Cyber Security Lecture 2

Study Notes

Information is an important asset for individuals and organizations, and is stored, transmitted, processed, and displayed in various formats.
Information security is about protecting information assets from damage or harm.
Cyber security is about protecting the confidentiality, integrity, and availability of digital systems, devices, and the information residing on them.

Confidentiality: preventing unauthorized disclosure of information.
Integrity: preventing unauthorized modification or destruction of information.
Availability: ensuring resources are accessible when required by an authorized entity.

Threat: any circumstance or event with the potential to cause harm to an asset by compromising security goals.
Vulnerability: a characteristic of, or weakness in, a system that could result in harm to an asset if acted on by a threat.
Security incident: occurs when threats and vulnerabilities coincide.
Attack: when vulnerabilities are deliberately exploited.

External threat actors: cybercriminals, hacktivists, nation-state attackers, and script kiddies.
Internal threat actors: careless or negligent workers, and malicious insiders.
Threat actors' motivations: money, ideology, political, thrill-seeking, and bragging rights.

External threats: from outside an organization or system, requiring physical and/or logical access to cause harm.
Internal threats: from within an organization or system, potentially misusing systems or exceeding authorization.

Natural events: earthquakes, fires, floods, storms, tornadoes, tidal waves, extreme temperatures, and vermin.
Human action: accidental (no intent to cause harm) and deliberate (intended to cause harm).

Examples: storms in Victoria, Australia (February 2024), Cyclone Gabrielle in New Zealand (February 2023), earthquakes in Turkiye and Syria (February 2023), Brisbane floods (February 2022), and Australian bushfires (December 2019 - January 2020).
Natural events can compromise the availability of information assets.

Examples: accidental damage to equipment, change management errors, configuration errors, lost property, misdirecting messages, operational errors, and programming errors.
Human action can compromise any security goal, depending on the action and asset involved.

Examples: eavesdropping, espionage, extortion, fraud, industrial action, malicious code, sabotage, social engineering, theft, and vandalism.
Deliberate human action can compromise all security goals, depending on the actions taken and the asset involved.

Malicious software deliberately designed to breach security of digital information systems.
Examples: viruses, worms, and Trojan horses.
Malware can compromise confidentiality, integrity, and availability of information assets.

Many threats to information assets and systems exist.
To protect information assets, it is essential to understand the context: what is the information asset, where is it located, and what state is the information in?
Understanding possible threats and potential consequences is crucial for protecting information assets.

A vulnerability is a characteristic or weakness in a system that could cause harm to information assets if acted on by a threat.
Vulnerabilities exist in all components of an information system, including:
- Property (physical assets, hardware, software, and data)
- People (employees, contractors, and others with access to the system)
- Procedures (operational and management processes)

Physical assets:
- Location and accessibility (e.g., natural disaster-prone areas, proximity to flammable materials, and ease of access for outsiders)
- Maintenance and monitoring (e.g., perimeter protection, CCTV, and logging access)
- Environmental conditions (e.g., temperature, humidity, and power supply)
ICT hardware and software:
- Reliability and robustness (e.g., susceptibility to environmental conditions and supporting infrastructure)
- Redundancy and fail-safes (e.g., uninterruptible power supply and backup systems)
- Source and legitimacy of software (e.g., authorized vendors, updates, and patches)
- Configuration and misconfiguration (e.g., default settings and changes to settings)

Lack of awareness and training:
- Social engineering (e.g., phishing, scams, and manipulation)
- Recruiting and hiring failures (e.g., inadequate background checks and vetting)
- Inadequate training and awareness of staff regarding threats and policies
Employee access and privileges:
- Key personnel and critical roles
- Unavailability or uncooperativeness of employees
- Undocumented procedures and lack of backup

Access control and privilege management:
- Processes for managing access and privileges
- Use of keys, ID cards, passwords, and other authentication methods
Backup and recovery:
- Frequency and timing of backups
- Storage and encryption of backups
- Business continuity plans and disaster recovery
Communications:
- Acceptable use policies for communication systems
- Processes for sending and receiving sensitive information (e.g., passwords and PINs)
Checks and balances:
- Detection and correction of errors
- Separation of duties and nondisclosure agreements
Software management:
- Application whitelisting and auditing
- Processes for joining and leaving the organization

To protect information assets, it's essential to understand:
- What the asset is, where it is, and its value
- Possible threats and vulnerabilities
- Likelihood of threats and vulnerabilities coinciding
- Potential consequences of a threat or vulnerability being exploited