Material Fcybersecurity Foundation CSFPC V062022A en

Who is CertiProf®?
CertiProf® is an Examination Institute founded in Unites States in 2015. Located in Sunrise, Florida.
Our philosophy is based on the creation of knowledge in community and for this purpose its collaborative
network is made up of:
• CLL's (CertiProf Lifelong Learners) certification candidates are identified as Continuing Learner,
proven their unwavering commitment to lifelong learning, which is vitally important in today's ever-
changing and expanding digitalized world. Regardless of whether they win or fail the exam
• ATP's (Accredited Trainer Partners) universities, training centers and facilitators worldwide make
up our partner network
• Authors (co-creators) are industry experts or practitioners who, with their knowledge, develop
content for the creation of new certifications that respond to the needs of the industry
• Internal Staff: Our distributed team with operations in India, Brazil, Colombia, and The United
States is in charge of overcoming obstacles, finding solutions and delivering exceptional results
Our Accreditations and Affiliations

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
2
Agile Alliance
CertiProf® is a Corporate Member of the Agile

Alliance.
By joining the Agile Alliance corporate program,

we continue empowering individuals by helping
them reach their potential through education.
Every day, we provide more tools and resources
allowing our partners to train professionals
that are looking to improve their professional
development and skills.
https://www.agilealliance.org/organizations/
certiprof/
IT Certification Council - ITCC
CertiProf® is an active Member of ITCC.
The fundamental purpose of the ITCC is to

support the industry and its member companies

by marketing the value of certification, promoting
exam security, encouraging innovation, and
establishing and sharing industry best practices.
Credly
CertiProf® is a Credly partner.
This alliance allows people and companies

certified or accredited with CertiProf® to have a
worldwide distinction through a digital badge.
Credly is the largest repository of badges in the

world and leading technology companies such as
IBM, Microsoft, PMI, Scrum.org, Nokia, Stanford
University, among others issue their badges with
Credly.
3
Badge
https://www.credly.com/org/certiprof/badge/cyber-security-foundation-professional-certificate-
csfpc
Lifelong Learning
Earners with this badge have proven their

unwavering commitment to lifelong learning,
vitally important in today's ever-changing and
expanding digital world. It also identifies the
qualities of an open-minded, disciplined, and
constantly evolving mind, capable of using and
contributing its knowledge to develop a more
equal and better world.
Earning Criteria:
• Be a CertiProf certification candidate

• Be a continuous and focused learner
• Identify with the concept of lifelong learning
• Truly believe and identify with the concept
that knowledge and education can and should
change the world
• Want to boost your professional growth
4
Who should attend to this certification?
• Everyone
• End Users
• Managers
CSFPC™
• Duration: 16 hours
• Language: English/Spanish
• Class Formats:
• Instructor-led
• Self-Study
• Prerequisites:
• None — Entry Level
• Applicable Exams:
• Cyber Security Foundation Professional Certificate
Presentation

Name
Company
Job title
Experience
Expectations
5
Course Methodology
Presentation Videos
Examples
Activities
Cyber Security Program Based on CyBOK

• Cyber Security Foundation CSFPC
Content
• Module 0: NIST - Cybersecurity for Small Business
• Module 1: CyBOK - Cybersecurity Fundamentals
• Module 2: Risk Management
• Module 3: Law / Regulation
• Module 4: Human Factors
• Module 5: Privacy & Online Rights
• Module 6: Malware & Attack Technologies
• Module 7: Adversarial Behaviour
• Module 8: Security Operations & Incident Management
• Module 9: Certification Exam
6
Learning Objectives
• Understand the importance of Cybersecurity

• Understand the key concepts related to Cyber Security
• Understand the concepts related to human, organizational, and regulatory aspects
• Understand the concepts related to Attacks and Defenses
7
8
AGENDA
Module 0: NIST - Cybersecurity for Small Business 16

Cybersecurity for Small Business 17
Cybersecurity for Small Business 17
Cybersecurity Objectives 18
Confidentiality 18
Integrity 19
Availability 19
Small Business, Big Impact 20
Cybersecurity Basics Resources 20
Cybersecurity Threats 21
Phishing Attacks 21
Ransomware 21
Hacking 22
Imposter Scams 22
Environmental Threats 22
Elements of Risk 23
Impact of an Incident 23
What are you protecting? 24
1. Identify Your Business Assets 25

2. Identify the Values of the Assets 25
3. Document the Impact to your Business of Loss/Damage to the Assets 26
4. Identify Likelihood of Loss or Damage to the Asset 27
5. Identify Priorities and Potential Solutions 27
NIST Cybersecurity Framework 29
Cybersecurity Framework Functions 30
Learning Objectives 31
The Framework Core 31
An Excerpt from the Framework Core 32
Identify 32
Sample Identify Activities 33
Protect 33
Sample Protect Activities 34
Detect 34
Sample Detect Activities 35
Respond 35
Sample Respond Activities 36
9
Recover 36
Sample Recover Activities 37
Framework 37
Everyday Tips 38
Resources 38
Module 1: CyBOK – Cyber Security Fundamentals 39
Cyber Security Definition 40
CyBOK Knowledge Areas 41
Deploying CyBOK Knowledge To Address Security Issues 43
Functions Within A Security Management System 45
Principles 45
Crosscutting Themes 47
Cyberspace 50
Module 2: Risk Management & Governance 51
Topics Covered in this Lesson 52
What is Risk? 52
Why is risk assessment and management important? 53
What is cyber risk assessment and management? 55
Risk Governance 55
The Human Factor and Risk Communication 56
Security Culture and Awareness 57
Enacting Security Policy 57
Risk Assessment and Management Principles 59

Element of Risk 59
Risk Assessment and Management Methods 60
Component-driven Cyber Risk Management Frameworks 61
System-driven Cyber Risk Management Methods 61
Risk Assessment and Management In Cyber-physical Systems and Operational Technology 62
Security Metrics 62
What constitutes Good and Bad metrics? 62
Business Continuity 63
ISO/IEC 27035-1:2016 63
NCSC- ISO/IEC 27035 64
Conclusion 64
Module 3: Law and Regulation 65
Introduction 66
Challenges 66
Response 67
Out of Scope 67
10
Introductory Principles of Law and Legal Research 68
“To Prove” Something 68
“Standards” of Proofs 69
Applying Law to Cyberspace and Information Technologies 69
Distinguishing Criminal and Civil Law 70
Jurisdiction 70
A Taxonomy of Jurisdiction 71
Prescriptive Jurisdiction 71
Enforcement Jurisdiction 71
The Data Sovereignty Problem 72
Privacy Laws in General and Electronic Interception 72
State Interception (Lawful Access) 73
Non-state Interception 73
Data Protection 74
The “Players” 74
What is regulated? 75
“Personal Data” vs “PII” 75
Data Protection Highlights 76
Computer Crime 76
Crimes Against Information Systems 77
Recurring Challenges 77
Contract 77

Contract as Means to Encourage Security Behaviours 78
Limits of Influence 78
Relative Influence of Contract Over Security Behaviours 79
Breach of Contract & Remedies 79
Tort 80
Tort Examples 80
Negligence (Fault Based Liability) 81
Product Liability (Strict Liability) 81
Quantum of Loss (QQ) 82
Attributing and Apportioning Liability 82
Intellectual Property 83
Reverse Engineering 83
Internet Intermediaries Shields from Liability and Take-down Procedures 84
Dematerialization of Documents and Electronic Trust Services 84
Legal Challenges Emerge 85
Other Regulatory Matters 85
Public International Law 86
11
State Attribution 86
Limiting Operations 86
Ethics 87
Codes of Conduct 87
Vulnerability Testing and Disclosure 88
Legal Risk Management 88
Module 4: Human Factors 89
Introduction 90
Human Factors 90
Security Has to be Usable 90
Fitting the Task to the Human 91
Human Capabilities and Limitations 91
STM and One-time password (OTPs) 92
General Human Capabilities and Limitations 92
CAPTCHA 92
Goals and Tasks 93
Capabilities and Limitations of the Device 93
Human Error 94
Latent Design Conditions 94
Awareness and Education 94
What usability issues do developers face? 96
Developers are not the Enemy! The Need for Usable Security APIs 96
Usability Smells: An Analysis of Developers’ Struggle With Crypto Libraries 97

Module 5: Privacy & Online Rights 98
Introduction 99
Overview 99
Privacy as Confidentiality 99
What is the problem? 100
What is privacy? 100
Defining Privacy 101
Privacy as… 101
Privacy as Transparency 101
Privacy as Control 101
Limits of Control and Transparency 102
Privacy Threat Landscape 102
Formal Approach to Inference Control 102
Data Confidentiality 103
12
Metadata Confidentiality 106
Privacy as Control 107
Privacy as Transparency 107
Privacy Technologies 107
Privacy Engineering 108
Privacy Evaluation 109
Conclusions 109
Module 6: Malware & Attack Technologiesv 110
Introduction 111
Malware 111
A Taxonomy of Malware 111
Malware Taxonomy: Dimensions 112
Taxonomy: Examples 112
Potentially Unwanted Programs (PUPs) 113
Malicious Activities by Malware 113
The Cyber Kill Chain 114
The Cyber Kill Chain Model 114
Underground Eco-system 115
Action Objectives 115
Malware Analysis 116
Acquiring Malware Data 116
Static Analysis 116

Other Analysis Techniques 117
Analysis Environments 118
Common Environments 118
Safety and Live-Environments 119
Anti-Analysis and Evasion Techniques 119
Malware Detection 120
Evasion and Countermeasures 120
Detection of Malware Attacks 121
ML-based Security Analytics 121
ML-based Malware Detection 122
Evasion of ML-based Malware Detection 122
Concept Drift 123
Malware Response 123
Disrupt Malware Operations 124
Attribution 124
Evasion and Countermeasures 125
Conclusion 125
13
Module 7: Adversarial Behaviour 126
Introduction 127
A Characterization of Adversaries 127
Interpersonal Offenders 128
Cyber-enabled Organized Criminals 128
Cyber-dependent Organized Criminals 128
Hacktivists 129
State Actors 129
The Elements of a Malicious Operation 130
Specialized Services 130
Human Services 131
Payment Methods 131
Models to Understand Malicious Operations 131
Attack Trees : Example of an Attack 132
Cyber Kill Chain 132
Environmental Criminology 133
Attack Attribution 134
Module 8: Security Operations & Incident Management 135
Introduction 136
What is it about? 136
Timeline and Scope 136
Overall MAPE-K loop 137
Components of MAPE-K Monitor-Analyse-Plan-Execute 137

Deployment of SOIM Technologies 138
Architectural Principles Typical Architecture 138
Intrusion Detection and Prevention Systems 139
MONITOR: Data sources 139
Network Data Sources: Possible Detections 140
Application Data Sources 140
System Data Sources 140
Syslog 140
Frequent Data Sources Issues 141
Analysis of Traces 141
From Event to Incident 142
Misuse Detection 142
Anomaly Detection 143
General Intrusion Detection Issues 143
Typical Architecture Security Information and Event Managementures 143
Data Collection in SIEMs 144
14
Alert Correlation 144
Mitigations and Countermeasures Tools and Techniques 145
Intelligence and Analytics 145
Incident Management Lifecycle 146
Conclusion 146
Module 9: Certification Exam 147
Badge 148
Exam Conditions 148
15
Module 0: NIST -
Cybersecurity for Small
Business
Cybersecurity for Small Business
Why Cybersecurity Matters for your Small Business
More
NIST Interagency Report 7621, revision 1
Small Business Information Security: The Fundamentals
Section 1: Background: What is Information Security and Cybersecurity?
https://doi.org/10.6028/NIST.IR.7621r1
Complexity of a Modern Small Business

• Email
• Mobile devices
• Corporate website
• Social media
• Ecommerce systems
• Online banking
• BYOD and office policy
• Network management
• Backup and remote access
17
Cybersecurity Objectives
IALITY More
ENT
NIST Special
ID Publication 800-
CO NF 12, revision 1
INT An Introduction to
EG R
ITY Information
Security section
1.4
B ILITY
VAILA
A
Confidentiality
21
Example:
Criminal steals customers’
usernames, passwords, or
credit card information.

ALITY
D E NTI
CO NFI
Protecting information from unauthorized access and disclosure.
18
Integrity
Example:
Someone alters payroll
information or a proposed
product design.
INT
EG R
ITY
Protecting information from unauthorized modification.
Availability
Example:

Your customers are
unable to access your
online services.
ILITY
ILAB
AVA
Preventing disruption in how information is accessed.
19
Small Business, Big Impact
Why put your already limited resources into preparing for and protecting against
cybersecurity attacks?
Vulnerability Business Costs Reputation
Attackers can see Attacks can be Customers and

small businesses as extremely costly and employees expect and
easy targets. threaten the viability of trust you to keep their
your business. information secure.
Cybersecurity Basics Resources

20
Cybersecurity Threats
• Phishing Attacks
• Ransomware
• Hacking
• Imposter Scams
• Environmental events
Phishing Attacks

• Social engineering attack involving trickery
• Designed to gain access to systems or steal data
• Targeted phishing is “spear phishing”
• Variants include “vishing” – attacks by telephone and “smishing” those using SMS or text
Example:
An email about a delayed shipment causes you to click a link and download malware to your network
Ransomware
• Type of software with malicious intent and a threat to harm your data
• The author or distributor requires a ransom to undo the damage
• No guarantee the ransom payment will work
• Ransom often needs to be paid in cryptocurrency
Example:
WannaCry was one of the most devastating ransomware attacks in history, affecting several hundred
thousand machines and crippling banks, law enforcement agencies, and other infrastructure.
21
Hacking
• Unauthorized access to systems and information

• Website attack such as DDOS
• Access denied to authorized users
• Stolen funds or intellectual property
Example:
Newspaper kiosk’s point-of-sale system was hacked; malware installed. Every customer’s credit card
information was sent to criminals.
Imposter Scams
• Someone “official” calls or emails to report a crisis situation
• They represent the IRS, a bank, the lottery or technical support
• There will be a sense of urgency and a dire penalty or loss if you don’t act
Example:
IRS scams – You receive a phone call claiming to be the IRS, reporting you owe money and need to pay
or else get hit with a fine.
Environmental Threats
• Natural threats such as fire, earthquake, flood can cause harm to computers or disrupt business
access
• Recovery efforts attract scams such as financial fraud
• Downtime can lose customers, clients who can’t wait
Example:
Ellicott City flooding wiped out businesses and their computers.
22
Elements of Risk
• What are the threats?

• What are the vulnerabilities?
• What is the likelihood of a threat exploiting a
vulnerability?
• What would be the impact of this to your
business?
Impact of an Incident
• Damage to information or information systems

• Regulatory fines and penalties / legal fees
• Decreased productivity
• Loss of information critical in running your business
• An adverse reputation or loss of trust from customers
• Damage to your credit and inability to get loans from banks
• Loss of business income
23
What are you protecting?
To practice cybersecurity risk management, you can start with these steps:
1. Identify your business’ assets

2. Identify the value of these assets
3. Document the impact to your business of loss or damage to the assets
4. Identify likelihood of loss or harm
5. Prioritize your mitigation activities accordingly
24
1. Identify Your Business Assets
List the types of information, processes, important people and technology your business relies upon.
Customer info Key employees

Also consider critical
business processes
Banking info Manufacturing Process
like sales and
budgeting.
Proprietary technology
Identify your business assets on the worksheet.

• In column 1 of the worksheet, list the assets Asset
(e.g., information, people, processes, or
technology) that are most important to your
Patient health information
business
• Add more rows, if needed Devices storing patient
information (laptops, server in
closet, mobile devices)

Processing patient claims to
insurance
Receiving payments from

insurance and patients
3rd party email provider
2. Identify the Values of the Assets
• What would happen to my business if this asset was

made public?
Go through each asset type
• What would happen to my business if this asset was
you identified and ask these
damaged or inaccurate?
questions:
• What would happen to my business if I/my customers
couldn’t access this asset?
25
Identify the assets values on the worksheet.
• Pick an asset value scale that works for you Asset Value of the Assets
(e.g., low, medium, high or a numerical range
like 1-5) Patient health
High, due to regulations
information
Devices storing patient

information (laptops,
Medium
server in closet, mobile
devices)
Processing patient
High
claims to insurance
Receiving payments
from insurance and High
patients
3rd party email provider Medium
3. Document the Impact to your Business of Loss/Damage to the Assets

• Consider the impact to your business if each asset were lost, damaged, or reduced in value (e.g.,
intellectual property revealed to competitors)
• This impact may differ from the asset value determined in step 2
• Pick an impact value scale that works for you (e.g., low, medium, high)
• Consider if any business processes have manual backup methods
Impact of loss / Damage
Asset Value of the Assets
to the Assets
Patient health information High, due to regulations High

information (laptops,
Medium High
server in closet, mobile
devices)
Medium (can institute

Processing patient claims
High manual processes
to insurance
temporarily)

High High
3rd party email provider Medium Medium
26
4. Identify Likelihood of Loss or Damage to the Asset
• List the threats to each business asset

• Evaluate the likelihood that the asset may be lost or damaged by the threat(s)
Impact of loss / Damage Likelihood of loss/damage

Asset Value of the assets Threats to the assets
to the assets to the asset
Patient health information High, due to regulations High Hackers, ransomware Medium

information (laptops, Thieves, malware,
Medium High Low
server in closet, mobile phishing
devices)

Processing patient claims
High manual processes Denial of service, hackers Low
to insurance
temporarily)

High High Denial of service, hackers Low
3rd party email provider Medium Medium Phising, malware Medium
5. Identify Priorities and Potential Solutions

• Compare your impact and likelihood scores.
Assets with high impact and/or likelihood Sample Priority
scores should be assigned top priorities Structure
• Identify your priorities
• Identify potential solutions
High: Implement
• Develop a plan, including funding, to implement
immediate resolution.
the solutions
Medium: Schedule a
resolution.
Low: Schedule a
resolution.
27
Risk Matrix
High Medium High High
Medium Low Medium High
Impact Low Low Low Medium
Low Medium High
Likelihood
Prioritize
Prioritize Asset
Asset Protection
Protection
Impact of loss / Damage Likelihood of Prioritization of

Asset Value of the assets Threats to the assets
to the assets loss/damage to the asset protection to the asset
Patient health
High, due to regulations High Hackers, ransomware Medium High
information

information (laptops, Thieves, malware,
Medium High Low Low
server in closet, mobile phishing
devices)

Processing patient claims Denial of service,
High manual processes Low Low
to insurance hackers
temporarily)
Receiving payments from Denial of service,

High High Low Low
insurance and patients hackers
3rd party email provider Medium Medium Phising, malware Medium Medium
28
NIST Cybersecurity Framework
Framework for improving critical infrastructure cybersecurity
For organizations of any

Provides a continuous size, in any sector, whether Has proven useful to a
process for cybersecurity they have a cyber risk variety of audiences
risk management management program
already or not
More
Framework for Improving Critical Infrastructure Cybersecurity version 1.1
29
Cybersecurity Framework
Functions
Learning Objectives
• Fundamental Concepts of Cybersecurity NIST

1.1 (Cybersecurity Framework)
• Introduction to cybersecurity framework.
• Risk management and the cybersecurity
framework
• Implementation of the cybersecurity
framework
• Establish or improve communicative
cybersecurity
• Methodology to protect privacy and civil
liberties
• Self-assessment of cybersecurity risk with the CertiProf® Lead Cybersecurity Professional Certificate – LCSPC™
framework
The Framework Core
Function
Identify

Protect Establishes a Common Language.
• Describes desired outcomes

• Understandable by everyone
Applies to any type of risk management
Detect •
• Defines the entire breadth of cybersecurity
• Spans both prevention and reaction
Respond
Recover
31
An Excerpt from the Framework Core
5 Functions 23 Categories 108 Subcategories 6 Informative References
Identify
Develop organizational understanding to

manage cybersecurity risk to systems, assets,
data, and capabilities.
32
Sample Identify Activities
Business Asset
Environment Management • Identify critical business processes
[ID.BE] [ID.AM] • Document Information flows
• Establish policies for cybersecurity that
includes roles and responsibilities
• Maintain hardware and software inventory
Risk • Identify contracts with external partners
Governance • Identify Risk Management processes
Assessment
[ID.GV]
[ID.RA]
Protect
Develop and implement the appropriate

safeguards to ensure delivery of services.
33
Sample Protect Activities
Information
Protection
Maintenance
Processes and • Manage access to assets and information
[PR.MA] Procedures • Conduct regular backups
Awareness [PR.IP]
and Training • Protect sensitive data
Identity [PR.AT] • Patch operating systems and applications
Management and Data • Create response and recovery plans
Access Control Security
[PR.IP]
• Protect your network
[PR.DS]
Protective • Train your employees
Technology
[PR.PT]
Detect
Develop and implement the appropriate activities

to identify the occurrence of a cybersecurity
event.
34
Sample Detect Activities
Anomalies
and Events
[DE.AE] • Install and update anti-virus and other
malware detection software
• Know what are expected data flows for your
business
• Maintain and monitor logs
Continuous
Monitoring
[DE.CM]
Respond

to take action regarding a detected cybersecurity
event.
35
Sample Respond Activities
Response
Planning
[RS.RP]
• Coordinate with internal and external
stakeholders
• Ensure response plans are tested
• Ensure response plans are updated
Communications
[RS.CO]
Recover

to maintain plans for resilience and to restore any
capabilities or services that were impaired due to

a cybersecurity event.
36
Sample Recover Activities
Recovery
Planning • Manage public relations and company
[RC.RP] reputation
• Communicate with internal and external
stakeholders
• Ensure recovery plans are updated
• Consider cyber insurance
Communications
[RC.CO]
Framework
Information

Protection
Processes and
Procedures
[PR.IP]
Maintenance Communications
Identity [PR.MA] [RS.CO]
Asset Management Anomalies Recovery
Management and Access and Events Planning
[ID.AM] Control [DE.AE] [RC.RP]
[PR.IP] Awareness Response
Governance
and Training Planning
[ID.GV] [PR.AT] [RS.RP]
Risk Protective Continuous
Assessment Technology Communications
Monitoring
[ID.RA] [PR.PT] [RC.CO]
[DE.CM]
Business
Environment Data Security
[ID.BE] [PR.DS]
37
Everyday Tips
• Be careful of email attachments, web links and voice calls from unknown numbers
• Do not click on a link or open an attachment that you were not expecting
• Use separate personal and business computers, mobile devices, and accounts
• Use multi-factor authentication where offered
• Do not download software from an unknown web page
• Never give out your username or password
• Consider using a password management application to store your passwords for you
More
NIST Interagency Report 7621, revision 1
Small Business Information Security:The Fundamentals, section 4
Resources
NIST Small Business Cybersecurity Corner
https://www.nist.gov/itl/smallbusinesscyber
CyberSecure My Business | National Cyber Security Alliance

https://staysafeonline.org/cybersecure-business/
NIST Interagency Report 7621, revision 1 | Small Business Information Security: The Fundamentals
https://doi.org/10.6028/NIST.IR.7621r1
38
Module 1: CyBOK – Cyber
Security Fundamentals
Cyber Security Definition
• Cyber security has become an encompassing term, as our working definition illustrates:
• Definition: Cyber security refers to the protection of information systems (hardware, software
and associated infrastructure), the data on them, and the services they provide, from unauthorized
access, harm or misuse. This includes harm caused intentionally by the operator of the system, or
accidentally, as a result of failing to follow security procedures
UK National Cyber Security Strategy
• A large contributor to the notion of cyber security is Information Security, widely regarded as
comprised of three main elements:
• Definition: Information security. Preservation of confidentiality, integrity and availability of
information. In addition, other properties, such as authenticity, accountability, non-repudiation,
and reliability can also be involved
ISO 27000 Definition

Figure 1.1: The 19 Knowledge Areas (KAs) in the CyBOK Scope
40
CyBOK Knowledge Areas
Human, Organizational, and Regulatory Aspects.
Risk Management & Governance

• Security management systems and organizational security controls, including standards, best
practices, and approaches to risk assessment and mitigation
Law & Regulation

• International and national statutory and regulatory requirements, compliance obligations, and
security ethics, including data protection and developing doctrines on cyber warfare
Human Factors
• Usable security, social & behavioral factors impacting security, security culture and awareness as
well as the impact of security controls on user behaviors
Privacy & Online Rights

• Techniques for protecting personal information, including communications, applications, and
inferences from databases and data processing. It also includes other systems supporting online
rights touching on censorship and circumvention, covertness, electronic elections, and privacy in
payment and identity systems

Attacks and Defenses.
Malware & Attack Technologies

• Technical details of exploits and distributed malicious systems, together with associated discovery
and analysis approaches
Adversarial Behaviors
• The motivations, behaviors, & methods used by attackers, including malware supply chains, attack
vectors, and money transfers
Security Operations & Incident Management

• The configuration, operation and maintenance of secure systems including the detection of and
response to security incidents and the collection and use of threat intelligence
Forensics
• The collection, analysis, & reporting of digital evidence in support of incidents or criminal events
41
Systems Security.
Cryptography
• Core primitives of cryptography as presently practiced & emerging algorithms, techniques for
analysis of these, and the protocols that use them
Operating Systems & Virtualization Security

• Operating systems protection mechanisms, implementing secure abstraction of hardware, and
sharing of resources, including isolation in multiuser systems, secure virtualization, and security in
database systems
Distributed Systems Security

• Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of
secure consensus, time, event systems, peer-to-peer systems, clouds, multitenant data centers, &
distributed ledgers
Authentication, Authorization, & Accountability

• All aspects of identity management and authentication technologies, and architectures and tools to
support authorization and accountability in both isolated and distributed systems
Software and Platform Security.

Software Security
• Known categories of programming errors resulting in security bugs, & techniques for avoiding these
errors—both through coding practice and improved language design—and tools, techniques, and
methods for detection of such errors in existing systems
Web & Mobile Security

• Issues related to web applications and services distributed across devices and frameworks, including
the diverse programming paradigms and protection models
Secure Software Lifecycle

• The application of security software engineering techniques in the whole systems development
lifecycle resulting in software that is secure by default
42
Infrastructure Security.
Network Security
• Security aspects of networking & telecommunication protocols, including the security of routing,
network security elements, and specific cryptographic protocols used for network security
Hardware Security
• Security in the design, implementation, & deployment of general-purpose and specialist hardware,
including trusted computing technologies and sources of randomness
Cyber-Physical Systems Security

• Security challenges in cyber-physical systems, such as the Internet of Things & industrial control
systems, attacker models, safe-secure designs, and security of large-scale infrastructures
Physical Layer & Telecommunications Security

• Security concerns and limitations of the physical layer including aspects of radio frequency encodings
and transmission techniques, unintended radiation, and interference
Deploying CyBOK Knowledge To Address Security Issues

Means and objectives of cyber security.
• Cyber security is often expressed in terms of instituting several controls affecting people, process,
and technology
• Some of these will focus on the prevention of bad outcomes, whereas others are better
approached through det
• Security requires an analysis of vulnerabilities within the system under consideration:
• A (hypothetical) system without vulnerabilities would be impervious to all threats; a highly
vulnerable system placed in totally benign circumstances (no threats) would have no security
incidents, either
43
Failures and Incidents.
• When adversaries achieve their goal (wholly or partially)—when attacks succeed—the collection of
security controls may be said to have failed
• A recurrent theme in security analysis is that it is not sufficient to dene good security controls solely
within a particular abstraction or frame of reference: it is necessary also to consider what may
happen if an adversary chooses to ignore that abstraction or frame
• Mathematical theories of refinement (and software development contracts) explore the relationship
of an ‘abstract’ expression of an algorithm and a more ‘concrete’ version which is implemented: but
security properties proven of the one may not be true of the other
• ‘Black-box testing’ relies on the same notion and, since it cannot possibly test every input, may
easily miss the combination of circumstances which — by accident or design — destroys the
security of the program
• These — and an endless array of other — security problems arise because it is necessary to think
(and design systems) using abstractions
Risks.
• There is no limit in principle to the amount of effort or money that might be expended on security
controls
• In order to balance these with the available resources and the harms and opportunities that might
arise from emerging threats to security, a common over-arching approach to security analysis is a
process of Risk Assessment — and selection of controls, a process of Risk Management

• Any process of risk management, a key calculation relates to expected impact, being calculated from
some estimate of likelihood of events that may lead to impact, and an estimate of the impact arising
from those events. The likelihood has two elements:
1. The presence of vulnerabilities (known or unknown—the latter not always being capable of being
mitigated)
2. The nature of the threat
44
Functions Within A Security Management System
• The functions within a security management system can be grouped into Physical, Personnel,
Information Systems and Incident Management and are a mixture of standard IT system management
functions and those that are specific to cyber security
• Physical security includes physical protection of the system, including access control, asset
management and the handling and protection of data storage media. These aspects are outside
the scope of the CyBOK
• Personnel security is concerned with a wide range of security usability and behavior shaping,
including education and training (see the Human Factors Knowledge Area
• Information system management includes access management (see the Authentication,
Authorization & Accountability (AAA) Knowledge Area and system logging
• Incident management functions are specific to cyber security and include security monitoring,
incident detection and response
Principles
Saltzer and Schroeder Principles. The eight principles they enumerate are as follows:
1. Economy of mechanism. The design of security controls should remain as simple as possible, to
ensure high assurance
2. Fail-safe defaults. Security controls need to dene and enable operations that can positively be

identified as being in accordance with a security policy and reject all others
3. Complete mediation. All operations on all objects in a system should be checked to ensure that they
are in accordance with the security policy
4. Open design. The security of the control must not rely on the secrecy of how it operates, but only on
well specified secrets or passwords
5. Separation of privilege. Security controls that rely on multiple subjects to authorize an operation,
provide higher assurance than those relying on a single subject
6. Least privilege. Subjects and the operations they perform in a system should be performed using
the fewest possible privileges
7. Least common mechanism. It is preferable to minimize sharing of resources and system mechanisms
between different parties
8. Psychological acceptability. The security control should be naturally usable so that users ‘routinely
and automatically’ apply the protection
45
NIST Principles.
• More contemporary principles in systems design are enumerated by NIST. They incorporate and
extend the principles from Saltzer and Schroeder
• They are categorized into three broad families relating to:
• ‘Security Architecture and Design’ (i.e., organization, structure and interfaces)
• ‘Security Capability and Intrinsic Behaviors' (i.e., what the protections are about)
• ‘Life Cycle Security’ (i.e., those related to process and management)
NIST also outlines three key security architecture strategies.

1. The Reference Monitor Concept is an abstract control that is sufficient to enforce the security
properties of a system
2. Defense in Depth describes a security architecture composed on multiple overlapping controls
3. Isolation is a strategy by which different components are physically or logically separated to
minimize interference or information leakage
Latent Design Conditions.

• In the context of cyber security, latent design conditions arise from past decisions about a system
(or systems)
• They often remain hidden (or unconsidered) and only come to the fore when certain events or
settings align
• In the case of cyber-physical systems security vulnerabilities being exposed as they become
connected to other systems or the internet
• The key point to note is that we can no longer just consider information loss as a potential
consequence of cyber security breaches — but must also consider safety implications
The Precautionary Principle

• Precautionary Principle — reflecting on the potential harmful effect of design choices before
technological innovations are put into large-scale deployment — also becomes relevant
• Function creep: as the system evolves over its lifetime and its impact on the society-at-large
must also be considered
46
Crosscutting Themes
Security Economics.
• Economics of information security is a synthesis between computer and social science

• It combines microeconomic theory, and to a lesser extent game theory, with information security
to gain an in-depth understanding of the trade-offs and misaligned incentives in the design and
deployment of technical computer security policies and mechanisms
• Security economics is, therefore, of high relevance across the various attacks and countermeasures
discussed within the different KAs within CyBOK
• It also plays a key role in understanding the cost of security to legitimate users of the system and
to the cybercriminals
• The strength of such a socio-technical approach is its acknowledgement that security is very
much a human problem, and the cost versus benefits trade-offs are key to increasing our
understanding of the decisions of defenders and attackers to respectively secure their systems
or optimize attacks
Verification and Formal Methods
• Verification and validation of software systems entails testing — for consistency, uniform/predicted
behavior, and conformance to specifications

• Formal methods are approaches to modelling and verification based on:
• The use of formal languages
• Logic and mathematics to express system and software specifications
• To model designs of protocols and systems
Formal Modeling (Examples)
• The Bell-LaPadula model provides an abstract model of the rules determining whether a subject
with a certain security clearance should have a particular kind of access to an object with a given
security classification
• The aim of this model is to prevent data declassification; later work generalized this to methods
for preventing certain information flows
• Other access control models have been proposed to achieve other properties, such as integrity (e.g.,
the Biba model, or the Clark-Wilson model)
• Formal methods enable key security properties to be expressed and proven in the formal model
47
Approaches to Formal Modeling. There are two principal approaches to formal modelling:
Computational Modelling:
• This approach is close to the real system:
• It is a formal methodology at a more fundamental mathematical level, where messages are
bitstrings, cryptographic functions are defined as functions on bitstrings, system participants are
generally interactive Turing machines, and security parameters give asymptotic metrics to this
methodology:
• The length of keys, complexity of algorithms or measure of probabilities
• Vary with the security parameter
Symbolic Modelling:
• This approach is more abstract than the computational approach, and has been applied in a variety
of flavors to the modelling and analysis of security protocols
• Sequences of interactions between agents to achieve a security goal such as authentication or
key-exchange
• Logic-based approaches such as the BAN logic
• Language-based approaches such as Applied Pi
Does the combination of symbolic and computational approaches work?
• Verification using the computational modelling approaches have been more mathematical in
nature, though tools such as CryptoVerif and EasyCrypt have now been developed to support
computational proofs
• The symbolic and computational approaches may be used together:
• An attack in a symbolic model will typically give rise to an attack in the computational model, so
it is valuable to carry out a symbolic analysis of a system first in order to check for and design out
any identified attacks
• Once a symbolic model is verified, then some additional is needed to establish security in the
computational model
• This can either be carried out directly, or through the application of general techniques such as
computational soundness which give conditions for symbolic results to apply to the computational
model
48
Security Architecture and Lifecycle
• The word ‘architecture’ is used at all levels of detail within a system;

• High-level design of a system from a security perspective
• The primary security controls are motivated and positioned within the system
• This, in turn, is bound up with an understanding of the systems lifecycle, from conception to
decommissioning. Within this, the secure software lifecycle is crucial
The fundamental design decision is :

• How A system is compartmentalized?
• How users, data, and services are organized to ensure that the highest risk potential interactions
are protected by the simplest and most self-contained security mechanisms?
• These broad consideration of architecture and lifecycle have been captured within the notions of
‘security by design’, and ‘secure by default’
• More generally, consideration of security throughout the lifecycle, including in the default
configuration ‘out of the box’ (although not much software is delivered in boxes these days),
demonstrably leads to less insecurity in deployed systems
49
Cyberspace
Cyberspace is best understood as a ‘place’ in which business is conducted, human communications take
place, art is made and enjoyed, relationships are formed and developed, and so on.
50
Module 2: Risk Management
& Governance
Topics Covered in this Lesson
• What is risk?
• Why is risk assessment and management important?
• What is cyber risk assessment and management?
• Risk governance
• What is risk governance and why is it essential?
• The human factor and risk communication
• Security culture and awareness
• Enacting Security Policy
• Risk assessment and management principles

• Component vs. Systems Perspectives
• Elements of Risk
• Risk assessment and management methods
• Risk assessment and management in cyber-physical systems and
• operational technology
• Security Metrics
• Business continuity: incident response and recovery planning
What is Risk?
• Renn’s working definition of risk is the possibility the human actions or events lead to consequences
that have an impact on what hs value.
• uman
• Grounded in human value, which applies to many different scenarios
• How to define value and capture indicators to measure and manage risk?
1. Outcomes that have impact on what humans value

2. Possibility of occurrence (uncertainty)
3. Formula to combine both elements
• These elements are at the core of most risk assessment methods
52
A key challenge with risk assessment and management is making assumptions explicit and finding the
balance between subjective risk perceptions and objective evidence
• Risk assessment is, therefore, a process of collating observations and perceptions of the world that
can be justified by logical reasoning or comparisons with actual outcomes
• Risk management, on the other hand, is the process of developing and evaluating options to address
the risks in a manner that is agreeable to people whose values may be impacted, bearing in mind
agreement on how to address risk may involve a spectrum of (in)tolerance – from acceptance to
rejection
• Risk Governance is an overarching set of ongoing processes and principles that aims to ensure
an awareness and education of the risks faced when certain actions occur, and to instill a sense of
responsibility and accountability to all involved in managing it
Why is risk assessment and management important?

• Risk assessment involves (3) three core components:
– Identification and, if possible, estimation of hazard (events and strength of outcome)

– Assessment of exposure (aspects open to threat e.g. people, devices, databases) and/or vulnerability
(attributes of aspects that could be targeted e.g. susceptibility to deception, hardware flaws,
software exploits)
– Estimation of risk, combining likelihood and severity (impact of outcomes e.g. quantitative or
qualitative)

• Risk assessment
• Is to use analytic and structured processes to capture information, perceptions and evidence
relating what is at stake, the potential for desirable and undesirable events, and a measure of the
likely outcomes and impact
The risk management process involves reviewing the information collected as part of the risk
assessment, and leads to one of (3) three possible decisions:
1. Intolerable: The aspect of the system at risk needs to be abandoned or replaced, or if not possible,
vulnerabilities need to be reduced and exposure limited.
2. Tolerable: Risks have been reduced with reasonable and appropriate methods to a level as low as
reasonably possible (ALARP) or as low as reasonably allowable (ALARA).
A range of choices may include mitigating, sharing, or transferring risk, selection of which will depend
on the risk managers’ (and more general company) appetite for taking risks.
3. Acceptable: Risk reduction is not necessary and can proceed without intervention. Furthermore,
risk can also be used to pursue opportunities (also known as ‘upside risk’), thus the outcome may be
to accept and embrace the risk rather than reduce it
53
Beyond this decision framework, Renn defines four types of risk that require different risk management
plans. These include:
1. Routine risks: These follow a normal decision-making process for management. Statistics and
relevant data are provided, desirable outcomes and limits of acceptability are defined, and risk
reduction measures are implemented and enforced
2. Complex risks: Where risks are less clear cut, there may be a need to include a broader of evidence
and consider a comparative approach such as cost-benefit analysis or cost-effectiveness. Scientific
dissent such as drug treatment effects or climate change are examples of this
3. Uncertain risks: A precautionary approach should be taken with a continual and managed approach
to system development whereby negative side effects can be contained and rolled-back. Resilience
to uncertain outcomes is key here
4. Ambiguous risks: Where broader stakeholders, such as operational staff or civil society, interpret
risk differently (e.g., different viewpoints exist or lack of agreement on management controls), risk
management needs to address the causes for the differing views
• Management options, therefore, include:
– A risk-based management approach (risk-benefit analysis or comparative options)

– A resilience-based approach (where it is accepted that risk will likely remain but needs to be
contained, e.g. using ALARA/ALARP principles)
– A discourse-based approach (including risk communication and conflict resolution to deal with
ambiguities).
• Without effective consideration of the acceptability of risk and an appropriate risk reduction plan,
it is likely that the response to adverse outcomes will be disorganized, ineffective, and likely lead to
further spreading of undesirable outcomes
• The purpose of risk assessment and management is to communicate these values and ensure
decisions are taken to minimize the risks to an agreed set of values by managing them appropriately
while maximizing ‘buy in’ to the risk management process
• Risk assessment and management is also about presenting information in a transparent,
understandable, and easily interpreted way to different audiences, so that accountable stakeholders
are aware of the risks, how they are being managed, who is responsible for managing them, and are
in agreement on what is the acceptable limit of risk exposure
54
One of the major drivers for risk assessment and management is to demonstrate compliance.
This can be a result of the need:
• To have audited compliance approval from international standards bodies in order to gain commercial
contracts;
• To comply with legal or regulatory demands
• To improve the marketability of a company through perceived improvements in public trust if
certification is obtained
This can sometimes lead to ‘tick-box’ risk assessment

whereby the outcome is less focused on managing
the risk, and more about achieving compliance.
What is cyber risk assessment and management?

Cyber security risk assessment and management is, therefore, a fundamental special case that everyone
living and working within the digital domain should understand and be a participant in it.
Risk Governance
Risk assessment and developing mitigation principles to manage risk are only likely to be

effective where a coordinated and well-communicated governance policy is put in place within
the system being managed.
None are correct or incorrect.

Millstone proposed (3) three governance models:
1. Technocratic: Where policy is directly informed by science and evidence from domain
expertise
2. Decisionistic: Where risk evaluation and policy are developed using inputs beyond science
alone. For instance, incorporating social and economic drivers
3. Transparent (inclusive): Where the context for risk assessment is considered from the outset
with input from science, politics, economics, and civil society. This develops a model of ‘pre-
assessment’ – that includes the views of wider stakeholders – that shapes risk assessment
and subsequent management policy
55
Four (4) elements influence the perception of risk:
1. Intuitive judgment associated with probabilities and damages

2. Contextual factors surrounding the perceived characteristics of the risk (e.g., Familiarity) and the risk
situation (e.g., Personal control)
3. Semantic associations linked to the risk source, people associated with the risk, and circumstances of
the risk-taking situation
4. Trust and credibility of the actors involved in the risk debate
The cyber risk governance approach is key to this cultural adoption
The Human Factor and Risk Communication

• Sasse and Flechais identified human factors that can impact security governance, including people:
1. Having problems using security tools correctly

2. Not understanding the importance of data, software, and systems for their organization
3. Not believing that the assets are at risk (i.e., that they would be attacked)
4. Or not understanding that their behavior puts the system at risk be attacked)
This highlights that risk cannot be mitigated with technology alone, and that concern assessment is
•
important
• Educating people within an organization is vital to ensuring cultural adoption of the principles
defined in the risk management plan and associated security governance policy.
• People fail to follow the required security behavior for one of two reasons (Sasse and Flechais):
1. They are unable to behave as required

2. They do not want to behave in the way
Weirich and Sasse studied compliance with password rules as an example of compliance with security policy and found
that a lack of compliance was associated with people not believing that they were personally at risk and or that they
would be held accountable for failure to follow security rules.
56
Risk communication, therefore, plays an important role in governance including aspects, such as:
• Education: Particularly around risk awareness

• Training and inducement of behavior change: Taking the awareness provided by education and
changing internal practices and processes
• Creation of confidence: Both around organizational risk management and key individuals
• Involvement: Particularly in the risk decision-making process
Security Culture and Awareness

• It is important that people feel able to report issues and concerns, particularly if they think they may be
at fault. Accountability needs to be intrinsically linked to helping the organization, without concern
of being stigmatized and penalized
• If people are aware of the pathways and outcomes following security breaches it will reduce anxiety
about what will happen and, therefore, lead to more open security culture
Some questions that may be considered useful pointers for improving security culture:
Are employees Do security staff

Are employees receiving
acknowledging their members possess
training at intervals
security responsibilities sufficient skills and
consistent with company

as users of information professional
policies?
systems? certifications?
Are security staff

Are security awareness
members acquiring new
and training efforts
skills at rates consistent
leading to measurable
with management
results?
objectives?
Enacting Security Policy

• Presentation of risk assessment information in this context is important. Often heat maps and risk
matrices are used to visualize the risks
• However, research has identified limitations in the concept of combining multiple risk measurements
(such as likelihood and impact) into a single matrix and heat map
• Attention should, therefore, be paid to the purpose of the visualization and the accuracy of the
evidence it represents for the goal of developing security policy decisions
57
Part of the final risk assessment and management outcomes should be a list of accepted risks with
associated owners who have oversight for the organizational goals and assets underpinning the
processes at risk.
Figure 2.1: Risk Governance Framework from IRGC - taken from [66]
Human factors and security culture are fundamental to the enactment of the security policy.
People must be enabled to operate in a secure way and not be the subject of a blame culture when things
fail. It is highly likely that there will be security breaches, but the majority of these will not be intentional.
Therefore, the security policy must be reflective and reactive to issues, responding to the Just Culture
agenda and creating a policy of accountability for learning, and using mistakes to refine the security
policy and underpinning processes – not blame and penalize people.
Security education should be a formal part of all employees’ continual professional development.
Principles of risk communication are an important aspect of the human factor in security education.
Frequent communication, tailoring the message to the audience, pretesting the message, and considering
existing risk perceptions that should be part of the planning around security education.
58
Risk Assessment and Management Principles
• The UK NCSC guidance breaks down risk management into:
1. Component-driven risk management, which focuses on technical components, and the threats and
vulnerabilities they face
2. System-driven risk management, which analyses systems as a whole
Figure 2.2: Jens Rasmussen’s Hierarchy.

Element of Risk
There are four concepts that are core to a risk assessment in most models.
1. Vulnerability: A Vulnerability is something open to attack or misuse that could lead to an undesirable
outcome
2. Threat: A Threat is an individual, event, or action that has the capability to exploit a vulnerability.
Threats are also socio-technical and could include hackers, disgruntled or poorly trained employees,
poorly designed software, a poorly articulated or understood operational process etc
3. Likelihood: Likelihood represents a measure capturing the degree of possibility that a threat will
exploit a vulnerability, and therefore produce an undesirable outcome affecting the values at the
core of the system
4. Impact: Impact is the result of a threat exploiting a vulnerability, which has a negative effect on the
success of the objectives for which we are assessing the risk
59
Risk Assessment and Management Methods
The US Government NIST guidelines capture the vulnerability, threats, likelihood, and impact elements
inside the prepare (pre-assessment), conduct (appraisal and characterize), communicate (cross-
cutting), and maintain (management) cycle.
Prepare involves identifying the purpose (e.g., establishing a baseline of risk or identifying vulnerabilities,
threats, likelihood and impact) and scope (e.g., what parts of a system/organization are to be included in
the risk assessment?; what decisions are the results informing?).
Conduct is the phase where threats, vulnerabilities, likelihood, and impact are identified. There is a
range of ways that this can be conducted, and this will vary depending on the nature of the system
being risk assessed and the results of the prepare stage.
Communicate is one of the most important phases, and one often overlooked. Conducting the risk
assessment gives one the data to be able to inform actions that will improve the security of the system.
Maintain is an ongoing phase that is essential to continually update the risk assessment in the light of
changes to the system environment and configuration.
60
Component-driven Cyber Risk Management Frameworks
• ISO/IEC 27005:2018
• NIST SP800-30/39
• The Information Security Forum (ISF)
• FAIR
• Octave Allegro
• STRIDE
• Attack trees
System-driven Cyber Risk Management Methods

The main objective of these methods is to capture interactions and interdependent aspects of the

•
system and thus requires extensive engagement with process owners and seeking the ‘right’ people
with knowledge of sub-systems
• Systems-Theoretic Accident Model and Process (STAMP) is an ensemble of methods used for
modelling causation of accidents and hazards, developed at MIT
• The Open Group Architectural Framework (TOGAF) is an enterprise architecture standard that
supports component-driven and system-driven approaches to manage risk
• Dependency Modelling. The Open Group also developed the Open Dependency Modelling (O-
DM) Framework for Goal-oriented risk modelling in a top-down method
• SABSA is another architecture-based approach. It includes four phases
61
Risk Assessment and Management In Cyber-physical Systems and Operational
Technology
• While traditional IT security (e.g., computers, devices, and servers) may generally take a risk
assessment perspective focused on minimizing access (confidentiality), modification (integrity), and
downtime (availability) within components and systems, the world of cyber-physical systems and
Operational Technology (OT) typically has a greater focus on safety.
• Technology such as Supervisory Control and Data Acquisition (SCADA) provides capability to
continually monitor and control OT but must be suitably designed to prevent risks from IT impacting
OT
Security Metrics
• It is often difficult to quantify – with confidence – how secure an organization is or could be
• Qualitative representations such as low, medium, high or red, amber, green are typically used in
the absence of trusted quantitative data, but there is often a concern that such values are subjective
and mean different things to different stakeholders
What constitutes Good and Bad metrics?

Good metrics should be:
• Consistently measured, without subjective criteria
• Cheap to gather, preferably in an automated way

• Expressed as a cardinal number or percentage, not with qualitative labels like "high“ "medium", and
"low"
• Expressed using at least one unit of measure, such as "defects", "hours", or "dollars"
• Contextually specific and relevant enough to decision-makers that they can act. If the response to a
metric is a shrug of the shoulders and "so what?", it is not worth gathering
Bad metrics:
• Are inconsistently measured, usually because they rely on subjective judgments that vary from
person to person
• Cannot be gathered cheaply, as is typical of labor-intensive surveys and one-off spreadsheets
• Do not express results with cardinal numbers and units of measure. Instead, they rely on qualitative
high/medium/low ratings, traffic lights, and letter grades
62
Business Continuity
• Incident Response and Recovery Planning
• An essential part of the risk assessment, management and governance process includes
consideration and planning of the process of managing incidents and rapidly responding to cyber
attacks
• The aim is to understand the impact on the system and minimize it, develop and implement a
remediation plan, and use this understanding to improve defenses to better protect against
successful exploitation of vulnerabilities in future (feedback loop)
• Organizations typically prefer to keep information about cyber security breaches anonymous to
prevent reputational damage and cover up lapses in security
• However, it is likely that other organizations, could benefit from prior knowledge of the incident
that occurred
• Certain industries such as the financial and pharmaceutical sectors have arrangements for sharing
such intelligence
ISO/IEC 27035-1:2016
ISO/IEC 27035-1:2016 is an international standard defining principles for incident management. It

expands on the ISO/IEC 27005 model and includes steps for incident response, including:
• Plan and Prepare

• Detection and Reporting
• Assessment and Decision
• Response
• Learning
63
NCSC- ISO/IEC 27035
The NCSC also provides ten (10)steps to help guide the incident management process which, broadly
speaking, relate to the Plan, Detect, Assess, Respond and Learn phases of ISO/IEC 27035. In summary,
the steps include:
1. Establish incident response capability

2. Training
3. Roles
4. Recovery
5. Test
6. Report
7. Gather evidence
8. Develop
9. Awareness
10. Report
Conclusion
• Working definition of the possibility that human actions or events may lead to consequences that have
an impact on what humans' value and placed this in the context of cyber risk management and
governance
• Risk governance is the overarching set of ongoing processes and principles that underpin collective
decision-making and encompasses both risk assessment and management, including consideration
of the legal, social, organizational, and economic contexts in which risk is evaluated
• A major aspect of risk is human perception and tolerance of risk and we have framed these in the extant
literature to argue their significance in risk governance aligned with varying types of risk – routine,
complex, uncertain, and ambiguous
• Risk governance is a cyclical and iterative process, and not something that can be performed once
• The crosscutting aspects of communication, stakeholder engagement and context bind the risk
assessment and management processes and are core to the continual reflection and review of risk
governance practices
• Incidents, when they occur, must inform risk management policy to improve cyber security in the future
– and we must accept that we will likely never be completely secure
• Instilling continual professional development through education and Just Culture where lessons can
be learned, and governance methods improved
64
Regulation
Module 3: Law and
65
Introduction
• Introductory principles of law and legal research

• Jurisdiction
• Privacy laws in general and electronic interception
• Data protection
• Computer crime
• Contract
• Intellectual property
• Internet intermediaries
• Dematerialisation of documents and electronic trust services
• Public international law
• Ethics
Challenges
66
Response
Out of Scope

Subjects that are difficult to generalize globally.
Examples:
• Rules of evidence
• Rules of civil procedure
• Rules of criminal procedure
• Criminal content laws
67
Introductory Principles of Law and Legal Research
Basic Principles
“To Prove” Something

Mathematics Law
• Establish, as a logical necessity, undeniability • Using permissible evidence, persuade a
• Establish a truth beyond dispute tribunal of the correctness of a disputed issue
• Some uncertainty is inevitable
“[Col Jessup ordered the ‘Code Red’?] That's

great! … And of course you have proof of that? …
It doesn't matter what I believe! It only matters
what I can prove [to a jury]!”– LTJG Kaffee, A Few
Good Men (1992).
68
“Standards” of Proofs
Applying Law to Cyberspace and Information Technologies

The birth of cyberspace caused a great deal of anxiety with regard to the application of laws and
regulations to this new domain.
Two prevailing schools of thought emerged.
• The first school posited that cyberspace is so radically different from anything in human experience,
that old laws were unsuitable and should be widely inapplicable to actions taken using this new
domain
• The second school held instead that the Internet is, like so many tools developed in human history,
merely an instrument of human action. As such, laws could–and perhaps should–continue to be
applied to persons who use cyberspace in most respects just as they applied before it existed
69
Distinguishing Criminal and Civil Law
• Criminal law
Criminal law is the body of law that prohibits behavior generally abhorred by society.
Terms such as ’guilty’ and ’innocent’ are normally reserved as descriptions of verdicts (outcomes) in a
criminal case.
• Civil (non-criminal) law
Civil law is the area of law that regulates private relationships among and between persons. Examples
include the laws of contract and negligence.
• One Act: Two types of liability & two courts
A single act or series of connected acts can create liability simultaneously under both criminal and civil
law.
Jurisdiction
Multinational Environment
70
A Taxonomy of Jurisdiction
Prescriptive Jurisdiction
• Extraterritorial
• Lawmakers routinely adopt laws that apply to people and activities outside the territory of their
state

• Various theories adopted by courts to endorse this practice (e.g., effects doctrine)
• Examples include laws that apply to:

• Offshore content visible in-territory
• Offshore hackers who attack in-territory systems
• Offshore data controllers who process personal data related to in-territory data subjects
Enforcement Jurisdiction
• Domestic asset seizure and forfeiture

• Domestic seizure and forfeiture of servers and domain names
• “Location” of a bank account
• Foreign enforcement of domestic civil judgments
• Arrest while present in state
• Extradite from foreign state
• Technological means to filter content geographically
• Orders addressed to domestic persons to produce data (wherever located) under their control
• International legal assistance
71
The Data Sovereignty Problem
Privacy Laws in General and Electronic Interception

Privacy Basics
72
State Interception (Lawful Access)

Non-state Interception
• Legal systems heterogenous
• Restrictions sometimes vary with relationship with target
• Most people usually prohibited from intercepting messages in a public telecommunications service
(see also anti-computer intrusion laws)
• People who operate a private system (employers, etc) are usually given some flexibility to intercept
traffic, subject to a variety of legal rules
73
74
The “Players”
Data Protection
Data protection generally

What is regulated?
“Personal Data” vs “PII”
75
Data Protection Highlights
Computer Crime
Taxonomy of computer crime

76
Crimes Against Information Systems
Recurring Challenges
The enforcement of and penalties for crimes against information systems
• Lack of universality
• Extradition
• De minimis exceptions and measuring harm
• Warranted state interception
• Research and development by non-state persons
• Uninvited remote technical analysis
• Covert threat analysis
Self-help

•
• Software locks
• Hack-back
Contract
77
Contract as Means to Encourage Security Behaviours
Limits of Influence
78
Relative Influence of Contract Over Security Behaviours

Breach of Contract & Remedies
It is also important to consider the legal consequences of breaching a contract.
In the event of a breach of contract, various remedies provided by courts to non-breaching parties
typically fall into the following categories:
• Damages
• Recision
• Declare that the contract is at an end and excuse the non-breaching party from further
performance
• Specific performance
• Contractually mandated remedies
79
Tort
80
Tort Examples
Negligence (Fault Based Liability)

Product Liability (Strict Liability)
81
Quantum of Loss (QQ)
Attributing and Apportioning Liability

82
Intellectual Property
The complexity of intellectual property law prompted a nineteenth-century US jurist to comment that
this subject is closest to ’the metaphysics of law’.
• Negative rights
• Each IP right is a type of “red card” that says stop doing a defined action.
• Owning IP does not guarantee freedom to act
• Short catalogue
• Copyright
• Patents
• Trademarks
• Trade secrets
Reverse Engineering
83
Internet Intermediaries Shields from Liability and Take-down Procedures
Intermediary liability shields.
• Basics
• Shields a qualifying person who would otherwise be liable for offending message content
• Originally designed to shield ISPs and telcos
• Increasingly contentious (e.g., US FOSTA-SESTA)
• Ongoing debate re social media and search platforms
• Take-down / blocking
• As a condition of shield protection, some qualifying persons are required to take down offending
content “expeditiously” after notice from complaining person
• Others not subject to take-down notice may be ordered by state (judiciary or executive) to block
or filter traffic
Dematerialization of Documents and Electronic Trust Services

Background: assuring authenticity and integrity.
84
Legal Challenges Emerge
Other Regulatory Matters
Subject matter regulation.
85
Public International Law
Principles of international law.
State Attribution
• Legal standard (substance)
• Act by a state agent
• State encourages or directs act by a non-agent
• Failure to exercise “due diligence”
• Forensic process (process)

• Gathering and presenting evidence for use when making a legal attribution analysis
Limiting Operations
• Prohibitions
• Violation of sovereignty
• Use of force
• Armed attack
• Counter-measures
• Must be proportional
• Cyber or non-cyber
• Law of armed conflict
• Military necessity
• Humanity
• Distinction
• Proportionality
86
Ethics
The case for codes of conduct
Codes of Conduct

Codes of conduct
87
Vulnerability Testing and Disclosure
Vulnerability testing and

disclosure
Legal Risk Management

When thinking about future operations, consider:
• Identify subject matter areas of greatest risk

• Consider the impact on human life
• Conduct due diligence that is aligned with identified risks
• Consider the practical limits of territorial enforcement jurisdiction
• Consider the relative cost of breaching a (non-criminal) legal obligation.
• Consider the risks to one’s own personal reputation, safety and liberty
• Consider the challenges of collecting, preserving, and presenting evidence
• Consider vicarious liability
• Consider localizing risky activities in separate limited liability legal persons
• Consider changes to the law or enforcement policy that are likely to arise
88
Module 4: Human Factors
89
Introduction
• Usable security
• Fitting the task to the human
• Human error
• Cyber security awareness and education
• Positive Security
• Stakeholder engagement
Human Factors
• Less that 0.1 °/o of email is end-to-end encrypted!
• Users are not the Enemy!
Fit the human to the task

Fit the task to the human
• A. Whitten and J. D. Tygar, "Why johnny can't encrypt: A usability evaluation of pgp 5.0." in USENIX
Security Symposium, vol. 348, 1999.
• A. Adams and M. A. Sasse, "Users are not the enemy," Communications of the ACM, vol. 42, no. 12,
pp. 40-46, 1999.
Security Has to be Usable
• Effectiveness: Can users achieve their goals?

• Efficiency: What resources are expended to do
so?
• Satisfaction: What is the level of comfort and
acceptability far users?
90
Fitting the Task to the Human
Key elements :
1. The capabilities and limitations of the target users

2. The goals those users have, and the tasks they carry out to achieve them
3. The physical and social context of use
4. The capabilities and limitations of the device on which the security mechanism is used
Human Capabilities and Limitations
There are general capabilities and limitations– physical and mental– that apply to most humans.
Alarm Fatigue Short Term Strength Meters CAPTCHA

Memory(STM)

and Long Term
Memory (LTM)
• With general computing devices today, the physical capability that can be exceeded by security
tasks is most likely the ability to detect signals: many security systems provide status messages,
reminders, or warnings
• Humans can only focus their attention primarily on one task at any one time
VS.
Compliance Fatigue
91
STM and One-time password (OTPs)
STM and One-time password (OTPs)
The use of one-time PINs or passwords (OTPs) in security has increased as Two Factor Authentication
(2FA) has become more common.
We focus our attention on the number displayed and repeat it to ourselves (mentally or aloud).
General Human Capabilities and Limitations
One important security criterion for knowledge-based authentication is that a credential should be
difficult to guess. Due to human physical and mental characteristics, the selection of credentials is,
however, often biased towards the familiar, or those that can be more easily distinguished from others.
1. With passwords, people try to pick ones that are easier to recall, e.g., those that have meaning for
them such as memorable names or dates.
2. When users have to choose images as credentials, they prefer strong colors and shapes over more
diffuse ones.
3. When these are pictures of humans, they will pick pictures of 'more attractive' people and those
from their own ethnic backgrounds.
4. When the credential is a particular location within a picture, people prefer features that stand out.
5. With location-based systems, people pick memorable locations, for example, when choosing
locations for a 4-digit PIN on a 5 x 5 number grid, they go for connected locations, anchored on an
edge or corner of the grid
6. The order of the elements of a credential is predictable because there is a strong cultural preference,
e.g., people who speak languages that read left-to-right will choose that order.
7. With finger swipe passwords on Android phones, people pick from a very limited number of shapes
CAPTCHA
Some work on Completely Automated Public Turing test to tell Computers and Humans Aparts (CAPTCHAs)
has investigated supporting users with sensory impairments, e.g.
However, one needs to bear in mind that CAPTCHAs add more effort for the legitimate user, impeding
the achievement Of the intended goal, i.e., access. The usability limitations of these mechanisms that
aim to 'verify' legitimate human users — and their contribution to security fatigue — must be considered.
92
Goals and Tasks
The usability of security mechanisms can be affected by the following physical characteristics:
1. Light: In bright light, displays can be hard to see, which can affect graphical authentication in
particular. Biometric systems such as iris and face recognition rely on input from cameras. Bright
light can lead to glare, which means the images captured are not good enough to process.
2. Noise: Will most obviously interfere with the performance of voice recognition systems. But high
levels of noise also impact human performance in general due to increased stress and, in turn,
increased likelihood of error. Unexpected loud noises trigger a human startle response, which
diverts attention away from the task.
3. Ambient: Temperature can affect the performance of both technology and humans. Fingerprint
sensors can stop working when it is cold, and humans are slower at pointing and selecting. They may
also need to wear protective clothing such as gloves that make physical operations of touchscreens
impossible or difficult. Similarly, too hot an environment can lead to discomfort and sweat can
interfere with sensors.
4. Pollution: Can impact equipment operated outdoors. This is a particularly concern for fingerprint
sensors and touchscreens. The lipids left behind combine with the particles and the resulting dark
grease can clog sensors or leave a clearly visible pattern on the touchscreen.
Capabilities and Limitations of the Device

Some characteristics of the device can result in security mechanisms becoming difficult to use in any
circumstance.
Entering long and complex passwords on soft keyboards on a mobile phone takes far longer and is more
error-prone than on a regular keyboard. And while with frequent use of a keyboard, most people can
become quite proficient at entering a complex password, performance does not improve when humans
hit a basic limitation.
What is particularly worrying from a security point of view is that (without colluding) a user population
starts to converge on a small number of passwords that are easiest to enter with the minimum amount
of toggles, which makes guessing a valid password easier for attackers.
93
Human Error
Four types of latent failures that are more likely to cause people to make errors.
1. Individual factors include fatigue, but also inexperience, and a risk-taking attitude.
2. Human Factors include the limitations of memory but also common habits and widely shared
assumptions.
3. Task factors include time pressure, high workload, and multiple tasks, but monotony and boredom
are equally error-inducing because people shift their attention to diversions. Uncertainty about
roles, responsibilities, and rules also leads to incorrect choices.
4. Work environment factors include interruptions to tasks and poor equipment and information.
People are also particularly prone to error when rules and procedures change.
Latent Design Conditions

"Never give an order that can't be obeyed" - General
MacArthur.
THREAT Never issue a security policy that cannot be

followed.
Security Version of Reason's 'Swiss Cheese' model.

Holes are latent & active failures. When a threat finds

one in successive layers then the threat succeeds.
'Cheese slices' are defenses provided by security
policies & mechanisms.
Awareness and Education

In practice, the three terms: awareness, education, and training, are often used interchangeably but are
different elements that build on each other:
Security Awareness. The purpose of security awareness is to catch people's attention and convince them
security is worth the engagement.
Security education.
Security Training. Training helps people to acquire skills, e.g., how to use a particular security mechanism
correctly, and how to recognize and respond to a social engineering attack.
94
Simulations and games are increasingly being used, both to make security awareness more attractive, and to
help with more complex educational measures and behavioral change.
Anti-phishing simulations designed to teach employees not to click on suspicious links are probably the most
widely used in organizations today.
New approaches to support security awareness and behavior change
Fogg Behaviour Model has three factors: motivation,

ability, and triggers
https:// behaviormodel.org
Behavior change model from RISCS White Paper
95
What usability issues do developers face?
N. Patnaik, J. Hallet and A. Rashid, “Usability smell: an analysis of developers’ struggle with crypto libraries”, in
Fifteenth Symposium on Usable Privacy and Security (SOUPS), Santa Clara, USA, USENIX Association, 2019.
Developers are not the Enemy! The Need for Usable Security APIs
Principies for Usability of Crypto APls
• Abstract: lntegrate cryptographic functionality into standard APls so regular developers do not
have to interact with cryptographic APls in the first place
• Powerful: Sufficiently powerful to satisfy both security and non-security requirements
• Comprehensible: Easy to learn, even without cryptographic expertise
• Ergonomic: Don't break the developer's paradigm. lntuitive: Easy to use, even without documentation
• Failing: Hard to misuse. Incorrect use should lead to visible errors
• Safe: Defaults should be safe and never ambiguous
• Testable: Testing mode. lf developers need to run tests they can reduce the security for convenience
• Readable: Easy to read and maintain code that uses it/Updatability
• Explained: Assist with/handle end-user interaction, and provide error messages where possible
Matthew Green and Matthew Smith IEEE Security & Privacy 14(5), Sept.-Oct. 2016.
96
Usability Smells: An Analysis of Developers’ Struggle With Crypto Libraries
Fowler's Shotgun Surgery
"You whiff this when every time you make a kind

of change, you have to make a lot of little changes
to a lot of different classes. When the changes are
all over the place, they are hard to find, and it's
easy to miss an important change"
- Definition of Shotgun Surgery.
Nikhil Patnaik, Joseph Hallett and Awais Rashid

Proceedings of 15th lnternational Symposium on
Usable Privacy and Security (SOUPS) 2019.
97
98
Rights
Module 5: Privacy & Online
Introduction
• The goal of this knowledge area is to introduce system designers to the concepts and technologies
that are used to engineer systems that inherently protect users’ privacy
• Privacy is recognized as a fundamental human right
• “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence,
nor to attacks upon his honor and reputation”
Overview
• Privacy as Confidentiality
• Data Confidentiality
• Metadata Confidentiality
• Privacy as Control
• Support for privacy settings configuration
• Support for privacy policy negotiation
• Support for privacy policy interpretability
• Privacy as Transparency
• Feedback-based transparency
• Audit-based transparency
• Privacy Technologies and Democratic Values
• Privacy technologies as support for democratic political systems

• Censorship resistance and freedom of speech
• Privacy Engineering
Privacy as Confidentiality
In a technical re-interpretation of the ‘right to be let alone’ privacy definition, a common conceptualization
of privacy is to avoid making personal information accessible to any entity, in particular to a wider public.
Under this definition, the objective of privacy technologies is to enable the use of services while
minimizing the amount of exposed information. Here, information refers to both data exchanged
explicitly with the service, as well as information made implicitly available in the Metadata associated
with these exchanges (e.g., the identity of the users or frequency of usage).
99
What is the problem?
• Data Sharing
• Filling out a Health questionnaire at the doctor’s office
• Revealing the location and time of your awesome house party to your close friends
• Contextual: the same information in another setting may be privacy leak
• Likely aware of the extent and parties involved
• Data Collection
• As a consequence of activity or interaction
• Browsing at a coffee shop
• MAC address recorded for profile
building on store visits
• DNS information about website visits
• Paid for coffee or snacks (name and
financial information)
• Likely unaware or uninformed about extent or
parties involved
What is privacy?
• About People
• Identifying information leading to a natural person
• Linking people to their
• beliefs,
• circumstances,
• associations,
• behaviours,
• and more
100
Defining Privacy
• Privacy as a human right

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor
to attacks upon his honour and reputation”
-Article 12, UN Declaration of Universal Human Rights.
• More articulations:
• “Information self-determination”
• “the right to be let alone”
• “the freedom from unreasonable constraints on the construction of one’s own identity”
Privacy as…
• Transparency
• Control
• Confidentiality
Privacy as Transparency
• Inform
• what is collected and

• For what purposes
• By whom
• For how long
• and so on
• Privacy policies
• Transparency reports
Privacy as Control
• Control
• If data can be used/shared
• What kind of access is granted
• What kind of processing can be done
• Consent forms
101
Limits of Control and Transparency
• No way to prevent (control) what is revealed

• IP addresses on network traffic
• Explicit list of information (transparency) may not be possible to enumerate
• Joining two or more sources of data together to form a more complete profile
• Ad trackers
• Unexpected correlated information in collection
• Genomic data of family members
• Hiding your information
• Encryption
• Secret key needed
• Obfuscation
• No cryptographic secrets
• Know where to look and how to undo the obfuscation
Privacy Threat Landscape

• Data (at rest, in transit, or in processing)

• Posts, status updates, tweets, pictures, check-ins
• Genomic
• Location (check-ins, maps)
• Meta-data
• Timing, message lengths, IP addresses
• Device/application fingerprints
Formal Approach to Inference Control
• Two variants
• Local: noise is added before it is added to the database.
• Global: noise is added to the answer of the query and there is a DB request handler that mediates
between the query requestor and the database
• Contrast the case where the database is sanitized and then published publicly, as before
102
Data Confidentiality
• Cryptography-based access control
• Protecting data in transit
• Protection of data during processing
• Verification in the encrypted domain
• Private computation-input verification
• Private authentication
• Private payments
• Obfuscation-based inference control
• Anonymization
• Generalization
• Suppression
• Perturbation
• We would like to keep our data private (not shared) but also use it to do useful computations in
collaboration with others
• Is that even possible?

• Secure multi-party computation
• Homomorphic Encryption

Data Confidentiality
• There are four main techniques to obfuscate data, as described below. We note that these techniques
are mostly oriented to obfuscate numerical or categorical fields. Obfuscating more complex content,
such as free text, is a much more difficult task due to correlations that are hard to remove in a systematic
manner
103
Anonymization:
A common technique used to permit data processing without risk for individuals is data anonymization.
Anonymisation, as its name indicates, seeks to decouple identity from information

Generalisation:
This technique consists in reducing the precision with which data are shared, with the goal of reducing the
accuracy of the adversary’s inferences. Generalisation can be achieved via a direct precision reduction

Suppression:
This technique consists in suppressing part of the information before it is made available to the adversary.
The rationale behind suppression is that the fewer the data are provided to the adversary, the more difficult
is for her to make inferences. The suppression strategy, which decides which information to hide, is key for
the level of privacy protection that such a scheme may provide
104
Dummyaddition:
This technique consists in adding fake data points, so-called dummies, to the data made available to the
adversary in order to hide which are the real samples.
The idea is that, as the adversary considers fake points when running the attack, her inference will have
errors.

Perturbation:
Perturbation techniques inject noise into the data made available to the adversary.
The noise is aimed at reducing the adversary’s inference performance.
Similar to suppression techniques, the strategy used to introduce noise plays a crucial role in the level of
privacy provided.
105
Metadata Confidentiality
There are three types of metadata that have been demonstrated to be extremely vulnerable to privacy
attacks: traffic metadata, associated to the communication infrastructure; device metadata, associated
with the platform generating the data, and location metadata, associated with the physical location
from which data is generated.
Traffic Metadata.
Network-layer information, such as the identities of the participants in the communication (IP
addresses), the amount and timing of the data transferred, or the duration of the connection, is
accessible to observers even if communications are encrypted or obfuscated. This information,
commonly known as traffic data, can be exploited to deduce potentially sensitive private information
about the communication.
Device Metadata.
In today’s optimized Internet services, the concrete characteristics of users’ devices are frequently
sent along with their data requests in order to optimize the service providers’ responses. Even if users
are anonymous on the network layer, these characteristics may become a quasi-identifier that enables
service providers to track users across the web.
Location metadata.
Finally, a user’s geographical location revealed to online services can be used to infer sensitive
information. This information can be revealed explicitly, for example, when the user makes queries to
location-based services to find nearby points of interest or friends; or implicitly, for example, when GPS
coordinates are associated with photos or content published on social networks, or inferred from the
access point used to access the Internet.
106
Privacy as Control
Support for privacy settings configuration.

Privacy settings are those controls in a web service that allow users to express their preferences
regarding how data should be revealed to other users, shared with third parties, and processed by the
service providers.
Support for privacy policy negotiation

The previous technologies support users at the time of configuring their privacy settings in an online
service. An orthogonal line of work is dedicated to automating the communication of user preferences
to the service, or between services.
Support for privacy policy interpretability

In order to configure the privacy settings according to their expectations of how data should be
handled, users need to understand the privacy policies that describe the meanings of these settings.
These policies are often long, verbose, and contain a lot of legal terms; and they often evolve over time.
Thus, users find them difficult to understand.
Privacy as Transparency
As opposed to technologies that limit data disclosure or the use of disclosed data, transparency

mechanisms analyze users’ online activities in order to either provide them with feedback about the
implications of their actions or run audits to check that there has been no violation of privacy.
Feedback-based transparency.
Audit-based transparency.
Privacy Technologies
Privacy protection is crucial for underpinning the values that support our democratic societies.
Two examples that highlight the importance of privacy technologies in supporting democracy
1. Privacy technologies as support for democratic political systems.

Electronic voting (eVoting)
Anonymous petitions.
2. Censorship resistance and freedom of speech.
Censorship systems attempt to impose a particular distribution of content across a system.
Data publishing censorship resistance.
Data access censorship resistance.
107
Privacy Engineering
The growing privacy concerns in society have made the concept of ‘privacy by design’ very popular
among policy makers.
This concept advocates for the design and development of systems that integrate privacy values to
address users’ concerns.
The two primary goals when designing privacy-preserving systems are to:
• Minimize trust
• Minimize risk
To minimize both trust and risk, privacy experts typically design systems in accordance with the
following strategies:
• Minimise Collection: Whenever possible, limit the capture and storage of data in the system
• Minimise Disclosure: Whenever possible, constrain the flow of information to parties other
than the entity to whom the data relates. This refers both to direct flows between senders and
receivers and to indirect flows, e.g., use of control techniques to limit the information available
when publishing or querying a dataset
• Minimize Replication: Whenever possible, limit the number of entities where data are stored or
processed in the clear
• Minimize Centralization: Whenever possible, avoid a single point of failure regarding the privacy
properties in the system
• Minimize Linkability: Whenever possible, limit the capability of the adversary to link data
• Minimize Retention: Whenever possible, limit the amount of time information is stored
Strategies to minimize unnecessary information are:
• Keep the data local:

Perform any computation on sensitive data on the user side, and only transmit the result of the
operation. Additional information, such as zero-knowledge proofs or commitments, may be needed
to guarantee the correctness of the operations.
• Encrypt the data:
Encrypt the data locally and send only the encrypted version to other entities. If any operations on
the data are needed, see the next point.
108
• Use privacy-preserving cryptographic protocols:
Process data locally to obtain inputs to a protocol in which, by interacting with the untrusted
entities using one of the protocols introduced in the previous sections, the user can obtain or prove
information while limiting the information made available to those entities.
• Obfuscate the data:
Use techniques to control inference to process the data locally and only send the perturbed version
to the untrusted entity.
• Anonymize the data:
Process the data locally to remove identifiable information and send it to the untrusted party via an
anonymous channel.
Privacy Evaluation
This evaluation has the goal of quantifying the level of privacy that the technology, and respectively the
system, can provide.
For privacy technologies based on cryptographic primitives, the privacy evaluation typically covers the
cryptographic proofs that ensure that only the intended information is leaked by the operations.
On the contrary, for privacy techniques based on obfuscation, it is necessary to carry out an analysis to
validate that the combination of techniques provides the desired level of privacy.

Conclusions
Protecting privacy is not limited to guaranteeing the confidentiality of information. It also requires
means to help users understand the extent to which their information is available online, and mechanisms
to enable users to exercise control over this information.
Preserving privacy and online rights is not only important for individuals, it is essential to support
democratic societies.
The deployment of privacy technologies is key to allow users free access to content, and freedom of
speech.
109
110
Technologies
Module 6: Malware & Attack
Introduction
• A taxonomy of Malware
• Malicious Activities by Malware
• Malware Analysis
• Analysis Environments
• Identifying the Analysis Environments
• Anti-Analysis and Evasion Techniques
• Malware Detection
• Malware Response
Malware
Malware is short for ‘malicious software, that is,
any program that performs malicious activities.
We use the terms malware and malicious code
interchangeably.
Malware comes with a wide range of shapes

and forms, and with different classifications
accordingly, e.g., viruses, Trojans, worms,
spyware, botnet malware, ransomware, etc.

A Taxonomy of Malware
• Many types of malware
• Often also “Potentially Unwanted
Programs (PUPs)
• Identify common characteristics
• Useful to develop general countermeasures
• We identify six main dimensions
111
Malware Taxonomy: Dimensions
• (1) Standalone vs Host-Program

• Is it an independent program, or is it part of
another program?
• (2) Persistent vs Transient
• Is it on filesystem, or just in memory?
• (3) Layers of System Stack
• Firmware, boot sector, operating system
kernel, drivers, APIs, user applications
• (4) Auto-Spreading?
• Does it spread automatically, or does the Email
infection happen through user actions?
(e.g., emails)
• (5) Dynamically Updates?
• Static (one-time) vs dynamically updated
• (6) Coordinated?
• Is it part of a coordinated network (e.g.,

botnets)?
Taxonomy: Examples
112
Potentially Unwanted Programs (PUPs)
A potentially unwanted program (PUP) is typically a piece of code that is part of a useful program
downloaded by a user.
For example, when a user downloads the free version of a mobile game app, it may include adware, a
form of PUP that displays ad banners on the game window.
Often, the adware also collects user data (such as geo-location, time spent on the game, friends, etc.)
without the user’s knowledge and consent, in order to serve more targeted ads to the user to improve
the effectiveness of the advertising.
PUPs are in a grey area because, while the download agreement often contains information on these
questionable behaviors, most users tend not to read the finer details and thus fail to understand exactly
what they are downloading.
Malicious Activities by Malware
• Malware codifies malicious activities intended by an attacker

• Malware attacks require a multi-step approach
• Example:

• USB Key left in parking lot
• Someone out of curiosity picks it up inserts it in a PC
• USB Key contains auto-install malware
• Exfiltrates information
• Cyber Kill Chain model
Confidentiality: It can steal valuable data, e.g., user’s authentication information, and financial and
health data.
Integrity: It can inject falsified information (e.g., send spam and phish emails, create fraudulent clicks,
etc.) or modify data.
Availability: It can send traffic as part of a distributed denial-of-service (DDoS) attack, use up a large
amount of computing resources (e.g., to mine cryptocurrencies), or encrypt valuable data and demand
a ransom payment.
113
The Cyber Kill Chain
Reconnaissance Gather information Exploitation Execute exploit on victim system
Weaponization Prepare exploits into malicious payload Installation

Install permanently on target system
Command and Control

Delivery Send malicious payload (C&C) Establish remote command connection
Action on objectives
The Cyber Kill Chain Model

114
Underground Eco-system
• Organized Cyber-crime
• Support full malware lifecycle
• Development
• Deployment
• Operations
• Monetization
• Specialized roles
• Plausible deniability
• More effective malware
• 9-to-5 malware development

• Underground markets
Action Objectives
• Toolkits
• Easy-to-use automated tools (e.g., keyloggers)
Campaigns

•
• Large-scale attacks (e.g., botnet)
• Long-running
• Advanced Persistent Threats
• Target specific organization
• Low and slow
• Lateral Movement and Data Exfiltration
115
Malware Analysis
Why Malware Analysis?
Benefits include:
• Understand intended malicious activities
• Useful to attribution
• Understand and predict trends/scope of
malware attacks
• Three typical phases:

• Understand Malware Format
• Static Analysis
• Dynamic Analysis
Acquiring Malware Data
• Network/Host Sensors in Protected

Environment
• Capture malware “live”
• Malware Collection Efforts
• E.g., researchers
• Threat Intelligence Exchange
• Legal/Ethical Responsibilities
• Avoid damage
• Share responsibly
Static Analysis
• Examine malware code without executing it Program Analysis
• Binary code
• Intermediate code (e.g., bytecode)
• Source code
• Pros
• Better coverage of behaviors
• Safe
• Limitations
• Overestimates behaviors
• Weak to obfuscation
116
• Monitors runtime behavior of malware
execution to identify malicious behaviors
• Typically, from a stack layer lower than the
malware itself
• Pros
• You see actual behavior
• (Relatively) language-independent
• Limitations
• Underestimates behavior (coverage,
triggers)
• Safety and Live-Environment
Other Analysis Techniques

• Fuzzing
• Randomised input to programs
• To discover vulnerabilities/bugs/crashes
• Also trigger malware behavior
• Limitation: code coverage

• Symbolic Execution
• It treats variables and equations as symbols and formulas that can potentially express all program
paths
• Limitation: Convergence (needs to execute end-to-end, one at a time)
• Concolic Execution
• Combines Concrete and Symbolic Execution.
• Online Concolic Execution: forking on all feasible branches
117
Analysis Environments
Internet?
• Dedicated environment for Dynamic Analysis
Live C&C?
• Results/Cost Trade-Off.
• Cost
• Analysis Time
• Manual Human Effort
• Other aspects:
• Safety
• Live-environment
Common Environments
• Machine Emulator
• Code-based architecture emulation
• Type 2 Hypervisor
Ease of Use
• Runs in host OS, provides v service for hardware
• Type 1 Hypervisor
• Runs directly on system hardware

• Bare-metal machine
• No virtualization
118
Safety and Live-Environments
• Safety Internet?
Live C&C?
• The malware may do malicious actions. Can
we allow it?
• Also legal implications
• Virtualized network environments
• Does the malware exhibit intended
malicious behaviors?
• Network connectivity
• Real users on the machine
• C&C/update servers online
Anti-Analysis and Evasion Techniques

• Evading Analysis Methods
• Anti-disassembly
• Obfuscation
• Packing

• Control-flow obfuscation
• Code emulation
• Identifying the Analysis Environments
• Red-pill testing (e.g., discrepancies CPU
instructions)
• User events, logs, history
• Installed applications
119
Malware Detection
Identify the presence of a malware
The process of locating a malicious program residing within a host involves identifying clues that are indicative
of the malware’s presence on a computer system. We call these clues ‘indicators of compromise’, and they are
the ‘features’ or ‘artifacts’ of malware.
• Network-level (e.g., distribution)

• Host-level (e.g., stored/in-memory)
• AVs or IDS may prevent it Indicators of Compromise (IoCs)

• Features and artifacts of the malware
Evasion and Countermeasures
• Malware is commonly distributed via an

Internet download. A vulnerable Internet-

facing program running on a computer can
be exploited to download malware onto the
computer.
• Evading signature-based misuse detection
• Packing
• Polymorphism
• Update routine
• Heuristics (e.g., high entropy) may lead to false
alarms
120
Detection of Malware Attacks
• Solution: Aim to detect malicious activities in

general
• Anomaly detection
• Network-based monitoring
• Network events
• Domain names
Prevent infection
• Temporal activities or detect it
during execution
• Host-based monitoring
• File system
• Processes Example: Ransomware
• System Calls Anomalous encryption
operations
For ransomware detection, the main approaches include monitoring host activities involved in
encryption. If there is a process of making a large number of significant modifications to a large number
of files, this is indicative of a ransomware attack [82]. The ‘significant’ modifications reflect the fact that
encrypting a file will result in its contents changing drastically from its original contents.

Since many malicious activities are carried out by botnets, it is important to include botnet detection
methods.
Bots of the same botnet are controlled by the same attacker and perform coordinated malicious
activities.
ML-based Security Analytics
• Machine Learning
• Static and Dynamic Features
• Build Models from Data
• Distinguish Benign from Malicious Objects
121
ML-based Malware Detection
• Static and Dynamic Features

• Successful application: Botnet
• Domain Generation Algorithms (DGA)
• Fast-flux operations
• C&C Server communications
• ML Limitations:
• Challenging Feature Engineering
• Adversarial attacks
• Costly labeling for malware Deep Learning: poor
explainability
Evasion of ML-based Malware Detection

• Attackers are well aware of the detection
methods that have been developed, and they
are employing evasion techniques to make
their attacks hard to detect. Partial countermeasures
• Ensemble of models
• Mimicry Attack
• Evasion
• Robust optimization
• Recreate normal behavior (e.g., sequence • Forget learning of old
of system calls) samples (against
• Polymorphic blending attack of network
poisoning)
traffic
• Targeted noise injection
• Poisoning: “garbage in, garbage out”
122
Concept Drift
• Malware evolves rapidly
• Solutions:
• Active Learning
• Online Learning
Malware Response

• After detection and possible mitigation, what can we do?
• Remove the malware and recover the data and services from secure backups
• Update corresponding Firewall and Network intrusion detection system rules, to prevent and
detect future attacks.
• Attempt to take down malware command-and-control (C&C) infrastructure
• Disrupt malware operations

• Takedown
• ‘sinkholing’ the domains
• Partition the P2P botnet into isolated sub-networks
• Malware has also become increasingly resilient by including contingency plans
123
Disrupt Malware Operations
• Malware is often resilient and has contingency

plans
• Identify C&C mechanisms
• Reverse-engineer DGA algorithms Possible legal
• Identify P2P backup networks implications to be
• Takedown the network by taking control of verified before
the infrastructure
proceeding
Attribution
• Law Enforcement wants to identify actual
malicious actors
• Some hints for attribution:

• WHOIS records
• Coding style Right direction:
• Linguistic features Integrate multiple
• Control flow graphs
streams and sources of
• Limitations: data and evidence.
• WHOIS records often anonymized
• Toolkits are often reused
• False flags to deceive attribution
124
• Identify malware authors
• Identifying the virtual attacker is an important first step toward this goal. An attacker may
have consistent coding styles, reuse the same resources or infrastructures, or use similar C&C
practices
• Programming styles and code quality

• Sequence of instructions and register flow graph
• Unknown TDSS/TDL4 botnet ad-fraud C&C domains share the same IP infrastructure with
known domains, and they are registered by the same set of email addresses and name servers
Evasion and Countermeasures

Many malware authors reuse different kits for the convenience offered by the business model of the
under-ground economy.
Authors can also evade attribution by intentionally planting ‘false flags’ in malware.
Domain registration information, WHOIS, is a strong signal for attack attribution. The same attacker
often uses a fake name, address, and company information following a pattern.
Malware interrogation helps recover more C&C domains used by the fallback mechanism, which offers

more opportunities for attribution.
Conclusion
• Attackers use malware to carry out malicious activities on their behalf
• Different layers of system stack
• Possibly support infrastructure
• Botnets
• Wants to avoid detection and attribution
• Detecting analysis environment
• Obfuscation
• Defenders should work on

• Analysis of environments transparent to malware
• Specialized program analysis algorithms
• ML-based techniques
• Malware response strategies (e.g., takedown)
125
126
Behaviour
Module 7: Adversarial
Introduction
A Characterization of Adversaries Cyber-enabled and cyber-dependent crimes

• Interpersonal offenders
• Cyber-enabled organized criminals
• Cyber-dependent organized criminals
• Hacktivists
• State actors
The Elements of a Malicious Operation
• Affiliate programmes
• Infection vectors
• Infrastructure
• Specialized services
• Human services
• Payment methods
Models to Understand Malicious Operations
• Attack trees
• Environmental criminology
• Attack attribution
The Internet has created multiple opportunities for adversaries to cause harm.

This lesson provide an overview of the malicious activities happening on the Internet today, focusing on
the elements needed by adversaries to succeed in their operations.
A Characterization of Adversaries
Our characterization is based on the motivation of offenders and is driven by case studies analyzed by
researchers over the past years.
Cyber-enabled crimes
Crimes that existed before the Internet, but that were increased in reach and scale by it (e.g., fraud).
Cyber dependent crimes

Crimes that are only possible through the use of computers (e.g., DDoS).
127
Interpersonal Offenders
Cyberbullying - Sending or posting harmful material or engaging in other forms of social aggression
using the Internet or other digital technologies.
Doxing - An attack where the victim's private information is publicly released online.
Cyberstalking - The practice of using electronic means to stalk another person.
Sextortion - Luring victims to perform sexual acts in front of a camera and threatening to release it
unless a ransom is paid.
Child predation - Criminals find their victims through chat rooms, social media, or online gaming
platforms.
Cyber-enabled Organized Criminals

Cyber-enabled crimes carried out by career criminals
Advance fee fraud — The victim is promised a reward (financial or otherwise), but in order to obtain it
has to first pay a small fee to the fraudster. After the payment takes place, the victim often does not hear
from the scammer again. Losses can amount to 240k USD.
Drug dealing — Thanks to anonymizing technologies such as Tor and cryptocurrencies, online
marketplaces have emerged where drug users can purchase illicit substances and have them delivered
directly to their homes.
Cyber-dependent Organized Criminals

Crimes that have a financial goal and are carried out through complex technical infrastructures (E.g.,
botnets)
Email spam — Unsolicited bulk email has been at the forefront of very successful criminal operations,
who have managed to monetize the sale of counterfeit goods and pharmaceuticals by reaching billions
of potential customers through malicious messages.
Phishing. A particular type of spam is phishing, where criminals send emails that pretend to be from
genuine services (e.g., online banking, social network websites)
Financial malware — Criminals aim to install malware on their victims' computers and steal financial
credentials such as credit card numbers and online banking usernames and passwords.
Click fraud. Web advertisements are the main way the Web is monetized.
128
Unauthorized cryptocurrency mining. With the increasing popularity of cryptocurrencies, a new
opportunity has opened up for criminals: using infected computers to mine currency.
Ransomware. The newest trend in malware is Ransomware. As part of this operation, criminals infect
their victim systems with malware which encrypts the user’s personal files (e.g., documents) and sends
the encryption key to the criminal, who then asks for a ransom in exchange for giving the user access to
their data again.
Denial of service. A feature that all Internet-connected devices have is network connectivity. A criminal
can leverage the bandwidth of an infected device to perform a Distributed Denial of Service (DDoS)
attack against a target.
Hacktivists
We define the act of computer crime motivated by a political goal as hacktivism.
Denial of service — Launching denial of service attacks against organizations that go against certain
political views (e.g., Anonymous)
Data leaks — E release of stolen documents into the public domain, for example, to raise awareness
about secret surveillance programs by governments

Web defacement — Miscreants exploit vulnerabilities in the websites of organizations they disagree
with and use them to change the home page of the website to a politically-charged one.
State Actors
In the past few years, we have observed an escalation in the use of computer attacks by state actors to
achieve their goals.
Sabotage — Attacks (e.g., malware) are launched to sabotage the critical infrastructure of a country.
Espionage — Sophisticated malware is used to infiltrate organizations and steal sensitive data.
Disinformation. In the past two years, evidence has emerged that state-sponsored actors have been
involved in spreading disinformation on social media. This has been done through troll accounts that
acted to polarize online discussion on sensitive topics.
129
The Elements of a Malicious Operation
Malicious operations often need complex infrastructures to operate
• These operations need to be as efficient as possible

• These operations need to be as resilient as possible
To ensure that the criminals' needs are met in this scenario, in recent years we have witnessed a
specialization in the cybercriminal ecosystem, where different actors specialize in a specific elements
required for the operation to succeed.
The miscreants then trade these services with each other on the black market.
Affiliate programmes — A scheme where main organization provides a 'brand' and all the means
required to carry out orders, shipments, and payments.
Infection vectors — How to infect victims with malware?
• Malicious attachments
• Blackhat Search Engine Optimization
• Drive-by download attacks
Compromising of Internet-connected devices. (IoT)
Infrastructure — Where to host malicious content?

• Bulletproof hosting service providers
• Command and control infrastructure
Specialized Services
Services that help criminals set up their operations
Exploit kits — Tools that collect a large number of vulnerabilities and are sold on the black market for
other criminals to use.
Customers can point their victims towards it by compromising websites or using malicious
advertisements.
Pay-per-install services (PPI) — PPI operators are proficient in setting up a botnet and having it run
properly. Other criminals can then pay the PPI operator to install malware on the infected computers
on their behalf.
130
Human Services
Auxiliary services are needed for an end-to-end cybercriminal operation to succeed.
• Captcha solving services

• Fake accounts
• Content generation
• Money mules
Payment Methods
As criminals need to have money transferred to them, they can use a number of different payment
methods, each carrying a different level of risk and being more or less familiar to the victims.
• Credit card processors

• Paypal
• Western union and other money transfer services (‘untraceable’payments)
• Cryptocurrencies
Models to Understand Malicious Operations

• Attack trees

• Kill chains
• Frameworks from environmental criminology
• Routine activity theory
• Rational choice theory
• Pattern theory of crime
• Situational crime prevention
• Attribution of cyber attacks
131
132
Cyber Kill Chain
Attack Trees : Example of an Attack
Environmental Criminology
Environmental criminology, in particular, is a branch of criminology that focuses on criminal patterns

in relation to the space where they are committed and to the activities of the actors involved (victims,
perpetrators, and guardians)
Routine activity theory.

Routine activity theory is a commonly used concept in environmental criminology, postulating that the
occurrence of crime is mostly influenced by an immediate opportunity for one to commit a crime.
Rational choice theory.
Rational choice theory aims to provide a model as to why offenders make rational choices to commit
crime.
Pattern theory of crime.
Another theory, called the pattern theory of crime, allows researchers to identify various places that
are related to crime.
Situational crime prevention.
Situational crime prevention comprises a set of theories and techniques that aim to reduce crime by
reducing the opportunities for crime.

• Crime is much more likely to happen in certain places(hotspots). Criminals tend to concentrate
their malicious servers in bulletproof hosting service providers, which provide them with guarantees
that their operations can continue for long periods of time
• Crime is concentrated in particular ‘hot products’
• Repeat victims are more likely to experience crime compared to other people
Crime prevention proposes five categories of mitigations.
1. Increase the effort of crime. Mitigations here include deploying firewalls and setting up automated
updates for software installed on computers.
2. Increase the risk of crime. Mitigations here include reducing payment anonymity (e.g., requesting
an ID when someone cashes money from Western Union).
3. Reduce rewards. Mitigations here include blocking suspicious payments or parcels or penalizing
malicious search results.
4. Reduce provocations. Examples here include applying peer pressure to rogue ISPs and banks.
5. Remove excuses. Typical mitigations in this category include running education campaigns or setting
up automated redirects to divert victims who would have viewed malicious content, explaining to
them what happened, and urging them to secure their systems.
133
Crime scripting.
Another useful technique that can aid the analysis of malicious activities on the Internet from the field of
criminology is crime scripting
Attack Attribution
Law enforcement is interested in understanding what criminals are behind a certain operation, and
in particular, attributing apparently unrelated cybercriminal operations to the same actors could help
build a legal case against them.
In a similar fashion, governments are interested in identifying the culprits behind the attacks that they
receive. In particular, they are interested in finding which nation-states (i.e., countries) are behind these
attacks.
134
Management
Module 8: Security
Operations & Incident
135
Introduction
• Fundamental concepts
• Monitor: Data sources
• Analyze: Analysis methods
• Plan: Security information and event management
• Execute: Mitigation and countermeasures
• Knowledge: Intelligence and analytics
• Human factors: Incident management
What is it about?
• Information systems are targets of attacks
• Resources
• Information
• Full protection is impossible

• Limits use
• Cost
• Detecting attacks as early as possible is the next best option

Timeline and Scope
Needs have evolved to meet the

increasing complexity of systems,
services and attacks.
136
Overall MAPE-K loop

Components of MAPE-K Monitor-Analyse-Plan-Execute
• Intrusion detection systems (IDS)
• Monitor systems and networks to create or collect execution traces
• Analyse them (in real time) to detect issues and provide alerts
• Security Information and Event Management (SIEM) platforms
• Analyse events and alerts to triage them according to their impact; identify incidents
• Plan: select potential responses to incidents
• Execute: push recommendations to system and network analysts
• Security Orchestration, Analytics and Reporting (SOAR) platforms
• Analyse further the collected information (events, alerts, incidents)
• Plan: assess response plans according to business impact
• Execute: partially automate deployment of response plans
137
Deployment of SOIM Technologies
• Segmentation of the network in zones

• Sensitivity
• Quantity of exchanges
• Sensors and log feeds deployed to collect traces and detect malicious behaviour
• Private network to gather event and alert feeds
• SIEM platform to manage events, alerts and incidents

• Technical support of Security Operating Centre (SOC)
Architectural Principles Typical Architecture

138
Intrusion Detection and Prevention Systems
• Process traces of execution

• Representative of the activity of a « system »
• Enable differentiation between normal and malicious activity
• Separate appropriate from malicious activity

• Rationale for suspicion (what)
• « Evidence » if possible (why)
• Levels of suspicion frequently used
• Raise alert: symptom of misbehaviour
MONITOR: Data sources
Data sources landscape
139
Network Data Sources: Possible Detections
• Network packets
• Carriers of attacks (e.g. malware in payload)
• Symptoms of compromise (e.g. connection to Command & Control infrastructure)
• Network aggregates
• Deviations in traffic patterns (ports, conversations, volume)
• Network infrastructure
• Use of the Domain Name System (DNS) for command and control
• Manipulation of the routing infrastructure to reroute traffic or hide malicious activity
Application Data Sources

• Traces provided by applications related to their runtime behaviour
• Web servers in particular
• Representing specific activity
• Usually collected through system mechanisms

• Unix: /var/log
• Syslog
Also includes documents

•
• Complicated parsing
System Data Sources

• Kernel logs
• Intercepted very low in the execution path (assembly)
• Focusing on malware detection
• Interest in the Android ecosystem

• Understand interactions between apps and supporting libraries
• Call-back mechanism obscures malicious activities
140
Syslog
• Generic logging infrastructure

• Entry composed of
• Timestamp
• Hostname
• Process
• Priority
• PID
• Message
• Extremely useful both for event and alert management
Frequent Data Sources Issues

• Normalization, canonization and labelling
• Syntax of the data
• Semantic of the data
• Transformation to meet needs of detection algorithms
• E.g. transform text data in numerical form
• Encrypted data flows
• Access limited to the outer envelope of the data

• Voluminous data flows
• Limits transportation and storage
• Personally Identifiable Information (PII)
• Conflict between technical data and PII: network addresses
Analysis of Traces
• Objective: Generate incidents from alerts and events
• Intrusion detection sensors
• Deployed in the field
• Collect event information
• Produce alerts
• Analysis techniques
• Misuse detection
• Anomaly detection
141
From Event to Incident
Analysis: from event to alert to incident
Misuse Detection
• Gather knowledge about attack processes

• Model occurrence of attack in traces
• Signatures
• Detect presence of such occurrence in current trace
• Advantage
• Alerts are qualified by a root cause
• Drawback
• Management of attack process knowledge
• Expertise and time
142
Anomaly Detection
• Gather knowledge about process behaviour

• Expected behaviour (e.g. standards and policies)
• Behaviour learned through observation
• Machine learning
• Detect presence of such occurrence in current trace
• Define deviation from the norm
• Advantage
• Unknown attack processes are detected by their side effects
• Drawback
• Diagnosis of alert impact
• Selection of behavioural model (many possibilities)
• Attack-free training (ground truth)
General Intrusion Detection Issues

• False positives
• False negatives
• Base-rate fallacy
• Magnitude of difference between the volume of attacks and the volume of normal activity in

traces
• Metrics for testing and evaluation
Typical Architecture Security Information and Event Managementures
143
Data Collection in SIEMs
• Definition of
• Schema: structure and semantic of messages
• Encoding: transformation of message in bit string
• Transport protocol
Alert Correlation
• Objectives
• Reduce the number of alerts to process

• Automatically identify false positives
• Group alerts into incidents
• Propose remediations
• Correlations techniques
• Alerts sharing the same characteristics (addresses, ports, etc.)
• Alerts associated with contextual information
• Environment
• Cyber-Threat Intelligence
• Information exchange
144
Mitigations and Countermeasures Tools and Techniques
• Intrusion Prevention Systems

• Immediately apply remediation to the data stream upon detection
• Block or terminate connections at the network level
• Change content (a.k.a. virtual patching)
• Traffic management for denial of service attacks
• Dedicated tunnels
• Anycast
• Impact and risk assessment
• Understand the business risk associated with the incident
Intelligence and Analytics
• Relevant normalized knowledge sources

• Common vulnerabilities and exposures
• Common vulnerability scoring system
• Common Weakness Enumeration
• Common Attack Pattern Enumeration and
• Classification
• Adversarial Tactics, Techniques & Common Knowledge

• Honeypots and honeynets
• Cyber-Threat Intelligence
• Understand malicious activity in the Internet
• Identify relevant threats and deploy detection/protection means
• Share compromise information
• Information Sharing and Analysis Centres
145
Incident Management Lifecycle
Conclusion
• Security Operations and Incident Management are increasingly relevant

• Wide range of connected devices
• Complex dynamic systems
• DevOps
• Require skilled personnel

• Automation
• Decision support
146
Exam
Module 9: Certification
147
Badge
https://www.credly.com/org/certiprof/badge/cyber-security-foundation-professional-certificate-
csfpc
Exam Conditions
The exam format is as follows:
• Multiple choice
• 40 questions
• 32 marks required to pass – 80%
• 60 minutes duration
• Closed book
You will have two attempts within 180 calendar days after you receive your initial welcome email to pass
the test at no cost.
148
www.certiprof.com
149

Material Fcybersecurity Foundation CSFPC V062022A en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Material Fcybersecurity Foundation CSFPC V062022A en

Uploaded by

Copyright:

Available Formats

Who is CertiProf®?

Our Accreditations and Affiliations

CertiProf® is a Corporate Member of the Agile

By joining the Agile Alliance corporate program,

IT Certification Council - ITCC

CertiProf® is an active Member of ITCC.

The fundamental purpose of the ITCC is to

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

This alliance allows people and companies

Credly is the largest repository of badges in the

Earners with this badge have proven their

• Be a CertiProf certification candidate

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Cyber Security Program Based on CyBOK

• Cyber Security Foundation CSFPC

• Understand the importance of Cybersecurity

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Module 0: NIST - Cybersecurity for Small Business 16

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Risk Assessment and Management Principles 59

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Usability Smells: An Analysis of Developers’ Struggle With Crypto Libraries 97

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Components of MAPE-K Monitor-Analyse-Plan-Execute 137

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Why Cybersecurity Matters for your Small Business

Complexity of a Modern Small Business

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

credit card information.

Protecting information from unauthorized access and disclosure.

Protecting information from unauthorized modification.

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Preventing disruption in how information is accessed.

Vulnerability Business Costs Reputation

Attackers can see Attacks can be Customers and

Cybersecurity Basics Resources

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

• Unauthorized access to systems and information

• What are the threats?

• Damage to information or information systems

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

What are you protecting?

1. Identify your business’ assets

Customer info Key employees

Identify your business assets on the worksheet.

CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM

Receiving payments from

3rd party email provider

2. Identify the Values of the Assets

• What would happen to my business if this asset was

Devices storing patient

3rd party email provider Medium

3. Document the Impact to your Business of Loss/Damage to the Assets

Patient health information High, due to regulations High

Devices storing patient

Medium (can institute

Receiving payments from

3rd party email provider Medium Medium

• List the threats to each business asset

Impact of loss / Damage Likelihood of loss/damage

Devices storing patient

Medium (can institute

Receiving payments from