidentiality, Integrity, and Availability. In terms of data management, confidentiality refers to privacy of data, integrity to the continued stability of that data, and availability to users as needed.

• Security Governance. Most organizations of any size should have a
governing body to manage security policies and procedures, headed by a chief
technology officer, a chief information security officer, or a compliance
officer.
• Policies and Procedures. To successfully manage issues, an
organization can and should have comprehensive data governance and
cybersecurity policies to handle plans for configuration changes, upgrades,
employee training, etc.

• Business Continuity. Security is about the ability of a business to continue operations. This includes the ability to resume operations after system breaches, mitigate breaches as they happen, and remediate problem areas as they emerge.
• Risk Management. The cornerstone of risk management, risk is the measurement of potential security threats in an IT infrastructure against business and technical goals. The amount of risk a company will take on can differ between organizations, industries, or even times of year.
• Threat Modeling. A more concrete way of modeling security requirements and potential vulnerabilities in order to mitigate those vulnerabilities. It includes measuring, labeling, and prioritizing threats as needed.

End of Section 2

Section 3: Security Risk Management Process

Part 1: Introduction:

 Organizations depend on information systems to carry out (perform) their missions and business functions. The success of the missions and business functions depends on protecting the confidentiality, integrity and availability of information processed, stored, and transmitted by those systems and the privacy of individuals.
 The threats to information systems include intentional threats, unintentional
threats and natural threats previously discussed in section 2.
 When successful, attacks on information systems can result in serious or
catastrophic damage to organizational operations and assets, individuals, other
organizations, and the Nation.

 Therefore, it is imperative that organizations remain careful and that senior executives, leaders, and managers throughout the organization understand their responsibilities and are accountable for protecting organizational assets and for managing risk.
Risks are a major concern for companies, whether at the business level or in cybersecurity.

 But most companies fail to identify or find solutions to these risks, especially technological risks, before they occur.

 Therefore, the Department of Information and Cyber Security in any organization plays a major role in identifying, evaluating and reducing risks. This can be done by applying the Security Risk Management Process.
 There is a close relationship between cyber security and risk management
because cyber security is a part of risk management.

 Cyber security refers to the processes, practices, and technologies that a
company uses to protect its assets like programs, devices, and data from damage,
attack, or access by unauthorized individuals.

Definition: The Security Risk Management process is the ongoing process of identifying, analyzing, evaluating, and addressing your organization's security risks.
 Risk management allows managers to balance the operational and economic
costs of protective measures that protect their assets to achieve the organization’s
mission.
 Goal of Risk management: Organizations must design, develop and implement
risk management strategies in order to reduce negative impacts and to provide a
structured, consistent basis for making decisions around risk mitigation options.

Several Security Risk Management Processes.

 There are several standards that describe how to conduct an information security risk assessment, such as NIST, the ISO 27001 standard, the ISO 27005 standard, etc.
 Unfortunately, most organizations start risk assessment after a system or service has been running for a while. This is a big mistake = this is considered poor management and planning.

Brief introduction to such standards

1. NIST: National Institute of Standards and Technology.
NIST developed a Risk Management Framework to improve InfoSec and strengthen risk management processes. It provides a dynamic and flexible approach to effectively manage security and privacy risk in diverse environments. This standard consists of 4 steps as shown in the figure below.
 Prepare for assessment: establishing a context and priorities for
managing security and privacy risk. Identify the purpose of the
assessment. Identify the assumptions associated with the assessment,
etc.

 Conduct Assessments: This step comprises five sub-phases: identify threat sources, identify vulnerabilities, assign likelihood, assign impact, and finally determine the risk.
 Maintain Assessment: Assessment is a continuous process. Monitor the risk factors identified in the risk assessment.
 Communicate Results: communicate with the managers and employees and report the current risk assessment to them. Share information with the staff.

2- ISO 27001 standard

ISO 27001 standard

3- CMMC - the Cybersecurity Maturity Model Assessment is a new requirement for
all members of the Defense Industrial Base.
4- SOC 2 - developed by the AICPA to provide guidance on the security,
availability, integrity, and privacy of sensitive user information.
5- HIPAA - the Health Insurance Portability and Accountability Act was passed in
the US in 1996 to create standards for electronic health records and to also provide
standards for the security and privacy of sensitive health information.
6- ISO 27005 Standard

ISO 27005 Standard

Conclusion
 Not all risk assessments fit into your organization.
 Unfortunately, most organizations start risk assessment after a system or service has been running for a while. This is a big mistake = this is considered poor management and planning.
 There are commonalities between the concepts and terminologies used to identify, evaluate and manage risks among these different standards.
 You may ask, which assessment framework is the best starting point for you?
Answer: There is no one-size-fits-all solution. A smart approach is to use a hybrid assessment framework, one that has been customized to meet your organization's specific business and compliance requirements. Work with your management team or hire an experienced consulting firm to give you objective advice.

Why do you need an IT risk assessment?

 IT risk assessment is the foundation of any IT security strategy; it allows managers to understand what events can affect the organization in a negative way and what security gaps pose a threat to critical assets (information, etc.), so that managers can make better security decisions and take smarter proactive measures.
 IT risk assessment helps managers determine the vulnerabilities in the IT environment, assess the likelihood that a risky event will occur, and rank risks based on the risk estimate and the level of impact it would cause if it occurs.
 IT risk assessment is required to gain international accreditation certificates.

 The two broadest cybersecurity frameworks are the NIST Cybersecurity Framework and the ISO 27000 standards.
 In all standards the risk management process has two phases: risk assessment, also known as risk analysis, and risk treatment. We will explain these phases in more detail later.

Part 2: ISO 27005 Security Risk Management Process

 The ISO 27005 risk management process implies a continual information risk management process based on five key components/steps:

1. Context establishment.
2. Risk assessment/Risk analysis.
3. Risk treatment.
4. Risk communication and consultation.
5. Risk monitoring and review.

1. Context Establishment: Preparing for the risk assessment

https://www.ipa.go.jp/files/000078098.pdf
 Context Establishment: this phase, which was not included in previous (earlier) risk management process descriptions, consists of defining the scope of the risk management process, defining the organization's objectives, selecting the basic model, and establishing the risk evaluation criteria. The context comprises both external elements (regulatory environment, market conditions, and stakeholder expectations) and internal elements (the organization's governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc.).
 In addition to that, the risk management context sets:
 The criteria for how risks are identified.

 Who is responsible for risk ownership?
 How risks impact the confidentiality, integrity, and availability of the
information.
 How risk impact and likelihood are calculated.

2. Risk Assessment/Risk Analysis

Definition: Risk assessment is the process of identifying threats and assessing the likelihood of those threats exploiting some organizational vulnerability, as well as the potential impact of such an event occurring. Risk assessment is the process by which risks are identified and assessed/estimated.

Goal of the Risk assessment: The goal of risk assessment is not to eliminate all
risks, but to reduce them by linking risks to business goals, objectives and assets.

Many organizations choose to follow an asset-based risk assessment process


comprising five key stages:

Step #1 Collect the information you need to assess risks.
 Interview management and employees.
 Analyze the systems and infrastructure.
 Review documentation (the organization's objectives, how risk impact and
likelihood are calculated, how risks impact the CIA of the data, rules, standards,
etc.).
Step #2 Gather a list of all the organization's valuable assets that could be
damaged by threats. Here are just a few examples:
 Servers.
 Website.
 Client or customer information.
 Trade/scientific/commercial/industry secrets.
 Customer credit card data.
 Files on a file share.

Important points:
1. Because most organizations have a limited budget for risk assessment, you will
likely have to limit the scope of the project to mission-critical (important)
assets.
 Accordingly, we need to define an Asset Classification Key (ACK) for
determining the importance of each asset (asset value).
 The importance of each asset can be calculated based on one or more
of the following criteria:
i. The asset's monetary value.
ii. Legal standing.
iii. Importance to the organization.

The Asset Classification Key can be as shown in the following table.

Suggested Asset Classification Key (ACK)

| Asset value | Critical | Major | Minor |
|-------------|----------|-------|-------|
| Score       | 3        | 2     | 1     |

Or, on a five-point scale:

| Asset value | Acute | Major | Significant | Minor | Insignificant |
|-------------|-------|-------|-------------|-------|---------------|
| Score       | 5     | 4     | 3           | 2     | 1             |

Once the Asset Classification Key (ACK) has been approved by management and
formally incorporated into the risk assessment security policy, use it to classify each
asset you identified. We suggest the following assets with the importance (asset value)
of each one as shown in Table 1. (Servers appear twice because two different threats
to them, overheating and flooding, are tracked as separate risks in the later tables.)

Table 1

| Asset                 | Asset value |
|-----------------------|-------------|
| Servers               | Critical    |
| Website               | Critical    |
| Servers               | Critical    |
| Files on a file share | Minor       |

Note: You can represent the classification key using numbers [critical = 3; major = 2;
minor = 1].
Step #3 Identify the potential impact (consequences).
 In other words, we need to determine what harm the organization would
suffer if a given asset were damaged. This is a business concept: the
likelihood (probability) of financial or other business losses. Here are a
few impacts (consequences) you should care about:
1- Legal consequences. If somebody steals data from one of your
databases, even if that data is not particularly valuable, you can incur
legal costs because you failed to comply with the data protection
requirements of HIPAA, PCI DSS or another compliance regime.
2- Data loss. Theft of trade secrets (very important information related
to clients, etc.) could cause you to lose business to your competitors.
Theft of customer information could result in loss of trust and customer
attrition.
3- System or application downtime. If a system fails to perform its
primary function, customers may be unable to place orders, employees
may be unable to do their jobs or communicate, and so on.
Question: Based on the organization's assets suggested in Table 1,
how can the impact or consequences be determined?
Answer: The impacts and consequences that will affect the organization's assets
(which may be internal or external) can be identified and gathered in different ways,
such as:
 Conducting interviews with employees.
 Risks observed by employees.
 Brainstorming.
 Expectations, experience, etc.

Suppose the impacts or consequences identified and gathered in the above
ways are as shown in Table 2.

Table 2

| Asset                 | Asset value | Impact                                                                          |
|-----------------------|-------------|---------------------------------------------------------------------------------|
| Servers               | Critical    | All services (website, mail, etc.) will be unavailable for at least 3 hours.    |
| Website               | Critical    | Website resources will be unavailable.                                          |
| Servers               | Critical    | All services will be unavailable.                                               |
| Files on a file share | Minor       | Critical data could be lost but almost certainly could be restored from backup. |

#3.1. Now we need to assign the value of the impact of the risk and the likelihood
(probability).
 The value of the impact can be assigned/interpreted using two approaches, as
shown in the impact assessment key below:

Impact assessment key

| 1 Qualitative approach  | Very weak                  | Weak                       | Medium                          | High                                                                       | Very high                                                         |
|-------------------------|----------------------------|----------------------------|---------------------------------|----------------------------------------------------------------------------|-------------------------------------------------------------------|
| 2 Quantitative approach | 1                          | 2                          | 3                               | 4                                                                          | 5                                                                 |
| Explanation             | Happens once every 7 years | Happens once every 5 years | Happens once every 2 to 4 years | Happens less than once a year; the services will be unavailable for minutes | Happens many times during a year; the service will be unavailable |

(Note that this explanation row is written in terms of frequency, which is really a
likelihood property. When you build your own key, describe impact levels by the
magnitude of harm, e.g. outage duration, data lost or cost, and keep frequency in the
likelihood key.)

 In the same way, we need to assign the risk likelihood (probability), which
means the probability of a potential risk occurring.

Likelihood assessment key

| 1 Qualitative approach  | Very weak                                   | Weak                        | Medium                        | High                                                                       | Very high                                                         |
|-------------------------|---------------------------------------------|-----------------------------|-------------------------------|----------------------------------------------------------------------------|-------------------------------------------------------------------|
| 2 Quantitative approach | 1                                           | 2                           | 3                             | 4                                                                          | 5                                                                 |
| Explanation             | Probability of happening once every 6 years | Happens twice every 4 years | Happens 3 times every 4 years | Happens less than once a year; the services will be unavailable for minutes | Happens many times during a year; the service will be unavailable |

Methods for analyzing and prioritizing risks are divided into two kinds:

1- Qualitative risk analysis
2- Quantitative risk analysis

Note #1: The impact and likelihood can range from:

1) 1 to 3, for example [weak = 1, medium = 2, high = 3], which means that a
3x3 matrix will be used to evaluate the risk, as we will see later.
 This range can be used when the number of impacts/consequences is
small, the probability is low and the risk is weak or medium.
2) 1 to 5 [very weak = 1, weak = 2, medium = 3, large = 4, very large = 5], which
means that a 5x5 matrix will be used to evaluate the risk, as we
will see later.
 This range can be used when the number of impacts/consequences
is large, the probability is medium to high and the risk is medium
or high.
3) 1 to 10 [very weak = 1, weak = 2, ... up to 10], which means a 10x10 matrix.
Note #2: We will use the qualitative approach, because we define these values ourselves.
Note #3: Quantitative analysis needs very accurate numbers, and is used to
assess very high risks at the level of countries and security matters (nuclear risks, etc.).
Note #4: You decide which type of matrix is used.
Note #5: The estimation of the values of both impact and likelihood depends on
several factors, such as the experience of the staff, the organization's risk history,
the criteria of previous risk management processes, estimates made by relevant experts,
and analysis of hypotheses and scenarios (it should not be estimated by one person,
but by a team).

The result of step #3.1 so far is shown in Table 3.

Table 3

| Asset                 | Asset value | Impact                                                                          | Impact value/level | Likelihood                                                                   |
|-----------------------|-------------|---------------------------------------------------------------------------------|--------------------|------------------------------------------------------------------------------|
| Servers               | Critical    | All services (website, mail, etc.) will be unavailable for at least 3 hours.    | Very high          | Very high: current temperature in the server room is 40 °C                   |
| Website               | Critical    | Website resources will be unavailable.                                          | Very high          | Medium: a DDoS was discovered once in 2 years.                               |
| Servers               | Critical    | All services will be unavailable.                                               | Very high          | Low: the last flood in the university/factory/country happened 10 years ago. |
| Files on a file share | Minor       | Critical data could be lost but almost certainly could be restored from backup. | Weak               | Medium: data was lost once in 2 years.                                       |

Step #3.2 We need to calculate the risk for each of the suggested organization's assets
according to the following equation:

Risk = Impact x Likelihood

Figure 2: Risk. (Glossary of the figure's terms: extent: range; adverse: negative;
likelihood: probability; impact: damage incurred by the event.)

Table 3 (with risk column): The risks for the suggested organization's assets

| Asset                 | Asset value | Impact                                                                          | Impact value/level | Likelihood                                                                   | Risk                              |
|-----------------------|-------------|---------------------------------------------------------------------------------|--------------------|------------------------------------------------------------------------------|-----------------------------------|
| Servers               | Critical    | All services (website, mail, etc.) will be unavailable for at least 3 hours.    | Very high          | Very high: current temperature in the server room is 40 °C                   | High = 16; potential loss $50,000 |
| Website               | Critical    | Website resources will be unavailable.                                          | Very high          | Medium: a DDoS was discovered once in 2 years.                               | High = 8; potential loss $3,000   |
| Servers               | Critical    | All services will be unavailable.                                               | Very high          | Low: the last flood in the university/factory/country happened 10 years ago. | Medium = 4                        |
| Files on a file share | Minor       | Critical data could be lost but almost certainly could be restored from backup. | Weak               | Medium: data was lost once in 2 years.                                       | Weak = 2                          |

Note: the numeric risk scores in this table do not follow from the 1 to 5 keys above
(Very high x Very high would be 5 x 5 = 25, and Very high x Medium would be 5 x 3 = 15).
Whatever keys you adopt, recompute the score from them so that the score, the band and
the matrix agree.

Figure 2: 5x5 Risk Assessment Matrix (quantitative risk analysis using a 5x5 matrix;
each cell gives the rating level for one impact x likelihood pair).
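As an added worked example (not part of the original slides), the following Python code applies steps #3.1 to #7 to the four assets above: it maps the qualitative impact and likelihood levels to the 1 to 5 keys, computes Risk = Impact x Likelihood, places each score in the 5x5 matrix bands used in step #6 (1 to 8 low, 9 to 15 medium, 16 to 25 high) and sorts the register for step #7. The register rows are constructed from the tables above; reading the "Low" likelihood of the flood row as the key's "weak" level (2) is an assumption, as is the air-conditioning control used at the end.

```python
"""Asset-based risk scoring with 1-5 impact/likelihood keys and a 5x5 matrix.

Added example: the keys and bands follow the lecture text; the register rows are
constructed from its tables and the "Low" likelihood is mapped to the key's
"weak" level (assumption).
"""
from dataclasses import dataclass

# Qualitative level -> quantitative value (the impact and likelihood assessment keys).
LEVEL_KEY = {"very weak": 1, "weak": 2, "medium": 3, "high": 4, "very high": 5}
ALIASES = {"low": "weak", "very low": "very weak"}  # assumption: "Low" in the tables = "weak"

# Acceptability bands of the 5x5 matrix (step #6).
BANDS = ((1, 8, "low"), (9, 15, "medium"), (16, 25, "high"))
ACCEPTABLE_MAX = 8


def level_value(level: str) -> int:
    """Translate a qualitative level ("Very High", "low", ...) to its 1-5 value."""
    key = level.strip().lower()
    key = ALIASES.get(key, key)
    if key not in LEVEL_KEY:
        raise ValueError(f"unknown level: {level!r}")
    return LEVEL_KEY[key]


def band(score: int) -> str:
    """Map a risk score to the low/medium/high band of the 5x5 matrix."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside the 5x5 matrix (1-25)")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: str       # qualitative impact level
    likelihood: str   # qualitative likelihood level

    def score(self) -> int:
        """Risk = Impact x Likelihood (step #3.2)."""
        return level_value(self.impact) * level_value(self.likelihood)

    def needs_treatment(self) -> bool:
        """Step #6: anything above the acceptable band must be treated."""
        return self.score() > ACCEPTABLE_MAX


def prioritize(register):
    """Step #7: return (risk, score, band) tuples, highest score first."""
    rows = [(r, r.score(), band(r.score())) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def residual_score(risk: Risk, impact_after: str, likelihood_after: str) -> int:
    """Score after a control has changed the impact and/or likelihood level."""
    return level_value(impact_after) * level_value(likelihood_after)


# Constructed register built from the four rows of Table 3.
REGISTER = [
    Risk("Servers", "system failure: overheating in server room", "Very high", "Very High"),
    Risk("Website", "malicious: SQL injection, DDoS", "Very high", "Medium"),
    Risk("Servers", "natural disaster: flooding", "Very high", "Low"),
    Risk("Files on a file share", "accidental deletion", "Weak", "Medium"),
]

if __name__ == "__main__":
    for risk, score, level in prioritize(REGISTER):
        flag = "treat" if risk.needs_treatment() else "accept"
        print(f"{risk.asset:<22} {risk.threat:<45} {score:>2} {level:<6} {flag}")
    # Assumed treatment: a new air-conditioning unit drops the overheating
    # likelihood to "very weak", which brings the score back into the low band.
    print("overheating after control:", residual_score(REGISTER[0], "Very high", "Very weak"))
```

Running it prints the register in priority order (25 high, 15 medium, 10 medium, 6 low) and shows that only the file-share risk is within the acceptable band; the residual calculation is how you check that a proposed control really brings a risk into the low range before closing it.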

Step #4 Identify threats and their level [High, Medium, Low]. A threat is anything
that might exploit a vulnerability to breach your security and cause harm to your
assets. Here are a few common types of threats:

| Threat                                       | Threat level | Asset                 | Asset value | Impact                                                                          | Impact value/level | Likelihood                                                                   | Risk       | Financial loss         |
|----------------------------------------------|--------------|-----------------------|-------------|---------------------------------------------------------------------------------|--------------------|------------------------------------------------------------------------------|------------|------------------------|
| System failure: overheating in server room   | High         | Servers               | Critical    | All services (website, mail, etc.) will be unavailable for at least 3 hours.    | Very high          | Very high: current temperature in the server room is 40 °C                   | High = 16  | Potential loss $50,000 |
| Malicious: SQL injection, DDoS attack        | High         | Website               | Critical    | Website resources will be unavailable.                                          | Very high          | Medium: a DDoS was discovered once in 2 years.                               | High = 8   | Potential loss $3,000  |
| Natural disaster: flooding                   | High         | Servers               | Critical    | All services will be unavailable.                                               | Very high          | Low: the last flood in the university/factory/country happened 10 years ago. | Medium = 4 |                        |
| Accidental human interference: file deletion | High         | Files on a file share | Minor       | Critical data could be lost but almost certainly could be restored from backup. | Weak               | Medium: data was lost once in 2 years.                                       | Low = 2    |                        |

Step #5 Identify vulnerabilities and assess the likelihood of their exploitation [High,
Medium, Low].
 A vulnerability is a weakness that allows some threat to breach your security and
cause harm to an asset. Vulnerabilities can be web server vulnerabilities,
network vulnerabilities, OS vulnerabilities, process vulnerabilities and human
vulnerabilities.
 Vulnerabilities can be identified through vulnerability analysis, audit reports,
etc.

| Vulnerability                                                                                  | Vulnerability level | Threat                                       | Threat level | Asset                 | Asset value | Impact                                                                          | Impact value/level | Likelihood                                                                   | Risk       | Financial loss         |
|------------------------------------------------------------------------------------------------|---------------------|----------------------------------------------|--------------|-----------------------|-------------|---------------------------------------------------------------------------------|--------------------|------------------------------------------------------------------------------|------------|------------------------|
| Air conditioning system is ten years old                                                       | High                | System failure: overheating in server room   | High         | Servers               | Critical    | All services (website, mail, etc.) will be unavailable for at least 3 hours.    | Very high          | Very high: current temperature in the server room is 40 °C                   | High = 16  | Potential loss $50,000 |
| Firewall is configured properly and has good DDoS mitigation                                   | Low                 | Malicious: SQL injection, DDoS attack        | High         | Website               | Critical    | Website resources will be unavailable.                                          | Very high          | Medium: a DDoS was discovered once in 2 years.                               | High = 8   | Potential loss $3,000  |
| Server room is on the 3rd floor                                                                | Low                 | Natural disaster: flooding                   | High         | Servers               | Critical    | All services will be unavailable.                                               | Very high          | Low: the last flood in the university/factory/country happened 10 years ago. | Medium = 4 |                        |
| Permissions are configured properly; IT auditing software is in place; backups are taken regularly | Low             | Accidental human interference: file deletion | High         | Files on a file share | Minor       | Critical data could be lost but almost certainly could be restored from backup. | Weak               | Medium: data was lost once in 2 years.                                       | Low = 2    |                        |

Step #6 Evaluate each risk against predetermined levels of acceptability.

According to Figure 2 (quantitative risk analysis using the 5x5 matrix) in step
#3.2, we can evaluate the risks as follows:

 We consider the risk acceptable (accepted risk) if the risk value ranges
from 1 to 8 (low). The organization can work without any problem.
 We consider the risk medium if the risk value ranges from 9 to 15.
Here we start applying security control measures (discussed in section
4) until the value of the risk is reduced to the low range [1-8].
 We consider the risk high if the risk value ranges from 16 to 25. Here
we also start applying security control measures (discussed in section
4) until the value of the risk is reduced to the low range [1-8].

Applied to the scores in the tables above, only the overheating risk (16) falls in the
high band; a score of 8 lies in the low band under these limits, so the "High = 8" label
on the website risk is inconsistent with them and should be re-derived from the keys
you adopt.

Step #7 Prioritize which risks need to be addressed, and in which order.

 Prioritize the information security risks. For each threat/vulnerability pair,
determine the level of risk to the IT system based on the following:
1) The likelihood that the threat will exploit the vulnerability.
2) The impact of the threat successfully exploiting the vulnerability.
3) The adequacy of the existing or planned information system security
controls for eliminating or reducing the risk.

Note: a 3x3 risk matrix (figure not reproduced here) is used in the same way when
the 1 to 3 scale is chosen.
Important Terms

 Risk appetite: the amount or total of risk that an organization
is willing to accept to achieve its objectives.
 Risk tolerance: the level or amount of risk that an
organization can accept per individual risk.
Risk tolerance defines the upper and lower levels that an organization is able to
deal with / absorb without significantly impacting the achievement of its strategic
objectives.

Risk threshold is the level of risk exposure above which risks are addressed and
below which risks may be accepted. Above the threshold: outside the risk appetite.
Below the threshold: within the risk appetite.

Inherent risk: the total amount of security risk present within an IT ecosystem
(a group of interconnected information technology resources that can function as a
unit) in the absence of cybersecurity controls.
Residual risk: the total amount of security risk present within an IT ecosystem
with cybersecurity controls in place.

See https://www.upguard.com/blog/risk-appetite-calculation-third-party-risk-management
on how to calculate risk appetite.

3: RISK TREATMENT
A risk treatment plan (RTP) is an essential part of an organization’s InfoSec
program. A solid risk assessment and risk treatment process produce a stable InfoSec
program.
What Is a Risk Treatment Plan?
This is a comprehensive project plan for implementing risk treatment
recommendations. Risk treatment recommendations are a list of safeguards or
processes that may be implemented and operated to reduce the likelihood and/or
impact of inherent risks.

Risk treatment involves developing a range of options for mitigating the risk. Then
you assess those options, prepare a plan of attack through your risk treatment
strategy and start implementing controls. The highest-rated risks should be
addressed as a matter of urgency.
There are three standard levels:

High risk: expected to occur often
Medium risk: expected to occur occasionally
Low risk: expected to occur rarely

Impact is the harm that may be suffered when a threat compromises an information
asset. Likelihood is how often the risk event might happen. Combining impact with
likelihood (Risk = Impact x Likelihood, as in step #3.2) gives the inherent risk. This
little equation establishes the priority for control measures to treat different risks.

Developing a Risk Treatment Plan

Depending on the type of risk, there are four risk treatment options:

Risk Treatment Options [how do organizations treat risks?] Risk treatment options
can be divided into 4 options:

1- Risk avoidance: an approach that eliminates the risk entirely.
Example 1 of risk avoidance: if a company has a website and that website could
be hacked, the company simply closes or cancels that website. Of course, this is
not the best option, but it is one of the solutions that can be used. This option can
be chosen if the consequences of this risk are severe for the company.

2- Risk acceptance: also known as risk retention; taking no action
to reduce the likelihood of a risk occurring. This option can be
chosen if the consequences of this risk are very small, or the risk can be tolerated
and does not affect the business of the company [Accept: to acknowledge the
risk but decide that any actions to avoid or mitigate the risk would be too costly or
time-consuming; the benefits do not exceed the cost].
Example of risk acceptance.

3- Risk mitigation: taking actions to prevent or reduce
the possibility of a risk event or its impact. Risk
mitigation is one of the most used methods. Example: as discussed in
example 1, the company tries to raise the level of protection of the site through
the use of certain tools and software, through training the programmers and
administrators of the site, or by using a web application firewall.

4- Transfer: passing the risk to another party, who will accept the financial impact
of the harm resulting from the risk. Example: the programming of the company's
website is carried out by another specialized company that is responsible for all
risks related to this site.
[Transfer: to take action(s) by transferring the risk to another entity (e.g., an
insurance company).]

4. Risk communication and consultation

 Communication and consultation. This task helps understand stakeholders'
interests and concerns, to check that the risk management process is focusing on
the right elements, and also helps explain the rationale for decisions and for
particular risk treatment options.

 For each risk recognized in your risk assessment, you need to have a document,
digital or print, that outlines your program.
 First, you specify your chosen risk treatment option (accept, transfer, mitigate,
avoid). Next, you outline your approach to treating the risk, highlighting any
relationships or interdependencies with other risks. It is also important to assign
responsibility. Having a designated person accountable for monitoring and
reporting on the progress of the RTP implementation disperses the workload and
keeps everyone on track.

5. Risk monitoring and review

 Monitoring and review: this task consists of measuring risk management
performance against indicators, which are periodically reviewed for
appropriateness. It involves checking for deviations from the risk management
plan, checking whether the risk management framework, policy and plan are still
appropriate given the organization's external and internal context, reporting on risk,
progress with the risk management plan and how well the risk management
policy is being followed, and reviewing the effectiveness of the risk management
framework.

How Often Should a Company Conduct Risk Assessments?

There are several ways to conduct security assessments. Broadly speaking, the
following guidelines are a good starting point for measuring risk and security:

| Risk assessment test                        | Schedule               |
|---------------------------------------------|------------------------|
| Risk assessment (full-scale IT evaluations) | Annually               |
| Penetration testing                         | At least once per year |
| Vulnerability scanning                      | Monthly                |
Example: The chance that the company's website will be exposed is 40%, and the value
of the website, or the profits that come from this site, is $100,000. Then, according to
the equation, the expected value of the loss is $40,000.

Quantitative (monetary) risk example: 40% x $100,000 = $40,000

From the expected value of the loss, $40,000, the company can
determine the methods or controls of protection that can be used to reduce the risks
to which the company's site may be exposed.
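To carry the quantitative calculation above one step further, here is an added Python example (not from the slides) that expresses the $40,000 figure as an annual loss expectancy and uses it to compare candidate controls by cost and benefit, which is how "determine the methods or controls of protection" is done with numbers. The SLE/ARO/ALE terms and the control-value formula are standard quantitative risk-analysis formulas that the page does not name; the candidate controls, their prices and their effect on the rate of occurrence are constructed for illustration.

```python
"""Quantitative (monetary) risk: loss expectancy and control cost/benefit.

Added example. Standard formulas (not named on the lecture page):
    SLE = asset value x exposure factor          (loss from one incident)
    ALE = SLE x ARO                              (expected loss per year)
    control value = ALE_before - ALE_after - annual control cost
The page's own case (40% chance of losing a $100,000 website) is modelled as
exposure factor 1.0 and ARO 0.4, which gives the same $40,000.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # value of the asset in dollars
    exposure_factor: float   # fraction of the asset lost in one incident, 0.0-1.0
    aro: float               # annual rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    after: Scenario          # the scenario once the control is in place


def control_value(before: Scenario, control: Control) -> float:
    """Net yearly benefit of a control; positive means it pays for itself."""
    return round(before.ale() - control.after.ale() - control.annual_cost, 2)


def choose_control(before: Scenario, controls):
    """Pick the control with the largest positive value; None if none pays off."""
    best = max(controls, key=lambda c: control_value(before, c), default=None)
    if best is None or control_value(before, best) <= 0:
        return None
    return best


# The lecture's figures: a $100,000 website with a 40% chance of being exposed.
WEBSITE = Scenario(asset_value=100_000, exposure_factor=1.0, aro=0.4)

# Constructed candidate controls (prices and effects are illustrative assumptions).
CANDIDATES = [
    Control("web application firewall (mitigate)", annual_cost=8_000,
            after=Scenario(100_000, 1.0, aro=0.1)),
    Control("outsource the site to a specialist (transfer)", annual_cost=35_000,
            after=Scenario(100_000, 1.0, aro=0.05)),
    Control("do nothing (accept)", annual_cost=0, after=WEBSITE),
]

if __name__ == "__main__":
    print(f"ALE without controls: ${WEBSITE.ale():,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:<48} ALE after ${c.after.ale():>9,.0f}"
              f"  value ${control_value(WEBSITE, c):>9,.0f}")
    chosen = choose_control(WEBSITE, CANDIDATES)
    print("best option:", chosen.name if chosen else "accept the risk")
```

With these constructed numbers the firewall nets $22,000 a year, the transfer option breaks even (its $35,000 fee eats the whole reduction) and accepting the risk nets nothing, so the mitigation is chosen; change the assumed rates and costs and the same code re-ranks the options, which is the point of doing the analysis quantitatively.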
The End of Section 3

Section 4: Security Controls

Introduction
We understand the process of risk management and how to identify and evaluate
the risks to which the company may be exposed.
 Now the turn comes to determine the methods or controls that we must use to
protect the company's assets. This is not an easy task because the company
has many assets (software and hardware, buildings, staff, reputation, etc.).

 The goal of security controls is to avoid, detect, counteract, or minimize
security risks to physical property, information, computer systems, or other
assets.

 Definition of security controls: security controls are the physical,
technical and administrative mechanisms that act as specific safeguards
or countermeasures for an information system to protect the confidentiality,
integrity and availability of information and to meet a set of security
requirements.
 The implementation of security controls should reduce risk to an acceptable
level. Security controls include any type of policy, procedure, technique,
solution or plan designed to achieve that goal.
 Examples of security controls include firewalls, IDS, IPS, antivirus,
encryption, etc.
Security controls can be divided into three types:
Types of Security Controls

1- Physical Security Controls: physical security controls are
implemented via tangible mechanisms such as cameras, gates, locks, entrances,
fences, etc. to protect the organization's assets from unauthorized physical access,
loss, theft and vandalism.

Requirements that physical security controls must cover:

1. Authorized access to critical places in the organization such as:
 Data center.
 Disaster recovery center.
 Security monitoring system.
 Where sensitive data are stored and processed.
 Network monitoring room.

Who is allowed, and who is not allowed?

2. Access and monitoring logs.

3. Secure methods of destruction for physical assets that contain sensitive
information (paper documents, storage media such as hard drives, etc.),
using hard drive shredding and paper shredding.

2- Technical/Operational Security Controls: technical security controls include
any measures taken to reduce risk via technological means.
 Common technical security controls include firewalls, intrusion detection
systems (IDS), encryption, anti-virus software, identification and
authentication mechanisms, and data backups.
 Security cameras, for example, are both a technical and a physical control.
 Technical controls can be configuration settings or parameters stored as
data, managed through a software GUI, or they can be hardware settings
made on switches, routers, etc.
 If the organization has sensitive and important data, and its management
wants to limit access to this data or these services to a specific group of
employees or clients and prevent others, this is done through technical
controls: settings on a specific device (routers or switches) or settings
in a particular system.

Types of technical security controls:

1. Network Security Management: isolation, logical and physical partitioning
of the network using firewalls, DMZs, etc.
2. Data and Information Protection.
3. Backup and Recovery Management:
 Ability to recover data and systems after exposure to cybersecurity
incidents.
 Conducting periodic checks on the effectiveness of restoring backup
copies.
4. Penetration Testing:
 Assessing and testing the effectiveness of security mechanisms in the
organization.
 Detecting vulnerabilities that may lead to a cyber-attack.
5. Email Protection:
 Analyzing and filtering phishing and spam emails using advanced
protection techniques.
 Multifactor authentication for remote access.
6. Vulnerability Management:
 Regularly check for and discover vulnerabilities.
 Classify the vulnerabilities according to their severity (impact).
 Address vulnerabilities based on the type of risk.
7. Mobile Device Security, etc.
3- Administrative/Management Controls: administrative controls define the
human factors of security. They involve all levels of personnel within an
organization and determine which users have access to what resources and
information by such means as:

1. Training and awareness.
2. Disaster preparedness and recovery plans.
3. Personnel recruitment and separation strategies.
4. Personnel registration and accounting.

They lay down the procedures that show how to deal (1) between employees, (2) between
employees and senior management, (3) with other companies and (4) with customers.
These procedures should be clear and strict, and the principle of
punishment/penalty and reward should be applied.

Examples of administrative controls are policies and procedures.
Summary:

Controls by function: preventive, detective, corrective.

Monitoring and Reviewing

 Monthly, every 3 months or yearly.

 Vulnerabilities: web server, network, OS, process (authentication,
passwords), human.
 What technologies are in place?
 Where are these technologies located?
 Are they updated and configured correctly?
 Training.
 Hiring policy.
 Termination policy.
Threat Modeling

Definition
Threat modeling is a procedure for enhancing application, system, or business
process security by identifying vulnerabilities before a threat actor can exploit them,
and then defining countermeasures (security controls) to prevent or mitigate the
effects of threats to the asset (systems, applications, data, etc.).
The aim of the threat modeling process is to get a clear picture of various assets of
the organization, the possible threats to these assets, and how and when these threats
can be mitigated. The end product of threat modeling is a robust security system.

Advantages of Threat Modeling:

1. Identify potential threats and vulnerabilities.
2. Helps IT managers understand the impact of threats.
3. Prioritize remediation methods.
4. The threat modeling process helps an organization document knowable
security threats to an application and make rational decisions about how to
address them. Otherwise, decision-makers could act rashly based on
scant/weak or no supporting evidence.
Therefore, threat modeling is highly needed to help any organization or system to
protect its assets as well as to maintain the productivity and reputation of the
organization.
Threat modeling can be approached in three different ways:
Asset-centric: Take stock of various assets and analyze the vulnerability of each.
Attacker-centric: Think of possible attackers, what asset each would want to attack,
and how.
Software-centric: Focus on the system design, how the data flows between
various layers, and how it is configured.
What are the five main steps in the threat modeling process?
When performing threat modeling, several processes and aspects should be included.
Failing to include one of these components can lead to incomplete models and can
prevent threats from being properly addressed.
Five main steps
1. Apply threat intelligence (gather information)
This step includes information about types of threats, affected systems, detection
mechanisms, tools and processes used to exploit vulnerabilities, and motivations of
attackers.
Threat intelligence information is often collected by security researchers. It is used
to enrich the understanding of possible threats and to inform responses.
2. Identify assets
Teams need a real-time inventory of components and data in use, where those
assets are located, and what security measures are in use. This inventory helps
security teams track assets with known vulnerabilities.
3. Identify mitigation capabilities
Mitigation capabilities generally refer to technology to protect against, detect, and
respond to a certain type of threat, but can also refer to an organization's security
expertise and abilities, and its processes.
4. Assess risks
Risk assessments correlate (tie in) threat intelligence with asset inventories and
current vulnerability profiles. These are necessary for teams to understand the
current status of their systems and to develop a plan for addressing vulnerabilities.
5. Perform threat mapping
Threat mapping is a process that follows the potential path of threats through your
systems. It is used to model how attackers might move from resource to resource
and helps teams anticipate where defenses can be more effectively layered or
applied.
Top threat modeling methodologies and techniques
When performing threat modeling, there are multiple methodologies you can use.
The right model for your needs depends on what types of threats you are trying to
model and for what purpose.
 STRIDE is a threat model, created by Microsoft engineers, which is meant to
guide the discovery of threats in a system. It is used along with a model of the
target system (for example, a data-flow diagram of its processes, data stores,
external entities and data flows). This makes it most effective for evaluating
individual systems. STRIDE is an acronym for the types of threats it covers, which are:

Spoofing: a user or program pretends to be another.
Tampering: attackers modify components, data or code.
Repudiation: an actor can deny having performed an action because events are not
logged, monitored or attributable.
Information disclosure: data is leaked or exposed.
Denial of service (DoS): services or components are overloaded or exhausted to
prevent legitimate use.
Elevation of privilege: attackers grant themselves additional privileges to gain
greater control over a system.
 VAST (Visual, Agile, and Simple Threat modeling).
 CVSS (Common Vulnerability Scoring System): strictly a scheme for rating the
severity of individual vulnerabilities, often used alongside a threat model to
prioritize its findings rather than a threat modeling methodology in itself.
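As an added illustration of the STRIDE entry above (example code, not from the slides, from Microsoft or from any tool): a small software-centric model in Python with three elements and two data flows, which enumerates the STRIDE categories that apply to each element kind and flags the flows that cross a trust boundary without encryption, since those carry the tampering and information-disclosure threats that most urgently need a countermeasure. The per-element mapping used (external entity: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D) is the STRIDE-per-element convention from Microsoft's SDL practice and is not stated on the page; the browser / web application / database model is constructed.

```python
"""STRIDE-per-element over a small data-flow model.

Added example. The STRIDE letters that apply to each element kind follow the
STRIDE-per-element mapping from Microsoft's SDL threat modeling practice
(assumption; the lecture lists only the six categories). The three-tier model
(browser -> web app -> database) is constructed for illustration.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Element kind -> STRIDE letters that are meaningful for it (STRIDE-per-element).
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # "external_entity", "process" or "data_store"
    zone: str    # trust zone, e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    encrypted: bool


def crosses_trust_boundary(flow: Flow) -> bool:
    """A flow whose endpoints sit in different trust zones crosses a boundary."""
    return flow.src.zone != flow.dst.zone


def enumerate_threats(elements, flows):
    """Return (target, category) pairs: one entry per applicable STRIDE letter."""
    threats = []
    for e in elements:
        threats += [(e.name, STRIDE[c]) for c in PER_ELEMENT[e.kind]]
    for f in flows:
        threats += [(f.name, STRIDE[c]) for c in PER_ELEMENT["data_flow"]]
    return threats


def unprotected_boundary_flows(flows):
    """Flows that cross a trust boundary in the clear: their tampering and
    information-disclosure threats have no countermeasure yet (e.g. TLS)."""
    return [f.name for f in flows if crosses_trust_boundary(f) and not f.encrypted]


# Constructed model of a typical shop website.
BROWSER = Element("customer browser", "external_entity", "internet")
WEBAPP = Element("web application", "process", "dmz")
DB = Element("orders database", "data_store", "internal")
ELEMENTS = [BROWSER, WEBAPP, DB]
FLOWS = [
    Flow("HTTPS request", BROWSER, WEBAPP, encrypted=True),
    Flow("SQL query", WEBAPP, DB, encrypted=False),
]

if __name__ == "__main__":
    for target, category in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{target:<20} {category}")
    print("treat first:", unprotected_boundary_flows(FLOWS))
```

The enumeration yields 18 candidate threats for this model; the boundary check narrows the first round of work to the unencrypted SQL link between the DMZ and the internal zone, which is the kind of design flaw the "Misconceptions" paragraph says a code review would not surface.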

Misconceptions of threat modeling

Penetration testing and code reviews cannot substitute for threat modeling. Penetration
testing and secure code review are two activities that are effective for finding bugs
in code. However, security assessments such as threat modeling are better at
uncovering design flaws/errors/defects.
The STRIDE Method Via Example - Identifying Security Vulnerabilities

1- https://www.youtube.com/watch?v=qi-WT4ApueA
2- https://www.youtube.com/watch?v=SOQrDrLpo8c (in Arabic)
3- https://www.youtube.com/watch?v=Wry2get_RRc
4- https://www.youtube.com/watch?v=fggB70PxhmA
5- https://www.spiceworks.com/it-security/network-security/articles/what-is-threat-modeling-definition-process-examples-and-best-practices/#:~:text=Identifying%20an%20encryption%20algorithm%20used,outdated%20encryption%20algorithm%20like%20MD5.
6- https://www.synopsys.com/glossary/what-is-threat-modeling.html#:~:text=When%20performed%20correctly%2C%20threat%20modeling,about%20how%20to%20address%20them.
Section 5: Cybersecurity Governance ‫حوكمة األمن السيبراني‬

Outlines

1- Introduction to Governance
2- Building a Cybersecurity Governance Program
3- Governance Metrics
4- International Standards and Certificates

1. Introduction to Cybersecurity Governance

1.1. What is Cybersecurity Governance?

Definition 1: Cyber security governance is a process for overseeing the


cybersecurity teams who are responsible for mitigating business risks.

‫حوكمة األمن السيبراني هي عملية تشرف على فرق (مجموعات) األمن السيبراني المسؤولة عن التخفيف‬
.‫من مخاطر األعمال‬
Definition 2: The process of how an organization is managed, usually includes all
aspects of how decisions are made for that organization, such as policies, roles, and
procedures the organization uses to make those decisions in order to achieve the
organization’s goals.

‫ مثل‬، ‫ عادة ما تتضمن جميع جوانب كيفية اتخاذ القرارات لتلك المنظمة‬، ‫عملية كيفية إدارة المنظمة‬
.‫السياسات واألدوار واإلجراءات التي تستخدمها المنظمة التخاذ تلك القرارات‬
Main Points:

 Governance includes all the procedures, standards, regulations, and policies
that are needed to help us (the owner or administrator of the organization)
achieve the organization’s objectives, minimize risk, eliminate
vulnerabilities, and monitor all technical, operational and administrative activities.
 Governance defines the role of each person in the organization.
 The governance of banks may be different from the governance of hospitals,
the oil and gas sector, etc.
 No one governance fits all organizations.
 Governance is associated with Risk and Compliance (GRC).

1.2. Why Do We Need Governance? What is the Need for Cybersecurity
Governance?

1. To handle the infrastructure complexity of the organization: many
organizations deal with multiple systems and data sets; the question is who
decides which systems and data are important, should be protected, and
should be given the highest priority when managing risks.
2. Several organizations, such as banking institutions, increasingly rely on
sophisticated technology to manage customer relations, monitor regulatory
compliance, and execute core business functions such as lending.
3. To protect assets.
4. Organizations have goals that must be achieved, such as profits and a
good reputation.
5. Organizations must also abide by the laws and regulations
imposed by governments.

Therefore, organizations require governance that addresses the above reasons
to make sure that:

 We are doing the right things.
 We are doing them the right way.
 We are getting them done well.
 We are getting the benefits.
1.3. What Will Cybersecurity Governance Provide?

1. Strategic alignment with the business

What does this mean?

 A company XXX has a website that is used for electronic shopping. The
governance must take into account that the company's goal is to gain
profits, maximize reputation, etc., and for this it must set appropriate
standards, policies, and regulations to ensure the achievement of its goals.
 Governance objectives are compatible with the objectives of the
company.
 You need to know the goals of the organization to achieve strategic
alignment with the business.

2. Risk management: as discussed in Section 3.

1.4. How Can Governance Address the Above Reasons?

By implementing the following core elements of governance:

 Regulations.
 Standards.
 Policies.
 Procedures.

Main elements of governance

Regulations imposed by governments mainly contribute to the
formulation of standards, standards help in building policies, and
internal laws and policies help in building procedures in every
organization. These four are called the elements of governance.

1. Regulations

Regulations are commonly used in the form of laws, usually from government
(not to be confused with governance), and typically carry financial penalties for
noncompliance. Examples: laws that protect personal health information and laws that
protect personal information.

2. Standards

Examples: IEEE, ISO, NIST

Policies and Procedures

 The cybersecurity department must define the organization’s security policies
and procedures, which include all controls and requirements needed for
ensuring security.
 The policies and procedures that include security controls and requirements
should be documented and approved by the responsible authority in the organization.
 The cybersecurity department must disseminate policies and procedures to relevant
employees and parties.
 The cybersecurity department must ensure that cybersecurity policies and
procedures are implemented by the relevant parties.
 Cybersecurity policies and procedures must be supported by technical security
standards (for example, technical security standards for firewalls, databases,
operating systems, etc.).
 Cybersecurity policies and procedures should be reviewed and updated
periodically.
3. Policies

Examples: clean desk policy; encryption policy to encrypt the company’s data;
HR policies (for any new employee, his professional history must be
checked, i.e., a background check).

4. Procedures

Examples: system updates (to update or upgrade a server you should follow a
defined set of steps); implementing a new system (you should follow a set of steps);
decommissioning process (disposal of devices or systems that have reached end of life).

2. Establishing/Building the Governance Program

To establish the governance we need to:

 Interview the stakeholders (clients, administration, organization’s
departments such as HR, etc.) to know what they need from the security
program. The IT department, for example, needs to protect the technology it has,
protect assets, etc.
 Develop and implement policies, procedures, regulations, etc.
 Monitor and respond to the governance program by using some
measurements, identify the weak points, and adjust the plan
(a continuous job, not a one-time job).

3. Governance Metrics

 Resolve all high risks – monthly.
 Implement a SOC solution: a Security Operation
Center (SOC) is a centralized function within an organization employing
people, processes, and technology to continuously monitor and improve an
organization's security posture while preventing, detecting, analyzing, and
responding to cybersecurity incidents.

Why do we need a SOC? With the increase in cyber-attacks and the need for
centers that continuously follow up all events that occur in the organization, there is a great
need for a monitoring center for security events, which helps to have a complete
view of security events and also helps to detect intrusions and breaches.

What are the objectives of a SOC?

1- Objectives from a security point of view:
 Increased ability and speed of detecting threats.
 Increased ability and speed of response.
 Detect all unauthorized events/accesses.
 Provide a centralized way to control and monitor all activities in the
organization.

2- Objectives from a business point of view:
 Reducing the interruption of the services provided by the
organization.
 Reducing the impact of problems or risks on the work.
 Minimize or prevent the leakage of documents (private or
sensitive documents) as much as possible.

The SOC can perform its function through the following elements:

1) Technology
2) Policy
3) Operation
4) People
5) Threat Intelligence

1- Technology

 Technology: such as vulnerability scanners and vulnerability assessment
(external assessment, internal assessment, application
assessment, wireless network assessment).
 Log Management: IPS/IDS logs, firewall logs, and SIEM
(Security Information and Event Management).

SIEM: a system that collects logs and events from more than one source and
presents them to you so that you can analyze them and take the appropriate action.
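As an added illustration of what a SIEM does (example code, not part of the original slides), the Python below normalizes constructed firewall and IDS log lines into one event schema and then applies a simple correlation rule so an analyst has something to act on. The log lines, host names, addresses and the rule's threshold are all constructed assumptions.

```python
"""Minimal SIEM-style aggregation and correlation (added example, not from
the slides). Events from two constructed sources are normalized into one
schema, then a correlation rule flags what an analyst should act on."""
import re
from collections import defaultdict

# Constructed firewall and IDS lines; hosts and addresses are illustrative.
FIREWALL_LOG = """\
2024-05-01T10:00:01 fw1 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-01T10:00:03 fw1 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-05-01T10:00:07 fw1 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
"""
IDS_LOG = """\
2024-05-01T10:00:05 ids1 ALERT sig="SSH brute force" src=203.0.113.5 dst=192.0.2.10
2024-05-01T10:01:00 ids1 ALERT sig="Port scan" src=203.0.113.5 dst=192.0.2.10
"""
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)$')

def normalize(fw_text, ids_text):
    """Parse both sources into one common event schema (the SIEM's first job)."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": ts, "source": host, "type": "fw_" + action.lower(),
                           "src": src, "dst": dst, "detail": "dport=" + dport})
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, host, sig, src, dst = m.groups()
            events.append({"ts": ts, "source": host, "type": "ids_alert",
                           "src": src, "dst": dst, "detail": sig})
    return sorted(events, key=lambda e: e["ts"])  # one timeline across sources

def correlate(events, min_denies=2):
    """Rule (assumed threshold): a (src, dst) pair with >= min_denies firewall
    denies and at least one IDS alert is escalated; either signal alone is noise."""
    denies, alerts = defaultdict(int), defaultdict(list)
    for e in events:
        key = (e["src"], e["dst"])
        if e["type"] == "fw_deny":
            denies[key] += 1
        elif e["type"] == "ids_alert":
            alerts[key].append(e["detail"])
    return {key: {"denies": n, "alerts": alerts[key]}
            for key, n in denies.items() if n >= min_denies and alerts[key]}
```

Calling `correlate(normalize(FIREWALL_LOG, IDS_LOG))` escalates only the source that was both denied twice by the firewall and flagged by the IDS against the same destination; the allowed connection from the other address is not reported.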
Examples of SIEM:

1- IBM Security QRadar
2- Splunk
3- LogRhythm
2- Policy

1- Log Collection Policy
2- Incident Response Policy
3- Monitoring Policy
4- Vulnerability Management Policy
5- Shifts Policy
6- Reporting Policy

3- Operation

 SOC Manager
 System Engineer
 SOC Analysts

4- Threat Intelligence

Some Threat Intelligence platforms and tools:

 AlienVault OTX
 IBM X-Force Exchange
 Palo Alto Networks AutoFocus
 LogRhythm Threat Lifecycle Management (TLM) Platform
 Maltego
 Shodan

4. International Standards & Certificates.

https://www.youtube.com/watch?v=L67hxMnzebA (from minute 40)

Quiz