Cyber Security Lecture 2

AutonomousTroll2348

13 Questions

What is the primary goal of information security?

All of the above

Define 'Vulnerability' in the context of cyber security.

Characteristic of, or weakness in, a system, that could result in harm to an asset if acted on by a threat.

Threat incidents occur when threats and vulnerabilities coincide.

True

______ is preventing unauthorised disclosure of information.

Confidentiality

Match the following threat actors with their motivations:

  • Cyber criminals = Money
  • Hacktivist = Support for a cause
  • Nation-state attackers = Political reasons
  • Malicious insider = Money or desire to disrupt

Give an example of a natural threat event.

Earthquake, Flood, Storm, etc.

What was the dividend payment error mentioned in the article?

Instead of 1000 won per share, the dividend issued was equal to the value of 1000 shares per share.

What information is needed to protect information assets according to the summary?

All of the above

What are vulnerabilities in the context of cyber security?

Characteristics of weaknesses in a system that could cause harm to information assets.

Which of the following is considered as part of 'Property' when it comes to vulnerabilities in cyber security?

All of the above

Is it important to consider the location and maintenance of physical assets to mitigate vulnerabilities?

True

What is the term used by ACSC to define 'The methods used to manipulate people into carrying out specific actions, or divulging information'?

social engineering

Match the following aspects with their considerations in cyber security vulnerabilities:

  • Access control and privilege management = Keys, ID cards, passwords
  • Backup of files and systems = Recovery after disaster, storage locations
  • Checks and balances = Processes to detect, correct, or reduce errors

Study Notes

Introduction to Cyber Security

  • Information is an important asset for individuals and organizations, and is stored, transmitted, processed, and displayed in various formats.
  • Information security is about protecting information assets from damage or harm.
  • Cyber security is about protecting the confidentiality, integrity, and availability of digital systems, devices, and the information residing on them.

Fundamental Concepts in Cyber/Info Sec

  • Confidentiality: preventing unauthorized disclosure of information.
  • Integrity: preventing unauthorized modification or destruction of information.
  • Availability: ensuring resources are accessible when required by an authorized entity.

Threats and Vulnerabilities

  • Threat: any circumstance or event with the potential to cause harm to an asset by compromising security goals.
  • Vulnerability: a characteristic of, or weakness in, a system that could result in harm to an asset if acted on by a threat.
  • Security incident: occurs when threats and vulnerabilities coincide.
  • Attack: when vulnerabilities are deliberately exploited.

Threat Actors and Motivations

  • External threat actors: cybercriminals, hacktivists, nation-state attackers, and script kiddies.
  • Internal threat actors: careless or negligent workers, and malicious insiders.
  • Threat actors' motivations: money, ideology, politics, thrill-seeking, and bragging rights.

Threat Sources

  • External threats: from outside an organization or system, requiring physical and/or logical access to cause harm.
  • Internal threats: from within an organization or system, potentially misusing systems or exceeding authorization.

Threat Types

  • Natural events: earthquakes, fires, floods, storms, tornadoes, tidal waves, extreme temperatures, and vermin.
  • Human action: accidental (no intent to cause harm) and deliberate (intended to cause harm).

Natural Events

  • Examples: storms in Victoria, Australia (February 2024), Cyclone Gabrielle in New Zealand (February 2023), earthquakes in Turkiye and Syria (February 2023), Brisbane floods (February 2022), and Australian bushfires (December 2019 - January 2020).
  • Natural events can compromise the availability of information assets.

Human Action - Accidental

  • Examples: accidental damage to equipment, change management errors, configuration errors, lost property, misdirecting messages, operational errors, and programming errors.
  • Human action can compromise any security goal, depending on the action and asset involved.

Human Action - Deliberate

  • Examples: eavesdropping, espionage, extortion, fraud, industrial action, malicious code, sabotage, social engineering, theft, and vandalism.
  • Deliberate human action can compromise all security goals, depending on the actions taken and the asset involved.

Malware

  • Malicious software deliberately designed to breach the security of digital information systems.
  • Examples: viruses, worms, and Trojan horses.
  • Malware can compromise confidentiality, integrity, and availability of information assets.

Emerging Technologies and the Threat Landscape

  • Emerging technologies result in changes to the threat landscape.

Summary

  • Many threats to information assets and systems exist.
  • To protect information assets, it is essential to understand the context: what is the information asset, where is it located, and what state is the information in?
  • Understanding possible threats and potential consequences is crucial for protecting information assets.

Vulnerabilities in Information Systems

  • A vulnerability is a characteristic or weakness in a system that could cause harm to information assets if acted on by a threat.
  • Vulnerabilities exist in all components of an information system, including:
    • Property (physical assets, hardware, software, and data)
    • People (employees, contractors, and others with access to the system)
    • Procedures (operational and management processes)

Property Vulnerabilities

  • Physical assets:
    • Location and accessibility (e.g., natural disaster-prone areas, proximity to flammable materials, and ease of access for outsiders)
    • Maintenance and monitoring (e.g., perimeter protection, CCTV, and logging access)
    • Environmental conditions (e.g., temperature, humidity, and power supply)
  • ICT hardware and software:
    • Reliability and robustness (e.g., susceptibility to environmental conditions and supporting infrastructure)
    • Redundancy and fail-safes (e.g., uninterruptible power supply and backup systems)
    • Source and legitimacy of software (e.g., authorized vendors, updates, and patches)
    • Configuration and misconfiguration (e.g., default settings and changes to settings)

People Vulnerabilities

  • Lack of awareness and training:
    • Social engineering (e.g., phishing, scams, and manipulation)
    • Recruiting and hiring failures (e.g., inadequate background checks and vetting)
    • Inadequate training and awareness of staff regarding threats and policies
  • Employee access and privileges:
    • Key personnel and critical roles
    • Unavailability or uncooperativeness of employees
    • Undocumented procedures and lack of backup

Process Vulnerabilities

  • Access control and privilege management:
    • Processes for managing access and privileges
    • Use of keys, ID cards, passwords, and other authentication methods
  • Backup and recovery:
    • Frequency and timing of backups
    • Storage and encryption of backups
    • Business continuity plans and disaster recovery
  • Communications:
    • Acceptable use policies for communication systems
    • Processes for sending and receiving sensitive information (e.g., passwords and PINs)
  • Checks and balances:
    • Detection and correction of errors
    • Separation of duties and nondisclosure agreements
  • Software management:
    • Application whitelisting and auditing
    • Processes for joining and leaving the organization

Importance of Understanding Vulnerabilities

  • To protect information assets, it's essential to understand:
    • What the asset is, where it is, and its value
    • Possible threats and vulnerabilities
    • Likelihood of threats and vulnerabilities coinciding
    • Potential consequences of a threat or vulnerability being exploited

This quiz covers threats to information and systems, including the importance of information security and cyber security in protecting assets from damage or harm.
