Curtin University Fundamental Concepts of Data Security Review for Exam PDF
Uploaded by RapidCarnelian6727
2025
Curtin University
Summary
This Curtin University document is a review of fundamental concepts of data security for a Wednesday, 22 January 2025, 1:30pm-4:40pm exam. Topics covered include security systems, information systems, security management, and basic security concepts.
Full Transcript
SMU Classification: Restricted

Fundamental Concepts of Data Security: Review for Exam

COMMONWEALTH OF AUSTRALIA, Copyright Regulation 1969. WARNING: This material has been copied and communicated to you by or on behalf of Curtin University of Technology pursuant to Part VB of the Copyright Act 1968 (the Act). The material in this communication may be subject to copyright under the Act. Any further copying or communication of this material by you may be the subject of copyright protection under the Act. Do not remove this notice.

Major Topics
✦ Security systems (AIC)
✦ Security controls
✦ Risk assessment and change management
✦ Business impact analysis, disaster recovery planning and testing, incident response
✦ Data backup, data masking and data erasure
✦ Ethics

Security Systems
✦ Security triad: Availability, Integrity, Confidentiality
✦ Security management responsibilities
✦ Security requirements: Availability, Integrity, Confidentiality
✦ Addressing general security goals: Availability, Integrity, Confidentiality

Information Systems (more than computer hardware)
Six components:
- Data: database records, files, documents...
- Software: applications, operating systems...
- Hardware: servers, UPS, USB devices...
- Network: cables, routers, LANs, WiFi...
- People/Users: administrators, normal users...
- Procedures: security policies, continuity

Security Management: Top-down and Bottom-up Approaches
Top-down:
- The initiation, support and direction come from top management, work their way through middle management, and then reach staff members
- More aligned with the organization's long-term strategic goals
- More likely to be effective because of management support
- May not address short-term issues
Bottom-up:
- Security program developed without proper management support and direction
- Ad hoc, focused on short-term issues
- Not aligned with strategic goals, lacks support from top management, difficult in large organisations, likely ineffective

Security Management Approaches (diagram)

Security Management Concepts
- Policies: management's security directives
- Standards: specific steps or processes required to meet requirements
- Baselines: minimum level of security; can refer to security standards
- Guidelines: recommended controls that can be enabled (optional)
- Procedures: step-by-step instructions on how it will all be done

Basic Security Concepts
- Vulnerability: weakness in any component of an information system
- Threat: a possible scenario in which some threat agent exploits a vulnerability and causes damage to a system
- Risk: measure of the likelihood and impact of a threat
- Countermeasure: safeguard to prevent or mitigate risk
- Incident: some damage has occurred

Basic Security Concepts: Vulnerability and Threat
Vulnerability: a software, hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment. It characterizes the absence or weakness of a safeguard that could be exploited. E.g. a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.
Threat: any potential danger to information or systems. A threat is the possibility that someone (a person or a piece of software) would identify and exploit the vulnerability. The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g. a threat agent could be an intruder accessing the network through a port on the firewall.

Basic Security Concepts: Risk, Countermeasure and Incident
Risk: the likelihood of a threat agent taking advantage of a vulnerability, and the corresponding business impact. Reducing the vulnerability and/or the threat reduces the risk. E.g. if a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.
Countermeasure: an application, a software configuration, hardware or a procedure that mitigates the risk. E.g. strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
Incident: a security incident is an event that could indicate that an organization's systems or data have been compromised or that

The Relation Between the Security Elements
Example: if a company has antivirus software but does not keep the virus signatures up to date, this is a vulnerability. The company is vulnerable to virus attacks. The threat is that a virus will show up in the environment and disrupt productivity. The likelihood of a virus showing up in the environment and causing damage is the risk. If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.

Basic Security Concepts: Subject, Object, Trust
- Subject: users, systems or applications requiring access to information, services or assets
- Object: resources (information, services or assets) to which the subjects would like to have access
- Trust: provides a measure of reliability and truthfulness; access and privileges are assigned based on the level of "trust" associated with a subject

Security System Principles
- Effective security programs are shaped by the organization's short- and long-term objectives
- All effective programs are based on the CIA triad: Confidentiality, Integrity, Availability

Confidentiality Principle
- Confidentiality: the secrecy of the data is maintained at all times, both for data at rest and for data in transit
- Examples of attacks on confidentiality: packet sniffing; social engineering; password cracking

Addressing Confidentiality
- Data classification
- Access control
- Password policy
- Education and training
- Encryption, hashing

Integrity Principle
- Integrity: accuracy and reliability of information; prevent unauthorised and improper modifications
- Can be compromised by malicious intent or by accident

Addressing Integrity
- Data classification and access controls
- Logging and auditing
- Separation of duties
- Security education and training
- Error detection and correction, e.g. checksums
- Digital signatures and certificates

Availability Principle
- Availability: adequate functionality, predictable manner, acceptable performance, recovery from disruption
- Three causes of availability problems: software, hardware, unexpected circumstances

Addressing Availability
- Fault-tolerant hardware
- Redundancy and backup
- Bandwidth/infrastructure provision
- Monitoring, detection and filtering
- Security education and training
- Business continuity plans

Refer: IBM Security, Cost of a Data Breach Report 2022

Security Systems
✦ Security models
✦ Security policy vs security models
✦ Bell-LaPadula (confidentiality): no write down, no read up, read+write only at the same level
✦ Biba (integrity): no write up, no read down, service request rule
✦ Clark-Wilson (integrity): authorized/unauthorized users + data consistency
✦ Virtualization and cloud computing
✦ Virtualization: pros and cons
✦ Cloud computing types: public, private, community, hybrid
✦ Cloud computing services: PaaS, IaaS, SaaS
✦ Cloud computing issues

Security Policy vs Security Model
| Feature | Security Policy | Security Model |
|---|---|---|
| Definition | A set of rules and guidelines that an organization follows to protect its assets | A framework for designing and implementing security controls to enforce security policies |
| Purpose | To outline what is expected of employees, contractors and others who interact with the organization's information systems | To describe how the organization will use technology and other resources to protect its assets |
| Audience | Senior management, security professionals and all employees | Security professionals and technical staff |
| Enforcement | Enforced by security personnel | Implemented through a variety of security controls |

Security Model
Security policy vs. security model: what is a security model, and how does it differ from a security policy? A security model specifies the conditions that must be in place to properly support and implement a policy. Security is effective if it is built into the operating system and the applications rather than added on; the security model provides a detailed set of instructions on how the software needs to be developed to support a chosen set of security policies.

Security Models
- Map the abstract goals of the policy (what) to information system terms by specifying the explicit data structures and techniques (how) necessary to enforce the security policy
- Typical elements in a security model: subjects, objects, states/conditions, access methods

Bell-LaPadula Model
- Security goal addressed: confidentiality
- Developed by the US government with the aim of securing computer systems handling classified information
- Bell-LaPadula provides multilevel security based on a mathematical model that formally describes a state machine and the associated access conditions
- Multilevel security allows for users with varying levels of security clearance, where the trust level determines the rules applied in the processing

Bell-LaPadula Model: Rules
- The Bell-LaPadula model uses a lattice of security levels: a subject has a clearance level, an object has a classification level
- Rule 1: no read up. A subject at a given security level cannot read data that resides at a higher security level
- Rule 2: no write down. A subject at a given security level cannot write information to a lower security level
- Rule 3: for a subject to be able to both read and write an object, the clearance and the classification must be equal

Bell-LaPadula Model: Examples
- A military system: a low-level soldier may only be able to read classified information that is at the SECRET level or lower. A high-level general may be able to read classified information that is at the TOP SECRET level or lower.
- A medical system: a doctor may be able to read the medical records of their patients. However, a receptionist may not be able to read the medical records of any patients.
- A financial system: a bank teller may be able to access the bank account information of their customers. However, a customer service representative may not be able to access the bank account information of any customers.

Biba Model
- The Biba model is similar to the Bell-LaPadula model and is aimed at handling the integrity of data within applications
- The aim of integrity-based models is to prevent unauthorised access and illegal modifications and to maintain consistency
- Unlike the Bell-LaPadula model, it uses a lattice of integrity levels
- Rule 1: no write up. A subject cannot write data to an object at a higher integrity level
- Rule 2: no read down. A subject cannot read data from an object at a lower integrity level
- Rule 3: service request rule. A subject cannot request service from (invoke) subjects of higher integrity
- Valid for users, applications and processes

Biba Model: Use Cases
- Banks: banks need to make sure their records are always right to meet regulations and protect their clients and themselves.
- Hospitals: doctors and nurses need accurate medical records and must ensure no one tampers with them in order to protect their patients.
- Government offices: these places hold a lot of important information that needs to stay correct. Protecting military data and government records is a matter of national security.
- Online stores: websites need to keep track of what they are selling, how much things cost, and who is buying what.

Clark-Wilson Model
- Three goals of integrity models: (1) prevent unauthorized users from making modifications; (2) prevent authorized users from making improper modifications (separation of duties); (3) maintain internal and external consistency
- Biba only addresses the first goal; Clark-Wilson addresses all three
- An integrity model that establishes a security framework for use in commercial activities, such as the banking industry. Five elements:
  - Users: active agents
  - Transformation procedures (TPs): programmed abstract operations, such as read, write and modify; they maintain the integrity of CDIs
  - Constrained data items (CDIs): data inside the control area; can be manipulated only by TPs
  - Unconstrained data items (UDIs): data outside the control area, such as input data; can be manipulated by users through primitive read and write operations
  - Integrity verification procedures (IVPs): check ...

Clark-Wilson Model: Examples
- Financial systems: protect the integrity of financial data, such as bank account information and credit card numbers.
- Healthcare systems: protect the integrity of medical data, such as patient records and medical images.
- E-commerce systems: protect the integrity of e-commerce data, such as customer information and order details.
- Supply chain management systems: protect the integrity of supply chain data, such as inventory levels and shipping information.
- Government systems: protect the integrity of ...

Security Models: Comparison
| Model | Objective | Field of application | Advantage | Disadvantage |
|---|---|---|---|---|
| Bell-LaPadula | Confidentiality | Military | Strict security classification | Does not consider integrity |
| Biba | Integrity | Versatility | Simplicity and possibility of combination | Does not consider confidentiality |
| Clark-Wilson | Integrity | Business | Access flexibility | Does not consider integrity |

Question
A financial institution is planning to develop an information system in order to provide online banking services to its customers via desktop computers and mobile devices. Describe three (3) integrity requirements of the information system to be developed. Your examples must collectively cover all aspects of integrity.

Answer
This question is about interpreting A/I/C concepts in a given scenario. Think about the other security goals (A, I) and come up with other examples. For integrity, you are expected to cover: preventing unauthorized modification, preventing improper modification, and ensuring consistency/reliability of information. Examples:
- Requirement 1: only the authorised customer or an authorised supervisor in the bank can perform transactions or update the account (prevents unauthorised modification)
- Requirement 2: the Internet banking software must verify each action to prevent accidental and improper modifications to the account by the account holders or the supervisor (prevents improper modifications by authorised users)
- Requirement 3: the information presented to the customer must be reliable and accurate and reflect the exact transactions
- Requirement 4: the system must ensure internal and external consistency, e.g. amounts sent and received must be equal (well-formed transactions)

Data Backup
✦ Infrastructure: local, server, enterprise, SAN
✦ Types: full, incremental, differential
✦ What to back up
✦ Backup rotation
✦ Issues

Local Backup
- Takes more media
- Users may have to be relied on to do their own backups
- Less bandwidth taken
- HDD, tape, CD, DVD, etc.

Server Backup
- Back up data on a local or centralized server
- The local file server stores most or all of the data of the enterprise
- Data is made available to clients via the LAN, using common IP network protocols (e.g. NFS, FTP or CIFS)
- Backup applications protect data on the local server by making copies of the data directly to the local backup system
- Cons: takes more bandwidth; users must copy data to the server; limited data growth

Enterprise Backup
- Enterprise-wide network clients automatically move backup data, via a network, to a backup drive connected to a backup server
- Automated libraries with multiple backup drives allow multiple backup streams to be received from multiple clients in parallel
- Backup clients are deployed on every system or workstation and send data on a schedule
- Cons: more bandwidth; more expensive; still limited with data growth

Server-less Backup
- Data is moved via a separate backup network or Fibre Channel SAN directly from disk to tape
- Only the main servers are connected to these fast and expensive networks
- Workstations are connected via the TCP/IP network, and their data is written from the client directly to a tape drive via the relatively slow, but much cheaper, LAN
- A server must be involved in initiating and controlling the data moving over the SAN
- Cons: very expensive

SAN vs LAN-based Server Backup
| Feature | SAN | LAN-based Server Backup |
|---|---|---|
| Performance | Faster data transfer speeds | Slower data transfer speeds |
| Management | Centralized management | Decentralized management |
| Scalability | Highly scalable | Moderately scalable |
| Storage consolidation | Consolidation possible | Limited storage consolidation |
| Availability | High availability with redundancy | Lower availability compared to SAN |
| Cost | Higher upfront and ongoing costs | Lower upfront costs, potentially lower ongoing costs |
| Complexity | More complex setup and management | Simpler setup and management |
| Security | Requires robust security measures | Less complex security considerations |
| Suitability for small deployments | Might be overkill | Can be cost-effective |

Backup Types
- Full backup: everything except swap files; not very efficient with media or time; usually performed weekly
- Differential backup: only files modified since the last full backup; archive bits must exist for each file and directory
- Incremental backup: all files that have changed since the last full or incremental backup; sets the archive bit to 0; usually performed daily; more efficient on network traffic, time and media

Backup Types: Example
- Differential: Day 1, full backup (captures all data). Day 2, differential backup 1 (captures changes since Day 1). Day 3, differential backup 2 (captures changes since Day 1, not just since Day 2).
- Incremental: Day 1, full backup (captures all data). Day 2, incremental backup 1 (captures changes since Day 1). Day 3, incremental backup 2 (captures changes since Day 2).

What to Back Up?
- Data files
- Domain or tree databases
- Domain controller registries
- Don't bother with: program files (?), temp files, noncritical files, seldom-changed files

Backup Rotation
- Retention period: how far back do you want to keep?
- Minimum rotation: two media sets, rotated on each backup
- Light security rotation: four media sets, labeled "Mon", "Wed", "Fri 1" and "Fri 2". Starting on the first Friday, a full backup is done to "Fri 1", which is then stored off-site
- Medium security rotation: daily backups with rotating sets; weekly backups with a rotating set

Offsite Storage and Vaulting
o Electronic vaulting: backup via a third party
o Regular and automatic
o Specialised centers protected against computing and physical disasters
o 24x7 monitoring and user support
o Issues: who has access; speed; natural disaster protection; intrusion detection/security; encryption/transfer; guarantees

Backup Issues
o Size needed
o Speed needed
o Cost (often cost per terabyte)
o Automation
o Software conflicts
o Backup software compatibility with the OS
o Locked or open files
o Tape life
o Topology
o Always perform data verification

Data Masking
✦ Why and when
✦ Requirements
✦ Methods: substitution, shuffling, variance, nulling out, encryption, masking out
✦ Types: static, dynamic
✦ Pros and cons of each type
✦ Cloud data masking

Data Masking: What and Where
- What: the process of hiding original classified data; same format, different values
- Where: testing applications/systems; training; third-party analytics; security requirements (data invisible to operators)

Data Masking Requirements
- Must remain usable for testing purposes
- Must look real and appear consistent
- Must not be reverse-engineerable
- Must remain meaningful, e.g. pass credit card validation
- Must have sufficient changes from the original data

Data Masking Techniques
- Substitution: a different authentic value is substituted for the existing value; requires large substitution datasets
- Shuffling: values are randomly shuffled within the column; should not be used in isolation. Difference between the two?
- Number and date variance: +/- 10% can still be meaningful; date shifting
- Masking out: similar to nulling out except that some of the data is kept intact, e.g. XXXX XXXX XXXX 2345; not effective for testing
- Encryption: most complex; requires a key based on user rights; not effective
- Nulling out / deletion: simplistic; cannot be used where software requires validation

Types of Data Masking
- Static: test data generated from a backup of the original data
- Dynamic: masking happens at runtime, dynamically and on demand; avoids the need for a second data source to store masked data
- On-the-fly: copy from the original to the test environment; good for sharing data; one record at a time

Types of Data Masking (continued)
Both dynamic data masking and on-the-fly data masking refer to the technique of masking sensitive data in real time as it is being accessed or used. The original data remains encrypted or hidden, and only the masked version is revealed to users or applications.
Dynamic: dynamic data masking happens at runtime, dynamically and on demand, so that there need not be a second data source in which to store the masked data. Dynamic data masking enables several scenarios, many of which revolve around strict privacy regulations, e.g. the Singapore Monetary Authority or the privacy regulations in Europe. Dynamic data masking is attribute-based and policy-driven.
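The masking techniques listed above (substitution, shuffling, variance, masking out, nulling out) together with a role-based field policy of the kind dynamic masking applies, as an added Python example that is not part of the original slides. The sample rows, the substitution approach (random account digits with a recomputed Luhn check digit, so the masked card still validates as the requirements slide asks) and the role-to-field policy table are all constructed for the demo:

```python
"""Data masking techniques from the slides, as an added example (not from the
original deck). SAMPLE_ROWS and MASK_POLICY are constructed for the demo."""
import random
from typing import Any

# Constructed sample table: card numbers are public test numbers, not real accounts.
SAMPLE_ROWS = [
    {"name": "Alice Tan", "card": "4539 1488 0343 6467", "salary": 52000, "ssn": "S1234567A"},
    {"name": "Bob Lim",   "card": "6011 0009 9013 9424", "salary": 61000, "ssn": "S7654321B"},
    {"name": "Chen Wei",  "card": "3782 822463 10005",   "salary": 48000, "ssn": "S2468135C"},
]

def luhn_valid(number: str) -> bool:
    """Standard Luhn check: double every second digit from the right, sum, mod 10."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) > 1 and total % 10 == 0

def luhn_check_digit(body: list[int]) -> int:
    """Check digit that makes body + [digit] pass luhn_valid."""
    total = 0
    for i, d in enumerate(reversed(body)):
        if i % 2 == 0:  # rightmost body digit sits in a doubled position
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10

def substitute_card(card: str, rng: random.Random) -> str:
    """Substitution: a different but authentic-looking value, same length and spacing."""
    digits = [int(c) for c in card if c.isdigit()]
    body = [rng.randrange(10) for _ in range(len(digits) - 1)]
    if body == digits[:-1]:            # never hand back the original number
        body[-1] = (body[-1] + 1) % 10
    body.append(luhn_check_digit(body))
    it = iter(body)
    return "".join(str(next(it)) if c.isdigit() else c for c in card)

def shuffle_column(rows: list[dict], key: str, rng: random.Random) -> list[dict]:
    """Shuffling: real values stay in the column, only their row assignment changes."""
    values = [r[key] for r in rows]
    rng.shuffle(values)
    return [{**r, key: v} for r, v in zip(rows, values)]

def number_variance(value: float, pct: float, rng: random.Random) -> float:
    """Variance: perturb by up to +/- pct so aggregates remain meaningful."""
    return round(value * (1 + rng.uniform(-pct, pct)), 2)

def mask_out(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Masking out: hide all but the trailing digits, e.g. XXXX XXXX XXXX 6467."""
    n = sum(c.isdigit() for c in value)
    out, idx = [], 0
    for c in value:
        if c.isdigit():
            out.append(mask_char if idx < n - keep_last else c)
            idx += 1
        else:
            out.append(c)
    return "".join(out)

def null_out(value: Any) -> None:
    """Nulling out: the field is removed entirely."""
    return None

def mask_for_test(rows: list[dict], seed: int = 2025) -> list[dict]:
    """Static masking of a copy for a test environment; shuffling is combined with
    other techniques because on its own it leaves every real value in place."""
    rng = random.Random(seed)
    shuffled = shuffle_column(rows, "name", rng)
    return [{**r,
             "card": substitute_card(r["card"], rng),
             "salary": number_variance(r["salary"], 0.10, rng),
             "ssn": null_out(r["ssn"])} for r in shuffled]

# Assumed dynamic-masking policy: role -> fields transformed at read time.
MASK_POLICY = {
    "doctor": {"ssn": null_out},    # doctors cannot view the SSN field
    "billing": {"card": mask_out},  # billing sees only the last four digits
    "dba": {},                      # unmasked access
}

def read_record(row: dict, role: str) -> dict:
    """Dynamic masking: apply the role's policy on the way out; unknown roles get nothing."""
    policy = MASK_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no masking policy defined for role {role!r}")
    return {k: (policy[k](v) if k in policy else v) for k, v in row.items()}
```

Running `mask_for_test(SAMPLE_ROWS)` yields rows whose card numbers still pass `luhn_valid` but differ from the originals, salaries within 10% of the real figures, and no SSNs; `read_record` shows why dynamic masking needs no second copy of the data.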
Policies include:
- Doctors can view the medical records of the patients they are assigned to (data filtering)
- Doctors cannot view the SSN field inside a medical record (data masking)
On-the-fly: transferring data from environment to environment without the data touching the disk on its way. Good for sharing data, one record at a time. "On-the-fly" might emphasize the immediate masking that happens during data access.

Secure Data Erasure
✦ Information classification
✦ Media types
✦ Validation
✦ Categories:
✦ Disposal: throwing away the device or putting it in the trash
✦ Clearing: using software to overwrite the existing data with random characters or zeros
✦ Purging: using specialized hardware or software to overwrite data multiple times with specific patterns, making recovery virtually impossible
✦ Destroy: physically damaging the storage media to the point where data recovery is physically impossible

Virtualization

Virtualization and Cloud Computing
- What is cloud computing? A model which enables the combination of hardware, software and networking that allows the delivery of on-demand computing resources via the Internet or a private network
- What are the categories of cloud solutions? Public cloud, community cloud, private cloud, hybrid cloud

Cloud Computing Issues
- Virtualization issues, e.g. hypervisors
- Network availability
- Cloud provider viability
- Security incidents
- Transparency
- Cross-VM traffic
- Cloud data storage
- Loss of physical control
- New risks, new vulnerabilities

Common Attacks
- Ransomware attacks
- Denial of service / distributed denial of service (DoS/DDoS) attacks
- Data exfiltration
- SQL injection attacks
- Cross-site scripting (XSS) attacks
- Phishing attacks
- Virus/malware

Common Attacks: Phishing
- Spear phishing targets a specific person or enterprise, as opposed to random application users. It is a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.
- Whaling is a sophisticated cyberattack that targets high-level executives and other individuals with significant authority within an organization. The goal is to trick them into sharing sensitive information or taking actions that can lead to financial losses or damage to the organization's reputation.

Ethics
✦ Ethics vs laws
✦ Enforcing policy: dissemination, review, comprehension, compliance, enforcement
✦ Professional organisations and their role in promoting ethical behaviour
✦ Causes of unethical behaviour: ignorance, accident, intent
✦ Preventing unethical behaviour: education and training, penalty, prosecution
✦ Ethical issues: IP and software infringement; security rights, hackers; illegal downloading/sharing of materials; privacy (private vs public information, corporate handling of personal data); misuse of corporate resources

Ethics and Data Security
Why is ethics important from the point of view of data security? It is critical to understand the ethical responsibilities of your work, as you will be dealing with privacy and secrecy issues in a large part of your work.
All security setups and incident investigations have legal and ethical components. How you deal with the ethical component of your work is crucial, as it can increase the liability of both the organization that employs you and yourself. Organizations should demand strong ethical behaviour from their employees.

Ethics and Data Security (continued)
The security setup, as mentioned before, specifies the rules and procedures which ultimately determine the behaviour of employees. A computer security professional maintains security by developing and helping with the implementation of security policies. Security policies are enforceable when the following requirements are met:
1) the policy has been communicated to all staff
2) the policy is easily comprehended by all staff
3) compliance with the policy is agreed to by the staff
4) enforcement is uniform and consistent

Ethics and Professional Organizations
There is no universal binding ethics code for computer security professionals. Different international professional organizations (ACM, IEEE, SANS, ISACA) provide their own guidelines on ethical behaviour. The Australian Computer Society (ACS) has its own recommendations on ethics.

International professional organizations:
- ACM: Association for Computing Machinery
- IEEE: The Institute of Electrical and Electronics Engineers
- SANS: System Administration, Networking, and Security Institute
- ISACA: The Information Systems Audit and Control Association
- ISSA: The Information Systems Security Association
These provide their own guidelines on ethical behaviour. The Australian Computer Society (ACS) has its own recommendations on ethics.

Computer Ethics Institute: Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
http://computerethicsinstitute.org/images/TheTenCommandmentsOfComputerEthics.pdf

Australian Computer Society (ACS) Code of Ethics
- The primacy of the public interest
- The enhancement of quality of life
- Honesty
- Competence
- Professional development
- Professionalism
https://www.acs.org.au/content/dam/acs/acs-documents/Code-of-Ethics.pdf

ACS Case Study
Joe is working on a project for his computer science course. The instructor has allotted a fixed amount of computer time for this project. Joe has run out of time but has not yet finished the project. The instructor cannot be reached. Last year Joe worked as a student programmer for the campus computer centre and is quite familiar with the procedures for increasing the time allocations of accounts. Using what he learned last year, he is able to access the master account. He then gives himself additional time and finishes his project.
ACS Code of Professional Conduct: values and relevant clauses
- 1.2.1 Public Interest: a) identify those potentially impacted by your work and explicitly consider their interests;
- 1.2.4 Competence: f) accept responsibility for your work;
- 1.2.6 Professionalism: f) refrain from any conduct or action in your professional role which may tarnish the image of the profession or detract from the good name of the ACS;

Ethics and Ethical Behaviour
Ethics and ethical behaviour vary depending on the country or culture one interacts with. This is a significant problem, especially when attempting to handle groups across areas with different ethical expectations and enforcement mechanisms. Education and training are key in reducing unethical behaviour.
Causes of unethical behaviour:
1. Ignorance
2. Accident
3. Intent

Preventing Unethical Behaviour
Computer security professionals have a responsibility to prevent unethical or illegal behaviour.
✦ Deterrence can be enhanced by a concerted effort to highlight, through training, the type of behaviour that is unacceptable and the consequences of such behaviour. Specifically, one needs to ensure that:
  1) the penalty is appropriate to discourage repeat offending
  2) the likelihood that the offence is detected is high
  3) the enforcement of the penalties is carried out according to the security policy

Ethical Issues
1) Security rights
2) Hackers
3) Domains
4) Illegal downloading of material
5) Private vs public information
6) Commercial collection of personal information
7) Misuse of corporate resources
8) Software piracy

Basic Security Concepts
✦ Threat: a possible scenario in which some threat agent exploits a vulnerability and causes damage to a system
✦ Vulnerability: a weakness in any component of an information system
✦ Risk: a measure of the likelihood and impact of a threat
✦ Countermeasure: a safeguard to prevent or mitigate risk
✦ Incident: some damage has occurred

Security System Goals
✦ Protecting the customers:
  1) customer information secrecy and integrity
  2) customers have access to only their own data and services
  3) providing the services, interactivity and accessibility in accordance with the clauses outlined in the
✦ Protecting the service providers:
  1) the secrecy and integrity of the service provider data
  2) strict access controls
  3) the interaction between the organization and the service providers is both fault-free and secure
✦ Protecting the infrastructure:
  1) least privilege is used to reduce the chance of unauthorised access to data and assets
  2) support for the AIC principles for user access and interaction as well as service provision

Security System Principles
✦ Effective security programs are shaped by the organization's short- and long-term objectives.
✦ All effective programs are based on the CIA triad: Confidentiality, Integrity, Availability.

Cyber Threats: Common Attacks
✦ Ransomware attacks
✦ Denial of service / distributed denial of service (DoS/DDoS) attacks
✦ Data exfiltration
✦ SQL injection attacks
✦ Cross-site scripting (XSS) attacks
✦ Phishing attacks
✦ Viruses/malware

Need to Know
✦ Generally, how attacks happen
✦ Which property is affected: Availability, Integrity, or Confidentiality?
✦ How to address the threat?
  ✦ Prevention
  ✦ Detection
  ✦ Correction
  ✦ Recovery

Access Control Concepts
✦ Identity: represents a person, an organisation, an application, or a device, together with the attributes related to that entity.
✦ Identification: binds a user to appropriate controls based on the identity (first step of access control).
✦ Authentication: verifying the identity of a user (second step of access control). Three authentication factors:
  ✦ Something a person knows (knowledge)
  ✦ Something a person has (ownership)
  ✦ Something a person is (characteristic)
✦ Authorization: defines what resources a user needs and the type of access to those resources (final step of access control). Three access control models:
  ✦ DAC: Discretionary access control (identity)
  ✦ MAC: Mandatory access control (policy)
  ✦ RBAC: Role-based access control (role)
✦ Accountability: ensures that users are accountable for their actions.

Security Controls
✦ Safeguards to prevent, detect, correct or minimise security risks.
✦ A set of actions for data security: actionable ways to stop today's most pervasive and dangerous attacks.
✦ Prioritize and focus on a smaller number of actions with high pay-off results.
✦ Derived from the most common attack patterns highlighted in the leading threat reports.
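The four access control steps on the Access Control Concepts slide, worked as an added Python example (not from the slides): identification of the claimed user, password authentication with the suspend-after-N-failures practice, role-based authorization, and an audit log for accountability. The user names, roles, resources and the lockout threshold of three attempts are constructed sample values.

```python
"""Added example (not from the slides): the four access control steps on the
Access Control Concepts slide, identification -> authentication ->
authorization -> accountability, built as a small role-based (RBAC) system.
All user names, roles, resources and passwords are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Access control practice from the slides: suspend access after a fixed
# number of unsuccessful logon attempts. Three is a chosen sample value.
MAX_FAILED_LOGONS = 3

# RBAC: permissions are attached to roles, never to individual identities,
# so a user's access is exactly the union of the roles they hold.
ROLE_PERMISSIONS = {
    "teller": {("customer_account", "read")},
    "auditor": {("customer_account", "read"), ("audit_log", "read")},
    "admin": {("customer_account", "read"), ("customer_account", "write"),
              ("audit_log", "read"), ("user", "write")},
}


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2 hash, never the password itself (knowledge factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str            # the identity claimed at the identification step
    roles: frozenset
    salt: bytes
    verifier: bytes
    failed_logons: int = 0
    suspended: bool = False


class AccessControl:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []   # accountability: every decision is logged

    def create_user(self, username: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(
            username, frozenset(roles), salt, derive_verifier(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        """Steps 1 and 2: look the claimed identity up, then verify the secret."""
        acct = self.accounts.get(username)
        if acct is None:
            # Undefined or anonymous users are denied, as the practices slides say.
            self._record(username, "logon", "-", "DENY unknown identity")
            return False
        if acct.suspended:
            self._record(username, "logon", "-", "DENY account suspended")
            return False
        ok = hmac.compare_digest(acct.verifier, derive_verifier(password, acct.salt))
        if ok:
            acct.failed_logons = 0
        else:
            acct.failed_logons += 1
            if acct.failed_logons >= MAX_FAILED_LOGONS:
                acct.suspended = True
        self._record(username, "logon", "-", "ALLOW" if ok else
                     f"DENY bad password ({acct.failed_logons}/{MAX_FAILED_LOGONS})")
        return ok

    def authorize(self, username: str, resource: str, action: str) -> bool:
        """Step 3: grant only what the user's roles permit (least privilege)."""
        acct = self.accounts.get(username)
        allowed = (acct is not None and not acct.suspended and any(
            (resource, action) in ROLE_PERMISSIONS.get(role, set())
            for role in acct.roles))
        self._record(username, action, resource, "ALLOW" if allowed else "DENY")
        return allowed

    def _record(self, who: str, action: str, resource: str, outcome: str) -> None:
        """Step 4: accountability, an append-only record of who did what."""
        self.audit_log.append(
            f"user={who} action={action} resource={resource} outcome={outcome}")


if __name__ == "__main__":
    ac = AccessControl()
    ac.create_user("alice", "correct horse battery", ["teller"])
    ac.authenticate("alice", "correct horse battery")
    ac.authorize("alice", "customer_account", "read")    # allowed by the teller role
    ac.authorize("alice", "customer_account", "write")   # denied: tellers cannot write
    for line in ac.audit_log:
        print(line)
```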
Security Controls
✦ Administrative controls: these include the developing and publishing of policies, standards, procedures, and guidelines; risk management; the screening of personnel; conducting security-awareness training; and implementing change control procedures.
✦ Technical controls (also called logical controls): these consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and the configuration of the infrastructure.
✦ Physical controls: these entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.

Controls
Each of the controls can be further classified as:
✦ Deterrent
✦ Preventative
✦ Detective
✦ Corrective
✦ Recovery/Compensatory

Administrative controls
✦ developing and publishing of policies, standards, procedures, and guidelines
✦ risk management
✦ screening of personnel
✦ security-awareness training
✦ change control procedures

Technical (Logical) controls
✦ identification and authentication methods
✦ security devices
✦ configuration of the infrastructure
Examples:
✦ Preventative: encryption, smart cards, network authentication, access control lists (ACLs), file integrity auditing software, patching and IPS
✦ Detective: security logs, NIDS and HIDS
✦ Corrective/Recovery: IPS and restore from backups

Physical controls
✦ controlling individual access into the facility
✦ locking systems and removing unnecessary drives/peripheral devices
✦ protecting the perimeter of the facility
✦ monitoring for intrusion
✦ environmental controls
Challenges:
✦ physical security breaches can result in more issues than a worm attack
✦ easily concealable USB drives
✦ ability to synchronize files across all devices
✦ countermeasures will vary

Physical controls (examples)
✦ Automated barriers and bollards
✦ Building management systems (heating, HVAC, lift/elevator control, etc.)
✦ CCTV (closed circuit TV)
✦ Electronic article surveillance (EAS)
✦ Fire detection
✦ GIS mapping systems
✦ Intercom and IP phone
✦ Lighting control system
✦ Perimeter intrusion detection system
✦ Radar-based detection and perimeter surveillance radar
✦ Security alarm
✦ Video wall
✦ Power monitoring system
✦ Laptop locks

Controls (image-only slide)

Access Control Practices
✦ Deny access to systems to undefined users or anonymous accounts.
✦ Limit and monitor the usage of administrator and other powerful accounts.
✦ Suspend or delay access capability after a specific number of unsuccessful logon attempts.
✦ Remove obsolete user accounts as soon as the user leaves the company.
✦ Suspend inactive accounts after 30 to 60 days.
✦ Enforce strict access criteria.
✦ Enforce the need-to-know and least-privilege practices.
✦ Disable unneeded system features, services, and ports.
✦ Replace default password settings on accounts.
✦ Limit and monitor global access rules.
✦ Remove redundant resource rules from accounts and group memberships.
✦ Remove redundant user IDs, accounts, and role-based accounts from resource access lists.
✦ Enforce password rotation.
✦ Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission).
✦ Audit system and user events and actions, and review reports periodically.
✦ Protect audit logs.

Top four controls
✦ Application whitelisting
✦ Patch applications
✦ Patch operating systems
✦ Restrict administrative privileges

Commonly Used Security Methods
To address the key requirements of the AIC triad, one can employ a number of commonly used security methods:
✦ Least privilege
✦ Defense-in-depth
✦ Minimization
✦ Keep things simple
✦ Compartmentalization
✦ Use choke points
✦ Fail securely/safely
✦ Leverage unpredictability

Commonly Used Security Methods
✦ Least privilege: do not provide more privileges than are required; this applies to both users and applications.
✦ Defense-in-depth: the security system should have multiple layers, and the defense layers should be of different types; the security setup should use a mixture of measures which enable both the prevention and monitoring of the security system.
✦ Minimization: the system should not run any applications that are not strictly required to complete its assigned task.
✦ Keep things simple: a security system should be kept simple, as any complexity introduced leads to insecurity in the overall system.
✦ Compartmentalization: to prevent the compromise of the entire system, use a compartment approach to the system design and implementation.
✦ Use choke points: traffic is easier to analyse and control by using choke points.
✦ Fail securely/safely: analyse the failure modes and ensure that in case of a system failure, the loss/damage is minimized.
✦ Leverage unpredictability: do not provide any information about the system's security setup; users and clients can know of a system but not any specific details.
✦ Separation of duties: do not use a single staff member for multiple security-related duties; separate duties and employ a rotation.

Elements of Defense in Depth (DiD) (image-only slide)

Examples of defense in depth
✦ Segmenting your network. Network segmentation is the practice of dividing your network into smaller networks, or segments. This can help to isolate critical systems and data from less critical systems and data. If one segment is compromised, the damage can be limited to that segment.
✦ Using intrusion detection and prevention systems (IDS/IPS). IDS/IPS systems monitor your network for malicious activity. If they detect suspicious activity, they can alert you or take action to block the activity.
✦ Implementing data loss prevention (DLP) solutions. DLP solutions can help to prevent sensitive data from being leaked or stolen. They can do this by monitoring your network for sensitive data and blocking attempts to transmit that data outside of your organization.
✦ Backing up your data regularly. If your data is compromised, a backup can help you to restore it. Make sure you back up your data regularly and store it in a secure location.

Some examples
✦ Least privilege: a bank teller should only be given access to the customer accounts that they are responsible for. This helps to protect customer data from unauthorized access.
✦ Minimization: a system that tracks user activity should only collect the data that is necessary to track user activity, such as the user's IP address and the time and date of the activity. Collecting more data than is necessary increases the attack surface and makes it more likely that an attacker will be able to exploit the system.
✦ Keep things simple: a system that allows users to upload files should have a simple file upload process that is easy to understand and use. This helps to reduce the risk of users uploading malicious files that could infect the

Examples
Principle | Description | Example
Least privilege | Users should only be given the privileges they need to perform their job duties. | A customer service representative should only be given access to customer information, not financial information.
Minimization | Systems and applications should be designed to be as small and simple as possible. | A system that only collects the data that is absolutely necessary, such as the user's IP address and the time and date of the activity.
Keep things simple | Systems and applications should be designed to be as easy to use and understand as possible. | Error messages should be clear and concise.

Business Continuity (image-only slide)

Business Continuity
✦ Prevention: actions taken to reduce or eliminate the likelihood and/or effects of an incident. This element is largely covered by Risk Management Planning.
✦ Preparedness: actions taken prior to an incident to ensure an effective response and recovery. This element is largely covered by Business Impact Analysis.
✦ Response: actions taken to respond to an incident in terms of containment, control and minimising impacts. This element is largely covered by Incident Response Planning.
✦ Recovery: actions taken to recover from an incident in order to minimise disruption and recovery times. This element is largely covered by Recovery Planning.

BC vs SC
✦ Business continuity (BC) and security controls (SC) are two important aspects of an organization's risk management strategy.
✦ BC is concerned with ensuring that the organization can continue to operate in the event of a disruption, while SC is concerned with protecting the organization from threats.

How are BC and SC linked?
1. SC can help to prevent disruptions from occurring in the first place, e.g. a strong firewall can help to protect the organization from cyberattacks, which could disrupt operations.
2. SC can help to mitigate the impact of a disruption if it does occur, e.g. a backup plan can help the organization to restore its operations quickly after a disaster.
3. BC can help to identify and prioritize risks. By understanding how a disruption could impact the organization, BC can help to identify the most important risks to address with SC.
4. Finally, BC and SC should be integrated into the organization's overall risk management framework.

Risk Management
✦ Risk: an uncertain event that, if it occurs, has a positive or negative effect on objectives
✦ Risk Management: a proactive attempt to recognize and manage internal events and external threats that affect the likelihood of success
  ✦ What can go wrong (risk event)
  ✦ How to minimize the risk event's impact (consequences)
  ✦ What can be done before an event occurs (anticipation)
  ✦ What to do when an event occurs (contingency plans)

Risk Management
✦ How to determine risk:
  ✦ Loss/damage
  ✦ Likelihood
  ✦ Effectiveness of existing controls
  ✦ Uncertainty of vulnerability knowledge
✦ Residual risk: risk not yet addressed by existing controls
  Residual risk = Total risk x Control gap

Risk Management
✦ Organizations face threats of different types when they are online.
✦ To handle the threats, a risk plan is required.
✦ The risk plan has four aims:
  1) to address risks that can be removed
  2) to mitigate the risks which cannot be eliminated
  3) to specify the controls that reduce some risks to an acceptable level
  4) to address risks using insurance means

Risk Management
✦ Major undertakings:
  ✦ Identify risks: examine and document the security posture of IT and the risks it faces
  ✦ Assess risks: determine the extent to which assets are exposed or at risk
  ✦ Address risks: recommend/apply security controls

Risk Management
✦ Risk assessment: formal process
  ✦ Planning
  ✦ Documentation
  ✦ Assurance
  ✦ Who/How
  ✦ Periodic review
  ✦ Appropriately qualified and experienced person

Risk Management
✦ Risk assessment
  ✦ Quantitative risk assessment
  ✦ Qualitative risk assessment
✦ Some concepts
  ✦ Single loss expectancy (SLE) = asset value x exposure factor (EF)
  ✦ Annualized rate of occurrence (ARO)
  ✦ Annualized loss expectancy (ALE)
  ✦ Cost-benefit analysis (CBA)

Risk Management
✦ Single loss expectancy (SLE): the value associated with the most likely loss from an attack; SLE = asset value x exposure factor (EF)
✦ Exposure factor (EF): the expected percentage of loss that would occur from a particular attack, e.g. the backup data centre suffers 50% damage: EF = 0.5
✦ Annualized rate of occurrence (ARO): the probability of a threat occurrence as a yearly (annualized) value
✦ Annualized loss expectancy (ALE): the annual overall loss potential per risk

Cost Benefit Analysis
The Cost Benefit Analysis (CBA) formula:
✦ From ALE(prior), subtract the revised ALE estimated with the control in place, known as ALE(post).
✦ Complete the calculation by subtracting the annualized cost of the safeguard (ACS).
CBA = ALE(prior) - ALE(post) - ACS

Cost Benefit Analysis Examples (image-only slide)

Asset assessment
✦ Tangible vs intangible assets
✦ Asset assessment questions:
  ✦ cost to obtain the asset
  ✦ maintenance cost
  ✦ value to the organization
  ✦ role of the asset
  ✦ value to opponents
  ✦ legal damage if the asset is lost
  ✦ replacement cost
  ✦ selling value of the asset

Risk Management
✦ Risk analysis:
  ✦ identify weaknesses and potential attacks, and estimate potential damage
  ✦ specify a methodology to handle attacks
  ✦ enable cost vs benefit evaluation
  ✦ enable ranking of threats and appropriate resource allocation
  ✦ needs support, direction and action from management

Risk Management
✦ Risk assessment:
  ✦ Risk assessment can be a time-consuming process to meet standards.
  ✦ Risk assessment can be done with a combination of tools, which offer the benefit of speeding up the process.
  ✦ Use of tools is optional; organisations need to examine their pros and cons.

Risk Management
✦ Strategies to address risks:
  ✦ Defend
  ✦ Transfer
  ✦ Mitigate
  ✦ Terminate/Avoid
  ✦ Accept

Defense, Transfer, Mitigate, Terminate, Accept (image-only slides)

Change Management
✦ What is change management?
✦ Why change management?
✦ IT change management process

Changes
✦ Different types of change:
  ✦ New hardware (computers, IT equipment, etc.)
  ✦ New software (applications, OS, etc.)
  ✦ Patches and updates
  ✦ New networking devices
  ✦ New technologies
  ✦ Policies, procedures, standards
  ✦ Merger/acquisition

Why Change Management?
✦ Unmanaged changes to IT systems and networks can recklessly increase risk to enterprises.
✦ Modern systems are complex, and even a minor change can require a proper change process.
✦ The purpose of change management is to prevent unintended consequences.

Change Procedure
✦ Requests
✦ Impact assessment
✦ Approval
✦ Build and test
✦ Notification
✦ Implementation
✦ Validation
✦ Documentation

Change Management
Manage the impact via the following:
✦ SLAs: changes to the SLA shall be controlled through a formal change process which includes contractual amendments.
✦ Version control: any software change and/or update shall be controlled with version control. Older versions shall be retained in accordance with corporate retention and storage management policies.
✦ Testing: changes shall be tested in an isolated, controlled, and representative environment.

Change Management
✦ Approval
✦ Communicating changes
✦ Implementation
✦ Roll back
✦ Documentation
✦ Monitoring
✦ Business continuity

Change Review
✦ Change monitoring
  ✦ Checking the desired functionality
  ✦ Monitoring network, server, performance
✦ Measuring success of the change
  ✦ Technical objectives
  ✦ Business objectives
✦ Change management assessment
✦ Business continuity

Roles and Responsibilities
✦ Change advisory board (CAB)
✦ Change manager
✦ Change administrator
✦ Change initiator
✦ Change coordinator

Disaster Recovery Plan (DRP)
✦ A DRP is a documented process that outlines how an organization will recover its critical functions in the event of a disaster.
✦ It should include steps for identifying, assessing, and mitigating risks; restoring data and systems; and resuming operations.

BCP vs DRP
Business Continuity Planning vs. Disaster Recovery Planning
✦ Business continuity planning (BCP) is a process designed to reduce the organization's business risk arising from an unexpected disruption of the critical functions/operations (manual or automated) necessary for the survival of the organization.
✦ A disaster recovery plan (DRP) is a sub-component of the business continuity plan. A DRP typically details the process IT personnel will follow to restore the computer systems and the operational facilities after a disaster.

BCP vs DRP (image-only slide)

Disasters
✦ Disasters are disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting business operations.
✦ There are three classifications of threats that can cause disasters:
  ✦ Natural: earthquakes, floods, tornados, severe thunderstorms, fire, etc.
  ✦ Environmental: unavailability of resources, electrical power, telecommunications, equipment failure, software error, etc.
  ✦ Human: operator error, terrorist attacks, hacker attacks, viruses, etc.
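The quantitative risk formulas from the Risk Management and Cost Benefit Analysis slides above (SLE, ARO, ALE, CBA and residual risk), carried through as an added Python example that is not part of the slides. The backup data centre scenario uses the slide's EF of 0.5; the asset value, the ARO and both safeguards with their costs are constructed sample figures.

```python
"""Added worked example, not from the slides: the quantitative risk assessment
formulas on the Risk Management and Cost Benefit Analysis slides (SLE, ARO,
ALE, CBA, residual risk) applied to a constructed scenario. Every dollar value,
exposure factor, rate and safeguard cost below is a made-up sample figure."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF); EF is the fraction lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive: the safeguard pays for itself."""
    return ale_prior - ale_post - acs


def residual_risk(total_risk: float, control_gap: float) -> float:
    """Residual risk = Total risk x Control gap (the share the controls leave uncovered)."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be between 0 and 1")
    return total_risk * control_gap


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the asset at risk
    exposure_factor: float  # EF without any new control
    aro: float              # annualized rate of occurrence without any new control


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # ACS
    post_ef: float          # EF once the safeguard is in place
    post_aro: float         # ARO once the safeguard is in place


def evaluate(scenario: Scenario, safeguard: Safeguard) -> dict:
    """Walk the slide formulas end to end for one scenario/safeguard pair."""
    sle_prior = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    ale_prior = annualized_loss_expectancy(sle_prior, scenario.aro)
    sle_post = single_loss_expectancy(scenario.asset_value, safeguard.post_ef)
    ale_post = annualized_loss_expectancy(sle_post, safeguard.post_aro)
    # The control gap is the share of the prior annual loss the safeguard still
    # leaves, so Total risk x Control gap reproduces ALE(post).
    gap = ale_post / ale_prior if ale_prior else 0.0
    return {
        "safeguard": safeguard.name,
        "sle_prior": sle_prior,
        "ale_prior": ale_prior,
        "ale_post": ale_post,
        "control_gap": gap,
        "residual_risk": residual_risk(ale_prior, gap),
        "cba": cost_benefit(ale_prior, ale_post, safeguard.annual_cost),
    }


def best_safeguard(scenario: Scenario, options: list) -> dict:
    """Rank candidate safeguards by CBA and return the best; a CBA of zero or
    below means the safeguard costs at least as much per year as it saves."""
    return max((evaluate(scenario, s) for s in options), key=lambda r: r["cba"])


# Constructed sample: the slide's backup data centre suffering 50% damage (EF = 0.5),
# expected once every ten years (ARO = 0.1).
BACKUP_DC = Scenario("backup data centre fire", asset_value=2_000_000,
                     exposure_factor=0.5, aro=0.1)
OPTIONS = [
    Safeguard("gas fire suppression", annual_cost=25_000, post_ef=0.1, post_aro=0.1),
    Safeguard("fully mirrored second site", annual_cost=90_000, post_ef=0.05, post_aro=0.1),
]

if __name__ == "__main__":
    for result in (evaluate(BACKUP_DC, s) for s in OPTIONS):
        print(f"{result['safeguard']}: ALE(prior)={result['ale_prior']:,.0f} "
              f"ALE(post)={result['ale_post']:,.0f} CBA={result['cba']:,.0f}")
    print("best by CBA:", best_safeguard(BACKUP_DC, OPTIONS)["safeguard"])
```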
BCP Process
The business continuity planning process can be divided into the following lifecycle phases:
✦ Conduct Business Impact Analysis (BIA)
✦ Develop Continuity of Operations Plan (COOP) and Disaster Recovery Plan (DRP)
✦ Test the plan and conduct training and exercises
✦ Maintain the plan

Business Impact Analysis
✦ Identify critical activities
✦ Identify resources to support each activity
✦ Evaluate the impact of ceasing to perform these activities and identify priorities
✦ Determine recovery criticality (RPO, RTO, MTD)

Recovery Parameters
✦ Maximum tolerable downtime (MTD): outage time that can be tolerated by the company as a result of various unfortunate events.
✦ Recovery point objective (RPO): determined based on the acceptable data loss in case of disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data.
✦ Recovery time objective (RTO): determined based on the acceptable downtime in case of a disruption of operations. It indicates the earliest point in time at which the business operations must resume after a disaster.
✦ Work recovery time (WRT): the maximum tolerable amount of time a DR team has to verify that systems and data protection are online and operational.

Recovery Parameters
Scenario: a major online retailer experiences a server failure, disrupting its website and mobile app and preventing customers from making purchases and accessing their accounts.
Key terms:
✦ Maximum Tolerable Downtime (MTD): the maximum amount of time a business process can be unavailable before causing unacceptable consequences.
✦ Recovery Point Objective (RPO): the maximum amount of data loss that an organization can tolerate during a disruption.
✦ Recovery Time Objective (RTO): the target time within which systems and applications must be restored to operation after an outage.
✦ Work Recovery Time (WRT): the time it takes to resume normal business operations after systems and applications are restored.
Analysis:
1. MTD: the retailer determines that it can tolerate a maximum of 2 hours of downtime before experiencing significant revenue loss and customer dissatisfaction.
2. RPO: the retailer decides that it can afford to lose up to 15 minutes of order data without causing major issues.
3. RTO: to meet the MTD, the retailer sets an RTO of 1 hour to restore all critical systems.
4. WRT: after the systems are restored, the retailer estimates that it will take an additional 30 minutes to resume normal operations, including system checks and customer notifications.
How these numbers are related:
✦ MTD sets the overall limit for acceptable downtime.
✦ RTO and WRT directly contribute to the MTD. The faster the systems can be restored (RTO) and the quicker normal operations can resume (WRT), the closer the total downtime gets to the MTD.
✦ RPO is influenced by the MTD, as a shorter MTD often requires a shorter RPO to minimize data loss and allow for quicker recovery.
In this example: the retailer's MTD is 2 hours. Their RTO is 1 hour and their WRT is 30 minutes. This gives a total recovery time of 1 hour 30 minutes, which falls within their MTD of 2 hours.

Recovery Parameters
Maximum tolerable downtime (MTD): outage time that can be tolerated by the company as a result of various unfortunate events.
Criticality | MTD
Nonessential | 30 days
Normal | 7 days
Important | 72 hours
Urgent | 24 hours
Critical | Minutes to hours

Recovery Parameters
✦ Both RPO and RTO are based on time parameters. The lower the time requirements, the higher the cost of recovery strategies.
✦ If the RPO is in minutes (lowest possible acceptable data loss), then data mirroring should be implemented as the recovery strategy.
✦ If the RTO is less, then the alternate site might be preferred over a hot-site contract.
✦ The lower the RTO, the lower the disaster tolerance. Disaster tolerance is the time gap within which the business can accept the non-availability of IT facilities.

Offsite Facilities
✦ Alternate processing facilities:
  ✦ Hot sites
  ✦ Warm sites
  ✦ Cold sites
  ✦ Mobile sites
  ✦ Reciprocal agreements

Offsite Facilities (image-only slide)

Contingency Plan
✦ Supporting information and appendices:
  ✦ Business impact analysis
  ✦ Emergency contacts
  ✦ Recovery procedures
✦ Main phases:
  ✦ Activation and notification
  ✦ Recovery
  ✦ Reconstitution

Testing
✦ Testing a business continuity plan is crucial for the success of the plan.
✦ The test is conducted to ensure that the plan is effective in case of all eventualities.

Testing
✦ A sound BCP should be complete and focused.
✦ It should be manned by properly trained and competent personnel.
✦ It requires close coordination with external vendors.
✦ The backup site should have the capability to conduct the prescribed processing, with the capacity to retrieve vital records along with the configuration of equipment which should be relocated to the recovery site.

Testing
✦ The BCP tests should be conducted during the slack period.
✦ It is important that realistic prime-time conditions be simulated, even if the BCP test is conducted during off-peak hours.

Testing Methods
✦ Structured walk-through test: "Let's get in a room and talk about this."
✦ Simulation test: "Everyone take your places. Okay, action!"
✦ Parallel test: "Let's do a little processing here and a little processing there."
✦ Full-scale test: "Shut down and move out!"
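The recovery parameters from the Business Impact Analysis slides above (MTD, RTO, WRT, RPO) checked for consistency in an added Python example that is not part of the slides, using the retailer scenario's figures plus a constructed counter-example that overruns its MTD. The criticality tiers follow the slides' MTD table; treating anything under 24 hours as "Critical" and an RPO under one hour as "in minutes" are this example's own interpretations.

```python
"""Added example, not from the slides: a consistency check of the recovery
parameters the Business Impact Analysis slides define (MTD, RTO, WRT, RPO).
Tier boundaries follow the MTD table on the slides; "Critical" for anything
under 24 hours and "in minutes" for an RPO under one hour are assumptions."""
from dataclasses import dataclass
from datetime import timedelta

# MTD tiers from the slides as (upper bound, label), checked from the tightest up.
MTD_TIERS = [
    (timedelta(hours=24), "Urgent"),
    (timedelta(hours=72), "Important"),
    (timedelta(days=7), "Normal"),
    (timedelta(days=30), "Nonessential"),
]


@dataclass(frozen=True)
class RecoveryObjectives:
    process: str
    mtd: timedelta   # maximum tolerable downtime
    rto: timedelta   # time to get systems back
    wrt: timedelta   # time to verify systems and resume normal operations
    rpo: timedelta   # acceptable data loss, measured as time


def criticality(mtd: timedelta) -> str:
    """Map an MTD onto the slides' criticality tiers."""
    if mtd < timedelta(hours=24):
        return "Critical"            # "minutes to hours" on the slide
    for bound, label in MTD_TIERS:
        if mtd <= bound:
            return label
    return "Nonessential"            # longer than 30 days: the loosest tier


def total_recovery_time(obj: RecoveryObjectives) -> timedelta:
    """RTO and WRT add up: first systems are restored, then operations resume."""
    return obj.rto + obj.wrt


def recovery_strategy(obj: RecoveryObjectives) -> str:
    """Slide rule of thumb: an RPO in minutes calls for data mirroring."""
    if obj.rpo < timedelta(hours=1):
        return "data mirroring"
    return f"scheduled backups at least every {obj.rpo}"


def assess(obj: RecoveryObjectives) -> dict:
    """Check the objectives against each other and return the findings."""
    findings = []
    total = total_recovery_time(obj)
    if total > obj.mtd:
        findings.append(
            f"RTO + WRT ({total}) exceeds MTD ({obj.mtd}); tighten RTO or WRT")
    if obj.rpo > obj.mtd:
        findings.append(
            f"RPO ({obj.rpo}) is longer than MTD ({obj.mtd}); the data loss "
            "window would outlast the tolerated outage")
    return {
        "process": obj.process,
        "criticality": criticality(obj.mtd),
        "total_recovery_time": total,
        "slack": obj.mtd - total,     # negative slack: the plan cannot meet MTD
        "strategy": recovery_strategy(obj),
        "meets_mtd": total <= obj.mtd,
        "findings": findings,
    }


# The retailer scenario from the slides: MTD 2 h, RTO 1 h, WRT 30 min, RPO 15 min.
RETAILER = RecoveryObjectives("online storefront", mtd=timedelta(hours=2),
                              rto=timedelta(hours=1), wrt=timedelta(minutes=30),
                              rpo=timedelta(minutes=15))

# A constructed counter-example whose RTO + WRT overruns its MTD.
OVERRUN = RecoveryObjectives("payroll batch", mtd=timedelta(hours=72),
                             rto=timedelta(hours=60), wrt=timedelta(hours=20),
                             rpo=timedelta(hours=24))

if __name__ == "__main__":
    for obj in (RETAILER, OVERRUN):
        report = assess(obj)
        print(report["process"], report["criticality"], report["meets_mtd"],
              report["strategy"], report["findings"])
```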
Testing Methods
✦ Structured walk-through test: walks through different scenarios of the plan from beginning to end to make sure nothing was left out. This also raises the awareness of team members about the recovery procedures.
✦ Simulation test: operational and support functions, or their representatives, come together to practice executing the disaster recovery plan based on a specific scenario. The simulation test continues up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment.

Testing Methods
✦ Parallel test: ensures that the specific systems can actually perform adequately at the alternate offsite facility. Some systems are moved to the alternate site and processing takes place there. The results are compared with the regular processing that is done at the original site.
✦ Full-scale test: the original site is actually shut down, and processing takes place at the alternate site. This is the most risky test and can impact the business in very serious and devastating ways if not managed properly; therefore, senior management approval needs to be obtained prior to performing full-interruption tests.

Testing Methods
✦ Structured walkthroughs: detailed exercises that involve the DR team actually performing the steps in the DR plan.
✦ Simulations: the most realistic type of DR testing, involving actual IT systems and data to simulate a disaster.
✦ Parallel test: involves running the DR plan alongside the production environment.
✦ Full-scale test: involves actually interrupting the production environment.

BCP Maintenance
✦ Review and maintenance
✦ Integrate into the change control process
✦ Update the plan
✦ Distribute after updating

Incident Response
✦ Computer security incident:
  ✦ Unauthorized or unlawful attack against an information asset (AIC)
  ✦ Occurred/completed
  ✦ Usually less significant than a disaster
✦ Incident response (IR):
  ✦ More reactive than proactive
  ✦ Plan for, detect, and correct impact
  ✦ Phases: planning, detection, reaction, recovery, review

IR Planning
✦ Preparation work is KEY to successful incident handling.
✦ Unlikely to find multiple identical incidents; many variations are possible.
✦ Response needs to allow for varying incidents and conditions.
✦ Reports produced need to be clear and specify all pertinent facts.

IR Planning
✦ Incident response team:
  ✦ Well trained, skilled, can make decisions
  ✦ Coordinate with law enforcement / external forensics experts
  ✦ Clear roles and responsibilities
  ✦ Clear procedures
✦ Organization level:
  ✦ System security: logging, integrity, monitoring, network IDS, etc.
  ✦ User training
  ✦ Data backup

IR Planning
✦ Interview relevant personnel:
  ✦ System administrators
  ✦ Managers
  ✦ End users
✦ Consider factors that determine the response:
  ✦ Has something similar been handled before?
  ✦ Cost?
  ✦ Origin of incident?
  ✦ Legal issues?

IR Procedures
✦ Triage (detection): declare the incident and initiate the response
✦ Investigation: collect data
✦ Containment: isolate affected computers, change configuration, disconnect system, etc.
✦ Analysis: find out the root cause
✦ Tracking: the source (internal/external) and how
✦ Recovery: recover the system and implement the necessary fix

Incident Response
✦ Triage (detection) is a critical incident response process that allows security teams to sort through a flood of alerts and potential threats to identify the most pressing issues. It involves initial screening of the reported event to determine whether it is indeed an incident and whether the incident-handling process should be initiated.
✦ Detection indicators:
  ✦ Network traffic
  ✦ System availability
  ✦ Memory and CPU usage
  ✦ Disk activity
  ✦ Processes/applications/users
  ✦ Abnormal activity
  ✦ Modification (time, date, size)
  ✦ System calls

Incident Response
✦ Incident investigation:
  ✦ Compile information about the incident
  ✦ Collect data/evidence
    ✦ Host-based data: live data, forensic duplication
    ✦ Network-based data: logs, traces
  ✦ The process must ensure data integrity and adhere to policy, laws, and regulations

Incident Response
✦ Incident response kit:
  ✦ Hardware
    ✦ Requires higher-end hardware
    ✦ Should enable connectivity with varying systems
    ✦ Disk space is critical, especially for larger-scale data collection
    ✦ Mobility is key
  ✦ Software
    ✦ Different OS versions
    ✦ Boot disks
    ✦ Software that enables viewing of all types of files
    ✦ Block-level copy tools

Containment
✦ Contain the breach so it doesn't spread and cause further damage to your business.
✦ If you can:
  ✦ disconnect affected devices from the Internet.
  ✦ have short-term and long-term containment strategies ready.
  ✦ have a redundant system backup to help restore business operations.
  ✦ update and patch your systems.
  ✦ review your remote access protocols (e.g. multi-factor authentication), change all user and administrative access credentials and harden all passwords.
✦ Questions to address:
  ✦ What's been done to contain the breach short term?
  ✦ What's been done to contain the breach long term?
  ✦ Has any discovered malware been quarantined from the rest of the environment?
  ✦ What sort of backups are in place?
  ✦ Does your remote access require true multi-factor authentication?
  ✦ Have all access credentials been reviewed for legitimacy, hardened and changed?
  ✦ Have you applied all recent security patches and updates?

Analysis
✦ Cyber incident analysis refers to the carefully orchestrated process of identifying what happened, why and how it happened, and what can be done to prevent it from happening again.
✦ From a cyber incident analysis report, both the goal of the cyber-attack and the extent of damage it has caused can be determined.
✦ It is a very crucial step of cyber incident response and paves the way for the subsequent steps.

Tracking
✦ The process of identifying and recording incidents so that you can streamline the process and track progress. Incident management software can help with incident tracking.
✦ Every incident, big or small, must be tracked and documented:
  ✦ Can identify trends over time and make effective data-driven decisions. This also allows teams to not drop the ball when moving the incident through different steps.
  ✦ Provides contextual information that influences decisions impacting service quality and operational efficiency.
  ✦ Access to information that identifies, records, and outlines how an incident is managed contributes to increased reliability and user satisfaction. It also enables learning and improving systems and/or processes.
  ✦ Helps increase visibility into the system. Tracking incident metrics like MTTD (mean time to detection), MTBF (mean time between failures), and MTTR (mean time to response) helps teams understand how the system behaves under certain conditions. It also helps them analyze their team’s performance in case of an incident.
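The Tracking slide names MTTD, MTBF and MTTR but does not show how they are derived from incident records. The following is an added example, not from the lecture material: it computes all three from a constructed incident log in Python. The record fields (occurred, detected, responded), the three sample incidents, and the choice to measure "time to response" from detection to the end of the response are assumptions.

```python
"""Incident tracking metrics from a constructed incident log.

Added example for the Tracking slide (not part of the lecture material). The
record layout, field names and the three sample incidents are assumptions.
Definitions follow the slide: MTTD = mean time to detection, MTTR = mean time
to response, MTBF = mean time between failures. All results are in minutes.
"""
from datetime import datetime
from statistics import mean

# Constructed sample data: when each fault began, when it was detected, and
# when the response was completed (ISO 8601, one timezone assumed throughout).
INCIDENTS = [
    {"id": "INC-001", "occurred": "2025-01-06T02:00:00",
     "detected": "2025-01-06T02:30:00", "responded": "2025-01-06T04:30:00"},
    {"id": "INC-002", "occurred": "2025-01-09T10:00:00",
     "detected": "2025-01-09T10:15:00", "responded": "2025-01-09T11:15:00"},
    {"id": "INC-003", "occurred": "2025-01-15T23:00:00",
     "detected": "2025-01-16T01:00:00", "responded": "2025-01-16T05:00:00"},
]


def _minutes(later, earlier):
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 60


def detection_minutes(incident):
    """Time from the fault starting until the team noticed it."""
    return _minutes(incident["detected"], incident["occurred"])


def response_minutes(incident):
    # Assumption: "time to response" is measured from detection to the end of
    # the response, since the slide does not fix the start point.
    return _minutes(incident["responded"], incident["detected"])


def mean_time_to_detection(incidents):
    return mean(detection_minutes(i) for i in incidents)


def mean_time_to_response(incidents):
    return mean(response_minutes(i) for i in incidents)


def mean_time_between_failures(incidents):
    """Mean gap between the start times of consecutive incidents."""
    starts = sorted(datetime.fromisoformat(i["occurred"]) for i in incidents)
    if len(starts) < 2:
        raise ValueError("MTBF needs at least two incidents")
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
    return mean(gaps)


def incidents_over_detection_target(incidents, target_minutes):
    """IDs of incidents whose detection took longer than the target: the kind
    of data-driven signal the slide mentions (e.g. where monitoring is weak)."""
    return [i["id"] for i in incidents if detection_minutes(i) > target_minutes]


def summary(incidents, detection_target_minutes=60):
    return {
        "mttd_minutes": mean_time_to_detection(incidents),
        "mttr_minutes": mean_time_to_response(incidents),
        "mtbf_minutes": mean_time_between_failures(incidents),
        "over_detection_target": incidents_over_detection_target(
            incidents, detection_target_minutes),
    }


if __name__ == "__main__":
    for key, value in summary(INCIDENTS).items():
        print(f"{key}: {value}")
```

Running the script prints the three means for the constructed log together with the incident that breached a 60-minute detection target; swapping in an export from an incident management tool only requires mapping its fields onto the three timestamps.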
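The Detection slide above lists modification (time, date, size) as a signal, the investigation slide requires that collected data preserve its integrity, and the Recovery slide that follows names file integrity monitoring as a control against recurrence. This added example (not the lecture's material) shows a minimal file integrity monitor in Python: a baseline of size, modification time and SHA-256 is taken for a directory tree, stored, and compared with a later scan. The directory layout, file names and report format are assumptions, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""File integrity monitoring: baseline a directory tree, then detect changes.

Added example (not part of the lecture material). The directory layout and
the report format are assumptions; the sample files are constructed inside a
temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Record size, modification time and SHA-256 for every file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_file(p),
            }
    return baseline


def save_baseline(baseline, path):
    # Keep the stored baseline somewhere the monitored host cannot rewrite it.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify each path as added, removed or modified. 'stealth' lists the
    modified files whose size and mtime still match the baseline: a check on
    metadata alone (the 'time, date, size' of the detection slide) would miss
    them, which is why the content hash is recorded as well."""
    report = {"added": [], "removed": [], "modified": [], "stealth": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif baseline[name]["sha256"] != current[name]["sha256"]:
            report["modified"].append(name)
            b, c = baseline[name], current[name]
            if b["size"] == c["size"] and b["mtime_ns"] == c["mtime_ns"]:
                report["stealth"].append(name)
    return report


def demo():
    """Build a constructed tree, baseline it, apply four kinds of change and
    return the comparison report (constructed data, not a real system)."""
    tmp = Path(tempfile.mkdtemp())
    store = tmp.parent / (tmp.name + ".baseline.json")  # outside the tree
    try:
        (tmp / "etc").mkdir()
        (tmp / "bin").mkdir()
        (tmp / "etc" / "app.conf").write_text("debug=false\n")
        (tmp / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (tmp / "bin" / "helper.sh").write_text("#!/bin/sh\necho ok\n")
        save_baseline(build_baseline(tmp), store)

        (tmp / "etc" / "app.conf").write_text("debug=true\n")  # plain edit
        (tmp / "etc" / "hosts.allow").unlink()                  # removal
        (tmp / "etc" / "new.conf").write_text("x=1\n")          # addition
        # Same-length edit with the old timestamp put back: size and mtime
        # look untouched, so only the hash reveals the change.
        helper = tmp / "bin" / "helper.sh"
        st = helper.stat()
        helper.write_text("#!/bin/sh\necho no\n")
        os.utime(helper, ns=(st.st_atime_ns, st.st_mtime_ns))

        return compare(load_baseline(store), build_baseline(tmp))
    finally:
        store.unlink(missing_ok=True)
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report separates ordinary edits from the case where metadata is unchanged, which is the reason the baseline keeps a content hash and not just the stat fields; the same hash-before, hash-after comparison is what gives a forensic duplicate its integrity evidence during investigation.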
Recovery
✦ This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.
✦ Questions to address:
  ✦ When can systems be returned to production?
  ✦ Have systems been patched, hardened and tested?
  ✦ Can the system be restored from a trusted back-up?
  ✦ How long will the affected systems be monitored and what will you look for when monitoring?
  ✦ What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/protection, etc.)

Post-Incident Activity
✦ Reporting
  ✦ Documentation needs to be done in a timely manner - delays should be avoided
  ✦ Documentation should be clear and easy to understand by all parties involved in the investigation
  ✦ Documentation should be standardized and templates should be derived to enhance and speed up the process of documentation
  ✦ Communicate to press, customers, shareholders
✦ Review/Follow-up
  ✦ Gather and discuss the lessons learnt
  ✦ Use of data
  ✦ Evidence retention

Exam Date: Wednesday, 22 January 2025, Time: 1:30pm – 4:40pm

End
