Professional Documents
Culture Documents
Material Fcybersecurity Foundation CSFPC V062022A en
Material Fcybersecurity Foundation CSFPC V062022A en
CertiProf® is an Examination Institute founded in Unites States in 2015. Located in Sunrise, Florida.
Our philosophy is based on the creation of knowledge in community and for this purpose its collaborative
network is made up of:
• CLL's (CertiProf Lifelong Learners) certification candidates are identified as Continuing Learner,
proven their unwavering commitment to lifelong learning, which is vitally important in today's ever-
changing and expanding digitalized world. Regardless of whether they win or fail the exam
• ATP's (Accredited Trainer Partners) universities, training centers and facilitators worldwide make
up our partner network
• Authors (co-creators) are industry experts or practitioners who, with their knowledge, develop
content for the creation of new certifications that respond to the needs of the industry
• Internal Staff: Our distributed team with operations in India, Brazil, Colombia, and The United
States is in charge of overcoming obstacles, finding solutions and delivering exceptional results
2
Agile Alliance
https://www.agilealliance.org/organizations/
certiprof/
Credly
CertiProf® is a Credly partner.
3
Badge
https://www.credly.com/org/certiprof/badge/cyber-security-foundation-professional-certificate-
csfpc
Lifelong Learning
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Earning Criteria:
4
Who should attend to this certification?
• Everyone
• End Users
• Managers
CSFPC™
• Duration: 16 hours
• Language: English/Spanish
• Class Formats:
• Instructor-led
• Self-Study
• Prerequisites:
• None — Entry Level
• Applicable Exams:
• Cyber Security Foundation Professional Certificate
Presentation
Company
Job title
Experience
Expectations
5
Course Methodology
Presentation Videos
Examples
Activities
Content
• Module 0: NIST - Cybersecurity for Small Business
• Module 1: CyBOK - Cybersecurity Fundamentals
• Module 2: Risk Management
• Module 3: Law / Regulation
• Module 4: Human Factors
• Module 5: Privacy & Online Rights
• Module 6: Malware & Attack Technologies
• Module 7: Adversarial Behaviour
• Module 8: Security Operations & Incident Management
• Module 9: Certification Exam
6
Learning Objectives
7
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
8
AGENDA
9
Recover 36
Sample Recover Activities 37
Framework 37
Everyday Tips 38
Resources 38
Module 1: CyBOK – Cyber Security Fundamentals 39
Cyber Security Definition 40
CyBOK Knowledge Areas 41
Deploying CyBOK Knowledge To Address Security Issues 43
Functions Within A Security Management System 45
Principles 45
Crosscutting Themes 47
Cyberspace 50
Module 2: Risk Management & Governance 51
Topics Covered in this Lesson 52
What is Risk? 52
Why is risk assessment and management important? 53
What is cyber risk assessment and management? 55
Risk Governance 55
The Human Factor and Risk Communication 56
Security Culture and Awareness 57
Enacting Security Policy 57
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
10
Introductory Principles of Law and Legal Research 68
“To Prove” Something 68
“Standards” of Proofs 69
Applying Law to Cyberspace and Information Technologies 69
Distinguishing Criminal and Civil Law 70
Jurisdiction 70
A Taxonomy of Jurisdiction 71
Prescriptive Jurisdiction 71
Enforcement Jurisdiction 71
The Data Sovereignty Problem 72
Privacy Laws in General and Electronic Interception 72
State Interception (Lawful Access) 73
Non-state Interception 73
Data Protection 74
The “Players” 74
What is regulated? 75
“Personal Data” vs “PII” 75
Data Protection Highlights 76
Computer Crime 76
Crimes Against Information Systems 77
Recurring Challenges 77
Contract 77
11
State Attribution 86
Limiting Operations 86
Ethics 87
Codes of Conduct 87
Vulnerability Testing and Disclosure 88
Legal Risk Management 88
Module 4: Human Factors 89
Introduction 90
Human Factors 90
Security Has to be Usable 90
Fitting the Task to the Human 91
Human Capabilities and Limitations 91
STM and One-time password (OTPs) 92
General Human Capabilities and Limitations 92
CAPTCHA 92
Goals and Tasks 93
Capabilities and Limitations of the Device 93
Human Error 94
Latent Design Conditions 94
Awareness and Education 94
What usability issues do developers face? 96
Developers are not the Enemy! The Need for Usable Security APIs 96
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
12
Metadata Confidentiality 106
Privacy as Control 107
Privacy as Transparency 107
Privacy Technologies 107
Privacy Engineering 108
Privacy Evaluation 109
Conclusions 109
Module 6: Malware & Attack Technologiesv 110
Introduction 111
Malware 111
A Taxonomy of Malware 111
Malware Taxonomy: Dimensions 112
Taxonomy: Examples 112
Potentially Unwanted Programs (PUPs) 113
Malicious Activities by Malware 113
The Cyber Kill Chain 114
The Cyber Kill Chain Model 114
Underground Eco-system 115
Action Objectives 115
Malware Analysis 116
Acquiring Malware Data 116
Static Analysis 116
13
Module 7: Adversarial Behaviour 126
Introduction 127
A Characterization of Adversaries 127
Interpersonal Offenders 128
Cyber-enabled Organized Criminals 128
Cyber-dependent Organized Criminals 128
Hacktivists 129
State Actors 129
The Elements of a Malicious Operation 130
Specialized Services 130
Human Services 131
Payment Methods 131
Models to Understand Malicious Operations 131
Attack Trees : Example of an Attack 132
Cyber Kill Chain 132
Environmental Criminology 133
Attack Attribution 134
Module 8: Security Operations & Incident Management 135
Introduction 136
What is it about? 136
Timeline and Scope 136
Overall MAPE-K loop 137
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
14
Alert Correlation 144
Mitigations and Countermeasures Tools and Techniques 145
Intelligence and Analytics 145
Incident Management Lifecycle 146
Conclusion 146
Module 9: Certification Exam 147
Badge 148
Exam Conditions 148
15
Module 0: NIST -
Cybersecurity for Small
Business
Cybersecurity for Small Business
More
NIST Interagency Report 7621, revision 1
Small Business Information Security: The Fundamentals
Section 1: Background: What is Information Security and Cybersecurity?
https://doi.org/10.6028/NIST.IR.7621r1
17
Cybersecurity Objectives
IALITY More
ENT
NIST Special
ID Publication 800-
CO NF 12, revision 1
INT An Introduction to
EG R
ITY Information
Security section
1.4
B ILITY
VAILA
A
Confidentiality
21
Example:
Criminal steals customers’
usernames, passwords, or
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
18
Integrity
Example:
Someone alters payroll
information or a proposed
product design.
INT
EG R
ITY
Availability
Example:
ILITY
ILAB
AVA
19
Small Business, Big Impact
Why put your already limited resources into preparing for and protecting against
cybersecurity attacks?
20
Cybersecurity Threats
• Phishing Attacks
• Ransomware
• Hacking
• Imposter Scams
• Environmental events
Phishing Attacks
Example:
An email about a delayed shipment causes you to click a link and download malware to your network
Ransomware
• Type of software with malicious intent and a threat to harm your data
• The author or distributor requires a ransom to undo the damage
• No guarantee the ransom payment will work
• Ransom often needs to be paid in cryptocurrency
Example:
WannaCry was one of the most devastating ransomware attacks in history, affecting several hundred
thousand machines and crippling banks, law enforcement agencies, and other infrastructure.
21
Hacking
Example:
Newspaper kiosk’s point-of-sale system was hacked; malware installed. Every customer’s credit card
information was sent to criminals.
Imposter Scams
• Someone “official” calls or emails to report a crisis situation
• They represent the IRS, a bank, the lottery or technical support
• There will be a sense of urgency and a dire penalty or loss if you don’t act
Example:
IRS scams – You receive a phone call claiming to be the IRS, reporting you owe money and need to pay
or else get hit with a fine.
Environmental Threats
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
• Natural threats such as fire, earthquake, flood can cause harm to computers or disrupt business
access
• Recovery efforts attract scams such as financial fraud
• Downtime can lose customers, clients who can’t wait
Example:
Ellicott City flooding wiped out businesses and their computers.
22
Elements of Risk
Impact of an Incident
23
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
To practice cybersecurity risk management, you can start with these steps:
24
1. Identify Your Business Assets
List the types of information, processes, important people and technology your business relies upon.
25
Identify the assets values on the worksheet.
• Pick an asset value scale that works for you Asset Value of the Assets
(e.g., low, medium, high or a numerical range
like 1-5) Patient health
High, due to regulations
information
Processing patient
High
claims to insurance
Receiving payments
from insurance and High
patients
• This impact may differ from the asset value determined in step 2
• Pick an impact value scale that works for you (e.g., low, medium, high)
• Consider if any business processes have manual backup methods
Impact of loss / Damage
Asset Value of the Assets
to the Assets
26
4. Identify Likelihood of Loss or Damage to the Asset
Patient health information High, due to regulations High Hackers, ransomware Medium
27
Risk Matrix
Likelihood
Prioritize
Prioritize Asset
Asset Protection
Protection
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Patient health
High, due to regulations High Hackers, ransomware Medium High
information
3rd party email provider Medium Medium Phising, malware Medium Medium
28
NIST Cybersecurity Framework
More
Framework for Improving Critical Infrastructure Cybersecurity version 1.1
29
Cybersecurity Framework
Functions
Learning Objectives
framework
Function
Identify
Respond
Recover
31
An Excerpt from the Framework Core
Identify
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
32
Sample Identify Activities
Business Asset
Environment Management • Identify critical business processes
[ID.BE] [ID.AM] • Document Information flows
• Establish policies for cybersecurity that
includes roles and responsibilities
• Maintain hardware and software inventory
Risk • Identify contracts with external partners
Governance • Identify Risk Management processes
Assessment
[ID.GV]
[ID.RA]
Protect
33
Sample Protect Activities
Information
Protection
Maintenance
Processes and • Manage access to assets and information
[PR.MA] Procedures • Conduct regular backups
Awareness [PR.IP]
and Training • Protect sensitive data
Identity [PR.AT] • Patch operating systems and applications
Management and Data • Create response and recovery plans
Access Control Security
[PR.IP]
• Protect your network
[PR.DS]
Protective • Train your employees
Technology
[PR.PT]
Detect
34
Sample Detect Activities
Anomalies
and Events
[DE.AE] • Install and update anti-virus and other
malware detection software
• Know what are expected data flows for your
business
• Maintain and monitor logs
Continuous
Monitoring
[DE.CM]
Respond
Develop and implement the appropriate activities
35
Sample Respond Activities
Response
Planning
[RS.RP]
• Coordinate with internal and external
stakeholders
• Ensure response plans are tested
• Ensure response plans are updated
Communications
[RS.CO]
Recover
36
Sample Recover Activities
Recovery
Planning • Manage public relations and company
[RC.RP] reputation
• Communicate with internal and external
stakeholders
• Ensure recovery plans are updated
• Consider cyber insurance
Communications
[RC.CO]
Framework
Information
37
Everyday Tips
• Be careful of email attachments, web links and voice calls from unknown numbers
• Do not click on a link or open an attachment that you were not expecting
• Use separate personal and business computers, mobile devices, and accounts
• Use multi-factor authentication where offered
• Do not download software from an unknown web page
• Never give out your username or password
• Consider using a password management application to store your passwords for you
More
NIST Interagency Report 7621, revision 1
Small Business Information Security:The Fundamentals, section 4
Resources
NIST Small Business Cybersecurity Corner
https://www.nist.gov/itl/smallbusinesscyber
NIST Interagency Report 7621, revision 1 | Small Business Information Security: The Fundamentals
https://doi.org/10.6028/NIST.IR.7621r1
38
Module 1: CyBOK – Cyber
Security Fundamentals
Cyber Security Definition
• Cyber security has become an encompassing term, as our working definition illustrates:
• Definition: Cyber security refers to the protection of information systems (hardware, software
and associated infrastructure), the data on them, and the services they provide, from unauthorized
access, harm or misuse. This includes harm caused intentionally by the operator of the system, or
accidentally, as a result of failing to follow security procedures
• A large contributor to the notion of cyber security is Information Security, widely regarded as
comprised of three main elements:
• Definition: Information security. Preservation of confidentiality, integrity and availability of
information. In addition, other properties, such as authenticity, accountability, non-repudiation,
and reliability can also be involved
40
CyBOK Knowledge Areas
Human Factors
• Usable security, social & behavioral factors impacting security, security culture and awareness as
well as the impact of security controls on user behaviors
Adversarial Behaviors
• The motivations, behaviors, & methods used by attackers, including malware supply chains, attack
vectors, and money transfers
Forensics
• The collection, analysis, & reporting of digital evidence in support of incidents or criminal events
41
Systems Security.
Cryptography
• Core primitives of cryptography as presently practiced & emerging algorithms, techniques for
analysis of these, and the protocols that use them
Software Security
• Known categories of programming errors resulting in security bugs, & techniques for avoiding these
errors—both through coding practice and improved language design—and tools, techniques, and
methods for detection of such errors in existing systems
42
Infrastructure Security.
Network Security
• Security aspects of networking & telecommunication protocols, including the security of routing,
network security elements, and specific cryptographic protocols used for network security
Hardware Security
• Security in the design, implementation, & deployment of general-purpose and specialist hardware,
including trusted computing technologies and sources of randomness
• Cyber security is often expressed in terms of instituting several controls affecting people, process,
and technology
• Some of these will focus on the prevention of bad outcomes, whereas others are better
approached through det
• Security requires an analysis of vulnerabilities within the system under consideration:
• A (hypothetical) system without vulnerabilities would be impervious to all threats; a highly
vulnerable system placed in totally benign circumstances (no threats) would have no security
incidents, either
43
Failures and Incidents.
• When adversaries achieve their goal (wholly or partially)—when attacks succeed—the collection of
security controls may be said to have failed
• A recurrent theme in security analysis is that it is not sufficient to dene good security controls solely
within a particular abstraction or frame of reference: it is necessary also to consider what may
happen if an adversary chooses to ignore that abstraction or frame
• Mathematical theories of refinement (and software development contracts) explore the relationship
of an ‘abstract’ expression of an algorithm and a more ‘concrete’ version which is implemented: but
security properties proven of the one may not be true of the other
• ‘Black-box testing’ relies on the same notion and, since it cannot possibly test every input, may
easily miss the combination of circumstances which — by accident or design — destroys the
security of the program
• These — and an endless array of other — security problems arise because it is necessary to think
(and design systems) using abstractions
Risks.
• There is no limit in principle to the amount of effort or money that might be expended on security
controls
• In order to balance these with the available resources and the harms and opportunities that might
arise from emerging threats to security, a common over-arching approach to security analysis is a
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
44
Functions Within A Security Management System
• The functions within a security management system can be grouped into Physical, Personnel,
Information Systems and Incident Management and are a mixture of standard IT system management
functions and those that are specific to cyber security
• Physical security includes physical protection of the system, including access control, asset
management and the handling and protection of data storage media. These aspects are outside
the scope of the CyBOK
• Personnel security is concerned with a wide range of security usability and behavior shaping,
including education and training (see the Human Factors Knowledge Area
• Information system management includes access management (see the Authentication,
Authorization & Accountability (AAA) Knowledge Area and system logging
• Incident management functions are specific to cyber security and include security monitoring,
incident detection and response
Principles
Saltzer and Schroeder Principles. The eight principles they enumerate are as follows:
1. Economy of mechanism. The design of security controls should remain as simple as possible, to
ensure high assurance
2. Fail-safe defaults. Security controls need to dene and enable operations that can positively be
45
NIST Principles.
• More contemporary principles in systems design are enumerated by NIST. They incorporate and
extend the principles from Saltzer and Schroeder
• They are categorized into three broad families relating to:
• ‘Security Architecture and Design’ (i.e., organization, structure and interfaces)
• ‘Security Capability and Intrinsic Behaviors' (i.e., what the protections are about)
• ‘Life Cycle Security’ (i.e., those related to process and management)
• The key point to note is that we can no longer just consider information loss as a potential
consequence of cyber security breaches — but must also consider safety implications
46
Crosscutting Themes
Security Economics.
• Verification and validation of software systems entails testing — for consistency, uniform/predicted
behavior, and conformance to specifications
• The Bell-LaPadula model provides an abstract model of the rules determining whether a subject
with a certain security clearance should have a particular kind of access to an object with a given
security classification
• The aim of this model is to prevent data declassification; later work generalized this to methods
for preventing certain information flows
• Other access control models have been proposed to achieve other properties, such as integrity (e.g.,
the Biba model, or the Clark-Wilson model)
• Formal methods enable key security properties to be expressed and proven in the formal model
47
Approaches to Formal Modeling. There are two principal approaches to formal modelling:
Computational Modelling:
• This approach is close to the real system:
• It is a formal methodology at a more fundamental mathematical level, where messages are
bitstrings, cryptographic functions are defined as functions on bitstrings, system participants are
generally interactive Turing machines, and security parameters give asymptotic metrics to this
methodology:
• The length of keys, complexity of algorithms or measure of probabilities
• Vary with the security parameter
Symbolic Modelling:
• This approach is more abstract than the computational approach, and has been applied in a variety
of flavors to the modelling and analysis of security protocols
• Sequences of interactions between agents to achieve a security goal such as authentication or
key-exchange
• Logic-based approaches such as the BAN logic
• Language-based approaches such as Applied Pi
• Verification using the computational modelling approaches have been more mathematical in
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
nature, though tools such as CryptoVerif and EasyCrypt have now been developed to support
computational proofs
• The symbolic and computational approaches may be used together:
• An attack in a symbolic model will typically give rise to an attack in the computational model, so
it is valuable to carry out a symbolic analysis of a system first in order to check for and design out
any identified attacks
• Once a symbolic model is verified, then some additional is needed to establish security in the
computational model
• This can either be carried out directly, or through the application of general techniques such as
computational soundness which give conditions for symbolic results to apply to the computational
model
48
Security Architecture and Lifecycle
49
Cyberspace
Cyberspace is best understood as a ‘place’ in which business is conducted, human communications take
place, art is made and enjoyed, relationships are formed and developed, and so on.
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
50
Module 2: Risk Management
& Governance
Topics Covered in this Lesson
• What is risk?
• Why is risk assessment and management important?
• What is cyber risk assessment and management?
• Risk governance
• What is risk governance and why is it essential?
• The human factor and risk communication
• Security culture and awareness
• Enacting Security Policy
What is Risk?
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
• Renn’s working definition of risk is the possibility the human actions or events lead to consequences
that have an impact on what hs value.
• uman
• Grounded in human value, which applies to many different scenarios
• How to define value and capture indicators to measure and manage risk?
52
A key challenge with risk assessment and management is making assumptions explicit and finding the
balance between subjective risk perceptions and objective evidence
• Risk assessment is, therefore, a process of collating observations and perceptions of the world that
can be justified by logical reasoning or comparisons with actual outcomes
• Risk management, on the other hand, is the process of developing and evaluating options to address
the risks in a manner that is agreeable to people whose values may be impacted, bearing in mind
agreement on how to address risk may involve a spectrum of (in)tolerance – from acceptance to
rejection
• Risk Governance is an overarching set of ongoing processes and principles that aims to ensure
an awareness and education of the risks faced when certain actions occur, and to instill a sense of
responsibility and accountability to all involved in managing it
The risk management process involves reviewing the information collected as part of the risk
assessment, and leads to one of (3) three possible decisions:
1. Intolerable: The aspect of the system at risk needs to be abandoned or replaced, or if not possible,
vulnerabilities need to be reduced and exposure limited.
2. Tolerable: Risks have been reduced with reasonable and appropriate methods to a level as low as
reasonably possible (ALARP) or as low as reasonably allowable (ALARA).
A range of choices may include mitigating, sharing, or transferring risk, selection of which will depend
on the risk managers’ (and more general company) appetite for taking risks.
3. Acceptable: Risk reduction is not necessary and can proceed without intervention. Furthermore,
risk can also be used to pursue opportunities (also known as ‘upside risk’), thus the outcome may be
to accept and embrace the risk rather than reduce it
53
Beyond this decision framework, Renn defines four types of risk that require different risk management
plans. These include:
1. Routine risks: These follow a normal decision-making process for management. Statistics and
relevant data are provided, desirable outcomes and limits of acceptability are defined, and risk
reduction measures are implemented and enforced
2. Complex risks: Where risks are less clear cut, there may be a need to include a broader of evidence
and consider a comparative approach such as cost-benefit analysis or cost-effectiveness. Scientific
dissent such as drug treatment effects or climate change are examples of this
3. Uncertain risks: A precautionary approach should be taken with a continual and managed approach
to system development whereby negative side effects can be contained and rolled-back. Resilience
to uncertain outcomes is key here
4. Ambiguous risks: Where broader stakeholders, such as operational staff or civil society, interpret
risk differently (e.g., different viewpoints exist or lack of agreement on management controls), risk
management needs to address the causes for the differing views
ambiguities).
• Without effective consideration of the acceptability of risk and an appropriate risk reduction plan,
it is likely that the response to adverse outcomes will be disorganized, ineffective, and likely lead to
further spreading of undesirable outcomes
• The purpose of risk assessment and management is to communicate these values and ensure
decisions are taken to minimize the risks to an agreed set of values by managing them appropriately
while maximizing ‘buy in’ to the risk management process
• Risk assessment and management is also about presenting information in a transparent,
understandable, and easily interpreted way to different audiences, so that accountable stakeholders
are aware of the risks, how they are being managed, who is responsible for managing them, and are
in agreement on what is the acceptable limit of risk exposure
54
One of the major drivers for risk assessment and management is to demonstrate compliance.
This can be a result of the need:
• To have audited compliance approval from international standards bodies in order to gain commercial
contracts;
• To comply with legal or regulatory demands
• To improve the marketability of a company through perceived improvements in public trust if
certification is obtained
Risk Governance
Risk assessment and developing mitigation principles to manage risk are only likely to be
1. Technocratic: Where policy is directly informed by science and evidence from domain
expertise
2. Decisionistic: Where risk evaluation and policy are developed using inputs beyond science
alone. For instance, incorporating social and economic drivers
3. Transparent (inclusive): Where the context for risk assessment is considered from the outset
with input from science, politics, economics, and civil society. This develops a model of ‘pre-
assessment’ – that includes the views of wider stakeholders – that shapes risk assessment
and subsequent management policy
55
Four (4) elements influence the perception of risk:
This highlights that risk cannot be mitigated with technology alone, and that concern assessment is
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
•
important
• Educating people within an organization is vital to ensuring cultural adoption of the principles
defined in the risk management plan and associated security governance policy.
• People fail to follow the required security behavior for one of two reasons (Sasse and Flechais):
Weirich and Sasse studied compliance with password rules as an example of compliance with security policy and found
that a lack of compliance was associated with people not believing that they were personally at risk and or that they
would be held accountable for failure to follow security rules.
56
Risk communication, therefore, plays an important role in governance including aspects, such as:
Some questions that may be considered useful pointers for improving security culture:
57
Part of the final risk assessment and management outcomes should be a list of accepted risks with
associated owners who have oversight for the organizational goals and assets underpinning the
processes at risk.
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Figure 2.1: Risk Governance Framework from IRGC - taken from [66]
Human factors and security culture are fundamental to the enactment of the security policy.
People must be enabled to operate in a secure way and not be the subject of a blame culture when things
fail. It is highly likely that there will be security breaches, but the majority of these will not be intentional.
Therefore, the security policy must be reflective and reactive to issues, responding to the Just Culture
agenda and creating a policy of accountability for learning, and using mistakes to refine the security
policy and underpinning processes – not blame and penalize people.
Security education should be a formal part of all employees’ continual professional development.
Principles of risk communication are an important aspect of the human factor in security education.
Frequent communication, tailoring the message to the audience, pretesting the message, and considering
existing risk perceptions that should be part of the planning around security education.
58
Risk Assessment and Management Principles
1. Component-driven risk management, which focuses on technical components, and the threats and
vulnerabilities they face
2. System-driven risk management, which analyses systems as a whole
There are four concepts that are core to a risk assessment in most models.
1. Vulnerability: A Vulnerability is something open to attack or misuse that could lead to an undesirable
outcome
2. Threat: A Threat is an individual, event, or action that has the capability to exploit a vulnerability.
Threats are also socio-technical and could include hackers, disgruntled or poorly trained employees,
poorly designed software, a poorly articulated or understood operational process etc
3. Likelihood: Likelihood represents a measure capturing the degree of possibility that a threat will
exploit a vulnerability, and therefore produce an undesirable outcome affecting the values at the
core of the system
4. Impact: Impact is the result of a threat exploiting a vulnerability, which has a negative effect on the
success of the objectives for which we are assessing the risk
59
Risk Assessment and Management Methods
The US Government NIST guidelines capture the vulnerability, threats, likelihood, and impact elements
inside the prepare (pre-assessment), conduct (appraisal and characterize), communicate (cross-
cutting), and maintain (management) cycle.
Prepare involves identifying the purpose (e.g., establishing a baseline of risk or identifying vulnerabilities,
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
threats, likelihood and impact) and scope (e.g., what parts of a system/organization are to be included in
the risk assessment?; what decisions are the results informing?).
Conduct is the phase where threats, vulnerabilities, likelihood, and impact are identified. There is a
range of ways that this can be conducted, and this will vary depending on the nature of the system
being risk assessed and the results of the prepare stage.
Communicate is one of the most important phases, and one often overlooked. Conducting the risk
assessment gives one the data to be able to inform actions that will improve the security of the system.
Maintain is an ongoing phase that is essential to continually update the risk assessment in the light of
changes to the system environment and configuration.
60
Component-driven Cyber Risk Management Frameworks
• ISO/IEC 27005:2018
• NIST SP800-30/39
• The Information Security Forum (ISF)
• FAIR
• Octave Allegro
• STRIDE
• Attack trees
• Systems-Theoretic Accident Model and Process (STAMP) is an ensemble of methods used for
modelling causation of accidents and hazards, developed at MIT
• The Open Group Architectural Framework (TOGAF) is an enterprise architecture standard that
supports component-driven and system-driven approaches to manage risk
• Dependency Modelling. The Open Group also developed the Open Dependency Modelling (O-
DM) Framework for Goal-oriented risk modelling in a top-down method
• SABSA is another architecture-based approach. It includes four phases
61
Risk Assessment and Management In Cyber-physical Systems and Operational
Technology
• While traditional IT security (e.g., computers, devices, and servers) may generally take a risk
assessment perspective focused on minimizing access (confidentiality), modification (integrity), and
downtime (availability) within components and systems, the world of cyber-physical systems and
Operational Technology (OT) typically has a greater focus on safety.
• Technology such as Supervisory Control and Data Acquisition (SCADA) provides capability to
continually monitor and control OT but must be suitably designed to prevent risks from IT impacting
OT
Security Metrics
• It is often difficult to quantify – with confidence – how secure an organization is or could be
• Qualitative representations such as low, medium, high or red, amber, green are typically used in
the absence of trusted quantitative data, but there is often a concern that such values are subjective
and mean different things to different stakeholders
Bad metrics:
• Are inconsistently measured, usually because they rely on subjective judgments that vary from
person to person
• Cannot be gathered cheaply, as is typical of labor-intensive surveys and one-off spreadsheets
• Do not express results with cardinal numbers and units of measure. Instead, they rely on qualitative
high/medium/low ratings, traffic lights, and letter grades
62
Business Continuity
• An essential part of the risk assessment, management and governance process includes
consideration and planning of the process of managing incidents and rapidly responding to cyber
attacks
• The aim is to understand the impact on the system and minimize it, develop and implement a
remediation plan, and use this understanding to improve defenses to better protect against
successful exploitation of vulnerabilities in future (feedback loop)
• Organizations typically prefer to keep information about cyber security breaches anonymous to
prevent reputational damage and cover up lapses in security
• However, it is likely that other organizations, could benefit from prior knowledge of the incident
that occurred
• Certain industries such as the financial and pharmaceutical sectors have arrangements for sharing
such intelligence
ISO/IEC 27035-1:2016
63
NCSC- ISO/IEC 27035
The NCSC also provides ten (10)steps to help guide the incident management process which, broadly
speaking, relate to the Plan, Detect, Assess, Respond and Learn phases of ISO/IEC 27035. In summary,
the steps include:
Conclusion
• Working definition of the possibility that human actions or events may lead to consequences that have
an impact on what humans' value and placed this in the context of cyber risk management and
governance
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
• Risk governance is the overarching set of ongoing processes and principles that underpin collective
decision-making and encompasses both risk assessment and management, including consideration
of the legal, social, organizational, and economic contexts in which risk is evaluated
• A major aspect of risk is human perception and tolerance of risk and we have framed these in the extant
literature to argue their significance in risk governance aligned with varying types of risk – routine,
complex, uncertain, and ambiguous
• Risk governance is a cyclical and iterative process, and not something that can be performed once
• The crosscutting aspects of communication, stakeholder engagement and context bind the risk
assessment and management processes and are core to the continual reflection and review of risk
governance practices
• Incidents, when they occur, must inform risk management policy to improve cyber security in the future
– and we must accept that we will likely never be completely secure
• Instilling continual professional development through education and Just Culture where lessons can
be learned, and governance methods improved
64
Regulation
Module 3: Law and
65
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Introduction
Challenges
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
66
Response
Out of Scope
Examples:
• Rules of evidence
• Rules of civil procedure
• Rules of criminal procedure
• Criminal content laws
67
Introductory Principles of Law and Legal Research
Basic Principles
Mathematics Law
• Establish, as a logical necessity, undeniability • Using permissible evidence, persuade a
• Establish a truth beyond dispute tribunal of the correctness of a disputed issue
• Some uncertainty is inevitable
68
“Standards” of Proofs
• The first school posited that cyberspace is so radically different from anything in human experience,
that old laws were unsuitable and should be widely inapplicable to actions taken using this new
domain
• The second school held instead that the Internet is, like so many tools developed in human history,
merely an instrument of human action. As such, laws could–and perhaps should–continue to be
applied to persons who use cyberspace in most respects just as they applied before it existed
69
Distinguishing Criminal and Civil Law
• Criminal law
Criminal law is the body of law that prohibits behavior generally abhorred by society.
Terms such as ’guilty’ and ’innocent’ are normally reserved as descriptions of verdicts (outcomes) in a
criminal case.
• Civil (non-criminal) law
Civil law is the area of law that regulates private relationships among and between persons. Examples
include the laws of contract and negligence.
• One Act: Two types of liability & two courts
A single act or series of connected acts can create liability simultaneously under both criminal and civil
law.
Jurisdiction
Multinational Environment
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
70
A Taxonomy of Jurisdiction
Prescriptive Jurisdiction
• Extraterritorial
• Lawmakers routinely adopt laws that apply to people and activities outside the territory of their
state
Enforcement Jurisdiction
71
The Data Sovereignty Problem
Privacy Basics
72
State Interception (Lawful Access)
73
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
74
The “Players”
Data Protection
75
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Data Protection Highlights
Computer Crime
76
Crimes Against Information Systems
Recurring Challenges
The enforcement of and penalties for crimes against information systems
• Lack of universality
• Extradition
• De minimis exceptions and measuring harm
• Warranted state interception
• Research and development by non-state persons
• Uninvited remote technical analysis
• Covert threat analysis
Self-help
Contract
77
Contract as Means to Encourage Security Behaviours
Limits of Influence
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
78
Relative Influence of Contract Over Security Behaviours
In the event of a breach of contract, various remedies provided by courts to non-breaching parties
typically fall into the following categories:
• Damages
• Recision
• Declare that the contract is at an end and excuse the non-breaching party from further
performance
• Specific performance
• Contractually mandated remedies
79
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Tort
80
Tort Examples
Negligence (Fault Based Liability)
81
Quantum of Loss (QQ)
82
Intellectual Property
The complexity of intellectual property law prompted a nineteenth-century US jurist to comment that
this subject is closest to ’the metaphysics of law’.
• Negative rights
• Each IP right is a type of “red card” that says stop doing a defined action.
• Owning IP does not guarantee freedom to act
• Short catalogue
• Copyright
• Patents
• Trademarks
• Trade secrets
Reverse Engineering
83
Internet Intermediaries Shields from Liability and Take-down Procedures
• Basics
• Shields a qualifying person who would otherwise be liable for offending message content
• Originally designed to shield ISPs and telcos
• Increasingly contentious (e.g., US FOSTA-SESTA)
• Ongoing debate re social media and search platforms
• Take-down / blocking
• As a condition of shield protection, some qualifying persons are required to take down offending
content “expeditiously” after notice from complaining person
• Others not subject to take-down notice may be ordered by state (judiciary or executive) to block
or filter traffic
84
Legal Challenges Emerge
85
Public International Law
State Attribution
• Legal standard (substance)
• Act by a state agent
• State encourages or directs act by a non-agent
• Failure to exercise “due diligence”
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Limiting Operations
• Prohibitions
• Violation of sovereignty
• Use of force
• Armed attack
• Counter-measures
• Must be proportional
• Cyber or non-cyber
• Law of armed conflict
• Military necessity
• Humanity
• Distinction
• Proportionality
86
Ethics
Codes of Conduct
87
Vulnerability Testing and Disclosure
88
Module 4: Human Factors
89
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Introduction
• Usable security
• Fitting the task to the human
• Human error
• Cyber security awareness and education
• Positive Security
• Stakeholder engagement
Human Factors
• Less that 0.1 °/o of email is end-to-end encrypted!
• Users are not the Enemy!
• A. Whitten and J. D. Tygar, "Why johnny can't encrypt: A usability evaluation of pgp 5.0." in USENIX
Security Symposium, vol. 348, 1999.
• A. Adams and M. A. Sasse, "Users are not the enemy," Communications of the ACM, vol. 42, no. 12,
pp. 40-46, 1999.
90
Fitting the Task to the Human
Key elements :
There are general capabilities and limitations– physical and mental– that apply to most humans.
• With general computing devices today, the physical capability that can be exceeded by security
tasks is most likely the ability to detect signals: many security systems provide status messages,
reminders, or warnings
• Humans can only focus their attention primarily on one task at any one time
VS.
Compliance Fatigue
91
STM and One-time password (OTPs)
The use of one-time PINs or passwords (OTPs) in security has increased as Two Factor Authentication
(2FA) has become more common.
We focus our attention on the number displayed and repeat it to ourselves (mentally or aloud).
One important security criterion for knowledge-based authentication is that a credential should be
difficult to guess. Due to human physical and mental characteristics, the selection of credentials is,
however, often biased towards the familiar, or those that can be more easily distinguished from others.
1. With passwords, people try to pick ones that are easier to recall, e.g., those that have meaning for
them such as memorable names or dates.
2. When users have to choose images as credentials, they prefer strong colors and shapes over more
diffuse ones.
3. When these are pictures of humans, they will pick pictures of 'more attractive' people and those
from their own ethnic backgrounds.
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
4. When the credential is a particular location within a picture, people prefer features that stand out.
5. With location-based systems, people pick memorable locations, for example, when choosing
locations for a 4-digit PIN on a 5 x 5 number grid, they go for connected locations, anchored on an
edge or corner of the grid
6. The order of the elements of a credential is predictable because there is a strong cultural preference,
e.g., people who speak languages that read left-to-right will choose that order.
7. With finger swipe passwords on Android phones, people pick from a very limited number of shapes
CAPTCHA
Some work on Completely Automated Public Turing test to tell Computers and Humans Aparts (CAPTCHAs)
has investigated supporting users with sensory impairments, e.g.
However, one needs to bear in mind that CAPTCHAs add more effort for the legitimate user, impeding
the achievement Of the intended goal, i.e., access. The usability limitations of these mechanisms that
aim to 'verify' legitimate human users — and their contribution to security fatigue — must be considered.
92
Goals and Tasks
The usability of security mechanisms can be affected by the following physical characteristics:
1. Light: In bright light, displays can be hard to see, which can affect graphical authentication in
particular. Biometric systems such as iris and face recognition rely on input from cameras. Bright
light can lead to glare, which means the images captured are not good enough to process.
2. Noise: Will most obviously interfere with the performance of voice recognition systems. But high
levels of noise also impact human performance in general due to increased stress and, in turn,
increased likelihood of error. Unexpected loud noises trigger a human startle response, which
diverts attention away from the task.
3. Ambient: Temperature can affect the performance of both technology and humans. Fingerprint
sensors can stop working when it is cold, and humans are slower at pointing and selecting. They may
also need to wear protective clothing such as gloves that make physical operations of touchscreens
impossible or difficult. Similarly, too hot an environment can lead to discomfort and sweat can
interfere with sensors.
4. Pollution: Can impact equipment operated outdoors. This is a particularly concern for fingerprint
sensors and touchscreens. The lipids left behind combine with the particles and the resulting dark
grease can clog sensors or leave a clearly visible pattern on the touchscreen.
Entering long and complex passwords on soft keyboards on a mobile phone takes far longer and is more
error-prone than on a regular keyboard. And while with frequent use of a keyboard, most people can
become quite proficient at entering a complex password, performance does not improve when humans
hit a basic limitation.
What is particularly worrying from a security point of view is that (without colluding) a user population
starts to converge on a small number of passwords that are easiest to enter with the minimum amount
of toggles, which makes guessing a valid password easier for attackers.
93
Human Error
Four types of latent failures that are more likely to cause people to make errors.
1. Individual factors include fatigue, but also inexperience, and a risk-taking attitude.
2. Human Factors include the limitations of memory but also common habits and widely shared
assumptions.
3. Task factors include time pressure, high workload, and multiple tasks, but monotony and boredom
are equally error-inducing because people shift their attention to diversions. Uncertainty about
roles, responsibilities, and rules also leads to incorrect choices.
4. Work environment factors include interruptions to tasks and poor equipment and information.
People are also particularly prone to error when rules and procedures change.
Security Awareness. The purpose of security awareness is to catch people's attention and convince them
security is worth the engagement.
Security education.
Security Training. Training helps people to acquire skills, e.g., how to use a particular security mechanism
correctly, and how to recognize and respond to a social engineering attack.
94
Simulations and games are increasingly being used, both to make security awareness more attractive, and to
help with more complex educational measures and behavioral change.
Anti-phishing simulations designed to teach employees not to click on suspicious links are probably the most
widely used in organizations today.
https:// behaviormodel.org
95
What usability issues do developers face?
N. Patnaik, J. Hallet and A. Rashid, “Usability smell: an analysis of developers’ struggle with crypto libraries”, in
Fifteenth Symposium on Usable Privacy and Security (SOUPS), Santa Clara, USA, USENIX Association, 2019.
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Developers are not the Enemy! The Need for Usable Security APIs
Principies for Usability of Crypto APls
• Abstract: lntegrate cryptographic functionality into standard APls so regular developers do not
have to interact with cryptographic APls in the first place
• Powerful: Sufficiently powerful to satisfy both security and non-security requirements
• Comprehensible: Easy to learn, even without cryptographic expertise
• Ergonomic: Don't break the developer's paradigm. lntuitive: Easy to use, even without documentation
• Failing: Hard to misuse. Incorrect use should lead to visible errors
• Safe: Defaults should be safe and never ambiguous
• Testable: Testing mode. lf developers need to run tests they can reduce the security for convenience
• Readable: Easy to read and maintain code that uses it/Updatability
• Explained: Assist with/handle end-user interaction, and provide error messages where possible
Matthew Green and Matthew Smith IEEE Security & Privacy 14(5), Sept.-Oct. 2016.
96
Usability Smells: An Analysis of Developers’ Struggle With Crypto Libraries
97
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
98
Rights
Module 5: Privacy & Online
Introduction
• The goal of this knowledge area is to introduce system designers to the concepts and technologies
that are used to engineer systems that inherently protect users’ privacy
• Privacy is recognized as a fundamental human right
• “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence,
nor to attacks upon his honor and reputation”
Overview
• Privacy as Confidentiality
• Data Confidentiality
• Metadata Confidentiality
• Privacy as Control
• Support for privacy settings configuration
• Support for privacy policy negotiation
• Support for privacy policy interpretability
• Privacy as Transparency
• Feedback-based transparency
• Audit-based transparency
• Privacy Technologies and Democratic Values
• Privacy technologies as support for democratic political systems
Privacy as Confidentiality
In a technical re-interpretation of the ‘right to be let alone’ privacy definition, a common conceptualization
of privacy is to avoid making personal information accessible to any entity, in particular to a wider public.
Under this definition, the objective of privacy technologies is to enable the use of services while
minimizing the amount of exposed information. Here, information refers to both data exchanged
explicitly with the service, as well as information made implicitly available in the Metadata associated
with these exchanges (e.g., the identity of the users or frequency of usage).
99
What is the problem?
• Data Sharing
• Filling out a Health questionnaire at the doctor’s office
• Revealing the location and time of your awesome house party to your close friends
• Contextual: the same information in another setting may be privacy leak
• Likely aware of the extent and parties involved
• Data Collection
• As a consequence of activity or interaction
• Browsing at a coffee shop
• MAC address recorded for profile
building on store visits
• DNS information about website visits
• Paid for coffee or snacks (name and
financial information)
• Likely unaware or uninformed about extent or
parties involved
What is privacy?
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
• About People
• Identifying information leading to a natural person
• Linking people to their
• beliefs,
• circumstances,
• associations,
• behaviours,
• and more
100
Defining Privacy
• More articulations:
• “Information self-determination”
• “the right to be let alone”
• “the freedom from unreasonable constraints on the construction of one’s own identity”
Privacy as…
• Transparency
• Control
• Confidentiality
Privacy as Transparency
• Inform
• what is collected and
• Privacy policies
• Transparency reports
Privacy as Control
• Control
• If data can be used/shared
• What kind of access is granted
• What kind of processing can be done
• Consent forms
101
Limits of Control and Transparency
Privacy as Confidentiality
• Hiding your information
• Encryption
• Secret key needed
• Obfuscation
• No cryptographic secrets
• Know where to look and how to undo the obfuscation
• Meta-data
• Timing, message lengths, IP addresses
• Device/application fingerprints
• Two variants
• Local: noise is added before it is added to the database.
• Global: noise is added to the answer of the query and there is a DB request handler that mediates
between the query requestor and the database
• Contrast the case where the database is sanitized and then published publicly, as before
102
Privacy as Confidentiality
Data Confidentiality
• Cryptography-based access control
• Protecting data in transit
• Protection of data during processing
• Verification in the encrypted domain
• Private computation-input verification
• Private authentication
• Private payments
• Obfuscation-based inference control
• Anonymization
• Generalization
• Suppression
• Perturbation
• We would like to keep our data private (not shared) but also use it to do useful computations in
collaboration with others
103
• Obfuscation-based inference control
Anonymization:
A common technique used to permit data processing without risk for individuals is data anonymization.
Anonymisation, as its name indicates, seeks to decouple identity from information
104
• Obfuscation-based inference control
Dummyaddition:
This technique consists in adding fake data points, so-called dummies, to the data made available to the
adversary in order to hide which are the real samples.
The idea is that, as the adversary considers fake points when running the attack, her inference will have
errors.
105
Metadata Confidentiality
There are three types of metadata that have been demonstrated to be extremely vulnerable to privacy
attacks: traffic metadata, associated to the communication infrastructure; device metadata, associated
with the platform generating the data, and location metadata, associated with the physical location
from which data is generated.
Traffic Metadata.
Network-layer information, such as the identities of the participants in the communication (IP
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
addresses), the amount and timing of the data transferred, or the duration of the connection, is
accessible to observers even if communications are encrypted or obfuscated. This information,
commonly known as traffic data, can be exploited to deduce potentially sensitive private information
about the communication.
Device Metadata.
In today’s optimized Internet services, the concrete characteristics of users’ devices are frequently
sent along with their data requests in order to optimize the service providers’ responses. Even if users
are anonymous on the network layer, these characteristics may become a quasi-identifier that enables
service providers to track users across the web.
Location metadata.
Finally, a user’s geographical location revealed to online services can be used to infer sensitive
information. This information can be revealed explicitly, for example, when the user makes queries to
location-based services to find nearby points of interest or friends; or implicitly, for example, when GPS
coordinates are associated with photos or content published on social networks, or inferred from the
access point used to access the Internet.
106
Privacy as Control
Privacy as Transparency
As opposed to technologies that limit data disclosure or the use of disclosed data, transparency
Feedback-based transparency.
Audit-based transparency.
Privacy Technologies
Privacy protection is crucial for underpinning the values that support our democratic societies.
Two examples that highlight the importance of privacy technologies in supporting democracy
107
Privacy Engineering
The growing privacy concerns in society have made the concept of ‘privacy by design’ very popular
among policy makers.
This concept advocates for the design and development of systems that integrate privacy values to
address users’ concerns.
The two primary goals when designing privacy-preserving systems are to:
• Minimize trust
• Minimize risk
To minimize both trust and risk, privacy experts typically design systems in accordance with the
following strategies:
• Minimise Collection: Whenever possible, limit the capture and storage of data in the system
• Minimise Disclosure: Whenever possible, constrain the flow of information to parties other
than the entity to whom the data relates. This refers both to direct flows between senders and
receivers and to indirect flows, e.g., use of control techniques to limit the information available
when publishing or querying a dataset
• Minimize Replication: Whenever possible, limit the number of entities where data are stored or
processed in the clear
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
• Minimize Centralization: Whenever possible, avoid a single point of failure regarding the privacy
properties in the system
• Minimize Linkability: Whenever possible, limit the capability of the adversary to link data
• Minimize Retention: Whenever possible, limit the amount of time information is stored
108
• Use privacy-preserving cryptographic protocols:
Process data locally to obtain inputs to a protocol in which, by interacting with the untrusted
entities using one of the protocols introduced in the previous sections, the user can obtain or prove
information while limiting the information made available to those entities.
• Obfuscate the data:
Use techniques to control inference to process the data locally and only send the perturbed version
to the untrusted entity.
• Anonymize the data:
Process the data locally to remove identifiable information and send it to the untrusted party via an
anonymous channel.
Privacy Evaluation
This evaluation has the goal of quantifying the level of privacy that the technology, and respectively the
system, can provide.
For privacy technologies based on cryptographic primitives, the privacy evaluation typically covers the
cryptographic proofs that ensure that only the intended information is leaked by the operations.
On the contrary, for privacy techniques based on obfuscation, it is necessary to carry out an analysis to
validate that the combination of techniques provides the desired level of privacy.
Protecting privacy is not limited to guaranteeing the confidentiality of information. It also requires
means to help users understand the extent to which their information is available online, and mechanisms
to enable users to exercise control over this information.
Preserving privacy and online rights is not only important for individuals, it is essential to support
democratic societies.
The deployment of privacy technologies is key to allow users free access to content, and freedom of
speech.
109
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
110
Technologies
Module 6: Malware & Attack
Introduction
• A taxonomy of Malware
• Malicious Activities by Malware
• Malware Analysis
• Analysis Environments
• Identifying the Analysis Environments
• Anti-Analysis and Evasion Techniques
• Malware Detection
• Malware Response
Malware
Malware is short for ‘malicious software, that is,
any program that performs malicious activities.
We use the terms malware and malicious code
interchangeably.
111
Malware Taxonomy: Dimensions
• (4) Auto-Spreading?
• Does it spread automatically, or does the Email
infection happen through user actions?
(e.g., emails)
• (5) Dynamically Updates?
• Static (one-time) vs dynamically updated
• (6) Coordinated?
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Taxonomy: Examples
112
Potentially Unwanted Programs (PUPs)
A potentially unwanted program (PUP) is typically a piece of code that is part of a useful program
downloaded by a user.
For example, when a user downloads the free version of a mobile game app, it may include adware, a
form of PUP that displays ad banners on the game window.
Often, the adware also collects user data (such as geo-location, time spent on the game, friends, etc.)
without the user’s knowledge and consent, in order to serve more targeted ads to the user to improve
the effectiveness of the advertising.
PUPs are in a grey area because, while the download agreement often contains information on these
questionable behaviors, most users tend not to read the finer details and thus fail to understand exactly
what they are downloading.
Confidentiality: It can steal valuable data, e.g., user’s authentication information, and financial and
health data.
Integrity: It can inject falsified information (e.g., send spam and phish emails, create fraudulent clicks,
etc.) or modify data.
Availability: It can send traffic as part of a distributed denial-of-service (DDoS) attack, use up a large
amount of computing resources (e.g., to mine cryptocurrencies), or encrypt valuable data and demand
a ransom payment.
113
The Cyber Kill Chain
Action on objectives
114
Underground Eco-system
• Organized Cyber-crime
• Support full malware lifecycle
• Development
• Deployment
• Operations
• Monetization
• Specialized roles
• Plausible deniability
• More effective malware
Action Objectives
• Toolkits
• Easy-to-use automated tools (e.g., keyloggers)
Campaigns
115
Malware Analysis
Benefits include:
• Understand intended malicious activities
• Useful to attribution
• Understand and predict trends/scope of
malware attacks
• E.g., researchers
• Threat Intelligence Exchange
• Legal/Ethical Responsibilities
• Avoid damage
• Share responsibly
Static Analysis
• Examine malware code without executing it Program Analysis
• Binary code
• Intermediate code (e.g., bytecode)
• Source code
• Pros
• Better coverage of behaviors
• Safe
• Limitations
• Overestimates behaviors
• Weak to obfuscation
116
• Monitors runtime behavior of malware
execution to identify malicious behaviors
• Typically, from a stack layer lower than the
malware itself
• Pros
• You see actual behavior
• (Relatively) language-independent
• Limitations
• Underestimates behavior (coverage,
triggers)
• Safety and Live-Environment
117
Analysis Environments
Internet?
• Dedicated environment for Dynamic Analysis
Live C&C?
• Results/Cost Trade-Off.
• Cost
• Analysis Time
• Manual Human Effort
• Other aspects:
• Safety
• Live-environment
Common Environments
• Machine Emulator
• Code-based architecture emulation
• Type 2 Hypervisor
Ease of Use
• Runs in host OS, provides v service for hardware
• Type 1 Hypervisor
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
118
Safety and Live-Environments
• Safety Internet?
Live C&C?
• The malware may do malicious actions. Can
we allow it?
• Also legal implications
• Virtualized network environments
• Live-environment
• Does the malware exhibit intended
malicious behaviors?
• Network connectivity
• Real users on the machine
• C&C/update servers online
119
Malware Detection
The process of locating a malicious program residing within a host involves identifying clues that are indicative
of the malware’s presence on a computer system. We call these clues ‘indicators of compromise’, and they are
the ‘features’ or ‘artifacts’ of malware.
120
Detection of Malware Attacks
• Network-based monitoring
• Network events
• Domain names
Prevent infection
• Temporal activities or detect it
during execution
• Host-based monitoring
• File system
• Processes Example: Ransomware
• System Calls Anomalous encryption
operations
For ransomware detection, the main approaches include monitoring host activities involved in
encryption. If there is a process of making a large number of significant modifications to a large number
of files, this is indicative of a ransomware attack [82]. The ‘significant’ modifications reflect the fact that
encrypting a file will result in its contents changing drastically from its original contents.
Bots of the same botnet are controlled by the same attacker and perform coordinated malicious
activities.
• Machine Learning
• Static and Dynamic Features
• Build Models from Data
• Distinguish Benign from Malicious Objects
121
ML-based Malware Detection
• ML Limitations:
• Challenging Feature Engineering
• Adversarial attacks
• Costly labeling for malware Deep Learning: poor
explainability
• Mimicry Attack
• Evasion
• Robust optimization
• Recreate normal behavior (e.g., sequence • Forget learning of old
of system calls) samples (against
• Polymorphic blending attack of network
poisoning)
traffic
• Targeted noise injection
• Poisoning: “garbage in, garbage out”
122
Concept Drift
• Solutions:
• Active Learning
• Online Learning
Malware Response
• Remove the malware and recover the data and services from secure backups
• Update corresponding Firewall and Network intrusion detection system rules, to prevent and
detect future attacks.
• Attempt to take down malware command-and-control (C&C) infrastructure
123
Disrupt Malware Operations
Attribution
• Law Enforcement wants to identify actual
malicious actors
124
• Identify malware authors
• Identifying the virtual attacker is an important first step toward this goal. An attacker may
have consistent coding styles, reuse the same resources or infrastructures, or use similar C&C
practices
Authors can also evade attribution by intentionally planting ‘false flags’ in malware.
Domain registration information, WHOIS, is a strong signal for attack attribution. The same attacker
often uses a fake name, address, and company information following a pattern.
Malware interrogation helps recover more C&C domains used by the fallback mechanism, which offers
Conclusion
• Attackers use malware to carry out malicious activities on their behalf
• Different layers of system stack
• Possibly support infrastructure
• Botnets
• Wants to avoid detection and attribution
• Detecting analysis environment
• Obfuscation
125
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
126
Behaviour
Module 7: Adversarial
Introduction
The Internet has created multiple opportunities for adversaries to cause harm.
A Characterization of Adversaries
Our characterization is based on the motivation of offenders and is driven by case studies analyzed by
researchers over the past years.
Cyber-enabled crimes
Crimes that existed before the Internet, but that were increased in reach and scale by it (e.g., fraud).
127
Interpersonal Offenders
Cyberbullying - Sending or posting harmful material or engaging in other forms of social aggression
using the Internet or other digital technologies.
Doxing - An attack where the victim's private information is publicly released online.
Sextortion - Luring victims to perform sexual acts in front of a camera and threatening to release it
unless a ransom is paid.
Child predation - Criminals find their victims through chat rooms, social media, or online gaming
platforms.
Advance fee fraud — The victim is promised a reward (financial or otherwise), but in order to obtain it
has to first pay a small fee to the fraudster. After the payment takes place, the victim often does not hear
from the scammer again. Losses can amount to 240k USD.
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Drug dealing — Thanks to anonymizing technologies such as Tor and cryptocurrencies, online
marketplaces have emerged where drug users can purchase illicit substances and have them delivered
directly to their homes.
Email spam — Unsolicited bulk email has been at the forefront of very successful criminal operations,
who have managed to monetize the sale of counterfeit goods and pharmaceuticals by reaching billions
of potential customers through malicious messages.
Phishing. A particular type of spam is phishing, where criminals send emails that pretend to be from
genuine services (e.g., online banking, social network websites)
Financial malware — Criminals aim to install malware on their victims' computers and steal financial
credentials such as credit card numbers and online banking usernames and passwords.
Click fraud. Web advertisements are the main way the Web is monetized.
128
Unauthorized cryptocurrency mining. With the increasing popularity of cryptocurrencies, a new
opportunity has opened up for criminals: using infected computers to mine currency.
Ransomware. The newest trend in malware is Ransomware. As part of this operation, criminals infect
their victim systems with malware which encrypts the user’s personal files (e.g., documents) and sends
the encryption key to the criminal, who then asks for a ransom in exchange for giving the user access to
their data again.
Denial of service. A feature that all Internet-connected devices have is network connectivity. A criminal
can leverage the bandwidth of an infected device to perform a Distributed Denial of Service (DDoS)
attack against a target.
Hacktivists
We define the act of computer crime motivated by a political goal as hacktivism.
Denial of service — Launching denial of service attacks against organizations that go against certain
political views (e.g., Anonymous)
Data leaks — E release of stolen documents into the public domain, for example, to raise awareness
about secret surveillance programs by governments
State Actors
In the past few years, we have observed an escalation in the use of computer attacks by state actors to
achieve their goals.
Sabotage — Attacks (e.g., malware) are launched to sabotage the critical infrastructure of a country.
Espionage — Sophisticated malware is used to infiltrate organizations and steal sensitive data.
Disinformation. In the past two years, evidence has emerged that state-sponsored actors have been
involved in spreading disinformation on social media. This has been done through troll accounts that
acted to polarize online discussion on sensitive topics.
129
The Elements of a Malicious Operation
To ensure that the criminals' needs are met in this scenario, in recent years we have witnessed a
specialization in the cybercriminal ecosystem, where different actors specialize in a specific elements
required for the operation to succeed.
The miscreants then trade these services with each other on the black market.
Affiliate programmes — A scheme where main organization provides a 'brand' and all the means
required to carry out orders, shipments, and payments.
• Malicious attachments
• Blackhat Search Engine Optimization
• Drive-by download attacks
Compromising of Internet-connected devices. (IoT)
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Specialized Services
Services that help criminals set up their operations
Exploit kits — Tools that collect a large number of vulnerabilities and are sold on the black market for
other criminals to use.
Customers can point their victims towards it by compromising websites or using malicious
advertisements.
Pay-per-install services (PPI) — PPI operators are proficient in setting up a botnet and having it run
properly. Other criminals can then pay the PPI operator to install malware on the infected computers
on their behalf.
130
Human Services
Payment Methods
As criminals need to have money transferred to them, they can use a number of different payment
methods, each carrying a different level of risk and being more or less familiar to the victims.
131
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
132
Cyber Kill Chain
Attack Trees : Example of an Attack
Environmental Criminology
Situational crime prevention comprises a set of theories and techniques that aim to reduce crime by
reducing the opportunities for crime.
1. Increase the effort of crime. Mitigations here include deploying firewalls and setting up automated
updates for software installed on computers.
2. Increase the risk of crime. Mitigations here include reducing payment anonymity (e.g., requesting
an ID when someone cashes money from Western Union).
3. Reduce rewards. Mitigations here include blocking suspicious payments or parcels or penalizing
malicious search results.
4. Reduce provocations. Examples here include applying peer pressure to rogue ISPs and banks.
5. Remove excuses. Typical mitigations in this category include running education campaigns or setting
up automated redirects to divert victims who would have viewed malicious content, explaining to
them what happened, and urging them to secure their systems.
133
Crime scripting.
Another useful technique that can aid the analysis of malicious activities on the Internet from the field of
criminology is crime scripting
Attack Attribution
Law enforcement is interested in understanding what criminals are behind a certain operation, and
in particular, attributing apparently unrelated cybercriminal operations to the same actors could help
build a legal case against them.
In a similar fashion, governments are interested in identifying the culprits behind the attacks that they
receive. In particular, they are interested in finding which nation-states (i.e., countries) are behind these
attacks.
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
134
Management
Module 8: Security
Operations & Incident
135
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Introduction
• Fundamental concepts
• Monitor: Data sources
• Analyze: Analysis methods
• Plan: Security information and event management
• Execute: Mitigation and countermeasures
• Knowledge: Intelligence and analytics
• Human factors: Incident management
What is it about?
• Information systems are targets of attacks
• Resources
• Information
136
Overall MAPE-K loop
137
Deployment of SOIM Technologies
• Sensors and log feeds deployed to collect traces and detect malicious behaviour
138
Intrusion Detection and Prevention Systems
139
Network Data Sources: Possible Detections
• Network packets
• Carriers of attacks (e.g. malware in payload)
• Symptoms of compromise (e.g. connection to Command & Control infrastructure)
• Network aggregates
• Deviations in traffic patterns (ports, conversations, volume)
• Network infrastructure
• Use of the Domain Name System (DNS) for command and control
• Manipulation of the routing infrastructure to reroute traffic or hide malicious activity
•
• Complicated parsing
140
Syslog
Analysis of Traces
• Objective: Generate incidents from alerts and events
• Intrusion detection sensors
• Deployed in the field
• Collect event information
• Produce alerts
• Analysis techniques
• Misuse detection
• Anomaly detection
141
From Event to Incident
Misuse Detection
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
142
Anomaly Detection
143
Data Collection in SIEMs
• Definition of
• Schema: structure and semantic of messages
• Encoding: transformation of message in bit string
• Transport protocol
Alert Correlation
• Objectives
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
144
Mitigations and Countermeasures Tools and Techniques
145
Incident Management Lifecycle
Conclusion
146
Exam
Module 9: Certification
147
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Badge
https://www.credly.com/org/certiprof/badge/cyber-security-foundation-professional-certificate-
csfpc
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM
Exam Conditions
• Multiple choice
• 40 questions
• 32 marks required to pass – 80%
• 60 minutes duration
• Closed book
You will have two attempts within 180 calendar days after you receive your initial welcome email to pass
the test at no cost.
148
www.certiprof.com
149
CYBER SECURITY FOUNDATION PROFESSIONAL CERTIFICATE CSFPC TM