Foundations of Information Security

This file is meant for personal use by chandrakakumanu85@gmail.com only.


Sharing or publishing the contents in part or full is liable for legal action.
Agenda

✔ CIA triad
✔ Overview of cyber space
✔ Risk management
✔ Motives behind attacks
✔ Need for security
✔ Attack surface management
✔ Security - A team sport

CIA Triad

• Confidentiality
• Integrity
• Availability

Confidentiality

• Ensure the secrecy of data, objects or resources.

• Only the authorized entity can access or read the data, objects
or resources.

• If confidentiality is compromised, disclosure happens.


Confidentiality

Facebook Security Breach exposes accounts of nearly 50 million users

Integrity

• Protects the reliability & correctness of data.

• Only the authorized entity can alter the data, objects &
resources.

• If integrity is compromised, alteration happens.


Integrity

Alert (A22-057A)

▪ Destructive malware targeting organizations in Ukraine


Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable.

• On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine.

• According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable.

• On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine.

• According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure.

Availability

• Ensures that authorized subjects are granted timely and uninterrupted access to data and systems.

• Data, objects and resources are available to authorized subjects.

• If availability is compromised, it can result in destruction/denial.

Availability

Amazon Web Services Outage Affects Netflix, Reddit, And More Websites

Availability

Global outage with 6 hours of WhatsApp, Facebook, Instagram down

Overview of Cyber Space

The beginning of The Internet

Tim Berners-Lee, a British scientist, invented the World Wide Web (WWW) in 1989, while working at CERN. The web was originally conceived and developed to meet the demand for automated information-sharing between scientists in universities and institutes around the world.

Cyber Space 2022

• The image represents the internet backbone.

• The Internet backbone may be defined by the principal data routes between large,
strategically interconnected computer networks and core routers of the Internet.

• According to an internet report, 278.1 exabytes were transmitted per month in 2022.

Cyber Space 2022

• Cyberspace is a concept describing a widespread interconnected digital technology.

Cyber Space (components shown in the diagram):
• Data Centers
• Global Cloud Infra
• Global CERT Team
• Space Satellites
• Critical Infrastructure

Cyber Space 2022

• Online Rights
• Data Privacy
• Cyber Security

Emergency Response Teams
A computer emergency response team (CERT) is a group of cyber security experts responsible for handling
computer security incidents. Alternative names for such groups include computer emergency readiness
team and computer security incident response team (CSIRT). A more modern representation of the CSIRT
acronym is Cyber Security Incident Response Team.

CERT teams of a few countries


Risk Management

Introduction to Risk Management

Threats

Risk

Vulnerabilities

Threats
External factors that threaten the CIA of data

Vulnerability
A weakness in the system

Defining Risk

Risk
The potential for damage when a threat exploits a vulnerability.


Risk = Threat x Vulnerability

Examples of Risks

• Ransomware
• Cyberattacks
• Data leaks
• Insider threats
• Phishing
• Malware

Risk Analysis

Risk Level = Probability X Impact

• Probability: How likely is the threat to materialize?

• Impact: What kind of damage can it do if the threat materializes?

Types of Risk

Compliance Risk
• Regulatory requirements
• Theft/Crime, Dispute Risk
• Breach report compliance

Cyber Risk
• Information Security
• Data Privacy/Protection
• Cybersecurity

Strategic Risk
• Service Delivery Risk
• Mergers and Acquisition Risk
• Intellectual Property Risk

Legal Risks
• Jurisdiction of Law
• Terms and Conditions of a contract
• Intellectual Property Risk

Third Party Risk
• Cybersecurity
• Compliance
• Operational Risk

Concentration Risk
• Supplier Concentration
• Industry Concentration
• Geographic Concentration
• Operational Risk

Defining Risk Management

Risk Management is the process of identifying, analyzing, assessing, mitigating or transferring risk.

Risk is the effect of uncertainty on objectives.

The possibility of damage or harm and the likelihood that damage or harm will be realized.

Risk Management Framework

• Leadership & Commitment
• Integration
• Design
• Implementation
• Evaluation
• Improvement

Risk Management

Risk Assessment
• Identify & valuate assets
• Identify threats & vulnerabilities

Risk Analysis
• Qualitative
• Quantitative

Risk Mitigation / Response
• Reduce / Avoid
• Transfer
• Accept / Reject

Ongoing Risk Monitoring
• Continuous Risk Monitoring

Qualitative Analysis

• Subjective in nature
• Uses words like “High”, “Medium”, “Low” to describe the probability of the threat.

Risk matrix axes: Probability (Likelihood) and Impact (Consequence)

Quantitative Analysis
• Experience in Risk analysis is required.

• Involves calculating risk in numerical values.

• Assigns a dollar value with each risk event.

• Business Decisions are made on this type of analysis.



• While doing a cost/benefit analysis, this is a must.

Generic Risk Model with Key Risk Factors

Threat Source → (initiates) → Threat Event → (exploits) → Vulnerability → (causing) → Adverse Impact → (producing) → Organizational Risk

4 ways of Risk Treatment

• Accept
• Transfer
• Avoid
• Mitigate

Residual Risk

• Refers to the risk remaining after all other known threats have been treated.

Risk Register

• Risk register is a log of historic and newly identified risks.


• Contains risk metadata about all the risks related to an organization.
• Also contains information about the severity of each of the risks.
• Focal point of evidence that the organization is actively managing the risks.
• Can be stored as
– Excel Spreadsheet
– Database
– Governance risk and compliance tools
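
The scoring, treatment and register slides above, combined in one added example (not part of the original deck): a small in-memory risk register that applies Risk Level = Probability x Impact before and after treatment and lists the entries that still need a decision. The 1-3 numeric scale, the Low/Medium/High band thresholds, the RiskEntry fields, the review_queue rule and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

SCALE = {"Low": 1, "Medium": 2, "High": 3}   # assumed ordinal values for the qualitative words

class Treatment(Enum):                        # the four treatments listed in the deck
    ACCEPT = "Accept"
    TRANSFER = "Transfer"
    AVOID = "Avoid"
    MITIGATE = "Mitigate"

def risk_level(probability: str, impact: str) -> int:
    """Risk Level = Probability x Impact, on the assumed 1-3 scale (range 1..9)."""
    return SCALE[probability] * SCALE[impact]

def band(score: int) -> str:
    """Assumed banding of the 3x3 matrix: 1-2 Low, 3-4 Medium, 6-9 High."""
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

@dataclass
class RiskEntry:
    risk_id: str
    threat: str
    vulnerability: str
    probability: str
    impact: str
    treatment: Optional[Treatment] = None
    residual_probability: Optional[str] = None   # estimate after treatment
    residual_impact: Optional[str] = None

    def inherent(self) -> int:
        return risk_level(self.probability, self.impact)

    def residual(self) -> int:
        # Untreated or accepted risks keep their inherent level.
        if self.treatment in (None, Treatment.ACCEPT):
            return self.inherent()
        return risk_level(self.residual_probability or self.probability,
                          self.residual_impact or self.impact)

def review_queue(register: List[RiskEntry]) -> List[RiskEntry]:
    """Entries needing a decision: untreated above Low, or still High and not accepted."""
    def flagged(e: RiskEntry) -> bool:
        level = band(e.residual())
        if e.treatment is None:
            return level != "Low"
        return level == "High" and e.treatment is not Treatment.ACCEPT
    return sorted((e for e in register if flagged(e)),
                  key=lambda e: (-e.residual(), e.risk_id))

# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    RiskEntry("R1", "Ransomware", "Unpatched file server", "High", "High",
              Treatment.MITIGATE, residual_probability="Low"),
    RiskEntry("R2", "Phishing", "No awareness training", "High", "Medium"),
    RiskEntry("R3", "Data leak", "Vendor with broad data access", "Medium", "High",
              Treatment.TRANSFER),
    RiskEntry("R4", "Insider threat", "Shared admin account", "Low", "Medium",
              Treatment.ACCEPT),
]

if __name__ == "__main__":
    for e in review_queue(REGISTER):
        print(e.risk_id, e.threat, band(e.inherent()), "->", band(e.residual()))
```

R1 drops from High to Medium once its probability is reduced, while R3 stays in the queue because a transfer with no recorded residual estimate leaves its level unchanged.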

Sources of Information for Risk Register

Sources feeding the Risk Register:
• Security Incident
• Internal Audit
• Threat Intelligence
• Vulnerability Assessment
• Industry Development
• Risk Assessment
• New Laws and Regulations

Types of Cyber Attacks

10 most common Cyber Attacks

• Ransomware
• DoS & DDOS
• Phishing
• Man in the Middle Attack
• Cross Site Scripting
• SQL Injection
• DNS Tunneling
• Drive by Attack
• Cryptojacking
• IoT Based Attacks

More on these in module 2

Cyber Crime

• Any act against the law in which a computer, communication device or computer network is used to commit or facilitate the commission of a cyber crime.
• US Department of State Diplomatic Security Service has issued a reward of 10 Million for information on Russian GRU officers and hackers.
• The hackers have been named in a poster created about this.

Cyber Crime Product      Price (in USD)
SMS Spoofing             20/Month
Phishing Kit             20-200
Custom Spyware           200
Hacker-on-Hire           200+
Zero-Day in iOS          250,000

Cyber Crime

• Computer crime happens when
– Computer is a target;
– Computer is a tool for the crime.
• Examples:
– Committing fraud
– Illegal trafficking
– DDOS as a service
– Identity theft
– Privacy violation

6.9 Billion USD Lost in Cybercrimes in 2021 (Source: FBI)

Cyber Crime - National concern

Motives behind attacks

Motives behind attacks

• Financial gain
• Organized crime
• Hacktivism
• Extortion
• Competitive advantage
Profile of a Hacker

People behind attacks
• A black hat hacker
• A call center providing “Crime as a Service”

Hacker Profile
• > 90% male
• > 80% under 30
• started at young age
• well educated
• do NOT come from low socio-economical background

Motivation of a Hacker
I analyze people (…), In the end, human hacking works the same way that computer hacking works. You always look for vulnerabilities, (…) and try to exploit them.

Never underestimate the role of ego, challenge and thrill-seeking in cybercrime.

• Challenge
• Espionage
• Money

Hacking Techniques

“Amateurs hack systems, professionals hack people” – Bruce Schneier

Misdirection
• They hack you while telling you that you have been hacked.

Sympathy
• They gain your sympathy by showing an angelic face.

Authority
• Use an authority face / name / brand / logo

Building defenses

There are only 2 types of companies
• Companies that have been hacked.
• Companies that will be attacked.

Awareness is the key!
• Team, I don’t care.
• It won’t hit us.
• We are too small or not interesting enough.

Need for Security

What is an Attack Surface?

Total possible entry points for an attacker to compromise a company:


• Third Party Vendors
• Cloud Presence
• Autonomous System Numbers (ASN)
• Web Servers
• Web Frameworks (PHP, Apache etc.)
• IP Address
• Domains
• NetFlow
• SSL Certificates
• Internet Ports
• WHOIS Records

Monitoring the Attack Surface

• An organization would get a Risk Score based on the findings in the attack surface monitoring tool.
• The score is analogous to the credit score that an individual has.
• The higher the score, the better the security of the organization.
• Monitoring your own score and that of your vendors is critical for a safe security posture.

Security - A Team Sport

Collaboration is the Key

Summary

In this session, we discussed:

✔ CIA Triad - The DNA of cyber security
✔ Primary task of security professionals is to reduce the risks to the enterprise
✔ Risk management and treatment
✔ Cyber space & cyber crime
✔ Motives behind attacks
✔ Attack surface management
✔ Security being a team sport.