02_Handout_1(4).pdf

Full Transcript

IT1914

Security Concepts and Goals
Subjects and Objects of Security
Security Tactics for People, Processes, and Technology
As IT teams seek to create a layered security environment, they should consider the following tactics:
1. People – Employees can create some of the greatest risks to cybersecurity. When they are well informed,
however, they can also be an asset and the first line of defense.
Often, cybercriminals will specifically target employees as an attack vector based on their lack of
knowledge for security practices. For example, cybercriminals might target employees with phishing e-
mails to get them to click on a malicious link or divulge credentials. With this in mind, it’s imperative that
organizations conduct regular training sessions throughout the year to keep employees aware of
potential scams and how they can make their organization vulnerable.
Training programs like these will create a strong culture of cybersecurity that can go a long way toward
minimizing threats. A few of the cyber hygiene points IT teams will want to inform employees of include
the following:
Creating strong passwords that are unique to each account and not reused
Ensuring personal and work passwords are separate
Not opening or clicking links in suspicious e-mails or from unfamiliar senders
Ensuring applications and operating systems are regularly updated as soon as patches are
released
Not installing any unknown outside software, as these can open security vulnerabilities in the
network
Immediately reporting any unusual behavior or something strange happening on their
computers.

2. Processes – This layer of cybersecurity ensures that IT teams have strategies in place to proactively
prevent and to respond quickly and effectively in the event of a cybersecurity incident.
IT security teams should have a cyber-incident response plan in place. A good incident response plan will
provide an organization with repeatable procedures and an operational approach to address
cybersecurity incidents to recover business processes as quickly and efficiently as possible. Additionally,
ensuring proper backups are in place; regularly testing these backups is imperative to minimize downtime
and increase the chances of data recovery from a cyber-event.
Next are the collection and analysis of threat research. Every security strategy and tool must be informed
by current threat intelligence to detect and respond to threats effectively. For example, threat research
might reveal that cybercriminals have been carrying out attacks through a specific vulnerability, or
targeting endpoints with a specific malware. Armed with this information, IT teams can then take
proactive measures by making any necessary system updated and increasing monitoring to detect
behavior indicative of one of these attacks. It is also important that IT teams consult both local and global
threat data for the most comprehensive understanding of the threat landscape.
Another important process for achieving effective cybersecurity is the prioritization of assets. While IT
teams remain strained from a cybersecurity skills gap, networks have become increasingly sophisticated,
making it impossible to monitor each area of the network at all times manually. Security teams can
develop policies and deploy strategies to keep these data more secure and minimize consequences. This
might mean using network segmentation to add an extra level of security or creating access control
policies based on who needs access to these specific sets of data.

02 Handout 1 *Property of STI
 [email protected] Page 1 of 6
 IT1914

3. Technology – There are hosts of technologies that security teams can implement to layer their defenses.
It is important that IT teams do not implement isolated point solutions as they layer their defenses, but
rather select those tools based on their ability to be integrated and automated to create a security fabric
that can facilitate the rapid detection and mitigation of threats.
Another tactic that IT teams should leverage is deception technology. Network complexity is an Achilles
heel for adversaries. Deception technologies level the playing field by automating the creation of dynamic
decoys that are dispersed throughout the IT environment, making it harder for the adversary to
determine which assets are fake and which are real. When an adversary can’t make this distinction,
cybercriminals are forced to waste time on fake assets and exercise caution as they look for tripwires
embedded in these fake environment.

Emerging Technologies in Cybersecurity
Hardware authentication is a well-known fact that a majority of data users’ passwords and usernames are
weak. This makes it easy for hackers to get access to the information systems and compromise sensitive data
of a business entity or government agency. This has also exerted pressure on experts of systems security to
come up with more secure authentication methods. One of the ways is the development of user hardware
authentication.
Hardware authentication can be especially important when it comes to the Internet of Things (IoT) where the
network of connected devices ensures that any device that seeks to be connected has the rights for
connectivity to that particular network.

Cloud technology is set to have a significant impact on the transformation of systems security technology.
More business enterprises and government agencies have embraced cloud technology to store the vast
amounts of information that they generate daily.
There will be more approaches to information systems security that will be developed for use in the cloud.
Techniques for on-premise data storage will be migrated to the cloud. Components such as virtualized
intrusion detection and prevention systems, virtualized firewalls and virtualized systems security will now be
used from the cloud as opposed to the traditional forms.
Both private and public entities have doubled up their data center security by the use of Infrastructure as a
Service (IaaS) services such as FireHost and Amazon.

Deep learning encompasses some technologies like machine learning and artificial intelligence. There is a
significant deal of interest for systems security in these technologies. Deep learning, just like behavior
analytics, focuses on anomalous behavior. Whenever artificial intelligence and machine learning systems are
fed with the right data regarding potential systems security threats, they can make decisions on how to
prevent hacks depending on their immediate environment without any human point.
The system scrutinizes entities, instead of users, that have access to the information system. The most recent
developments in machine learning technology and exact business analytics mean that we can now analyze
different entities that are found in the enterprise at both the macro and the micro levels. Business
organizations and government agencies can now stamp out any persistent or advanced cyber threats using
artificial intelligence and machine learning.

02 Handout 1 *Property of STI
 [email protected] Page 2 of 6
 IT1914

Five (5) Types of Cybersecurity (Security rendered in the network)
Types Description Example
Critical Infrastructure This consists of the cyber-physical systems that modern Electricity grid, water
Security societies rely on. purification traffic
lights, shopping
centers, and hospitals
Application Security This is more accessible over networks, causing the Antivirus programs,
adoption of security measures during the development firewalls, and
phase to be an imperative phase of the project. encryption
Network Security This ensures that internal networks are secured by Extra logins, new
protecting the infrastructure and inhibiting access to it. passwords, and
application security
(firewalls, monitored
Internet access,
antispyware, antivirus)
Cloud Security It is a software-based security tool that protects and Software as a Service,
monitors data in cloud resources. Cloud providers are Infrastructure as a
constantly creating and implementing new security Service, private, on-site
tools to help enterprise users better secure their data. cloud, and virtualization
Internet of Things (IoT) IoT refers to a wide variety of critical and non-critical Connected security
Security cyber-physical systems like appliances, sensors, systems, thermostats,
televisions, Wi-Fi routers, printers, and security cars, electronic
cameras. appliances, and speaker
systems

Security Objectives
Security Policy
A security policy is a set of rules that applies to activities for the computer and communications resources that
belong to an organization. These rules include areas such as physical security, personnel security,
administrative security, and network security.
The security policy defines what an organization wants to protect and what it expects of its system users. It
provides a basis for security planning when designing new applications or expanding the current network. It
describes user responsibilities like protecting confidential information and creating nontrivial passwords. The
security policy should also describe how the effectiveness of security measures will be monitored. Such
monitoring helps in determining whether someone is attempting to circumvent the safeguards.
To develop a security policy, clearly define the security objectives. Afterward, take steps to put into effect the
rules it contains. These steps should include training employees and adding the necessary software and
hardware to enforce the rules. When making changes in computing environment, update the security policy
as well.

Security Objectives
When creating and carrying out a security policy, one must have clear objectives. These objectives must fall
into one (1) or more of the following categories:
Resource Protection – The resource protection scheme ensures that only authorized users can access
objects on the system. The ability to secure all types of system resources is a system strength. As such,

02 Handout 1 *Property of STI
 [email protected] Page 3 of 6
 IT1914

carefully define the different categories of users that can access the system. In addition, define what
access authorization can be given to these groups of users as part of creating security policy.
Authentication – The assurance or verification that the resource (human or machine) at the other end
of the session really is what it claims to be. Solid authentication defends a system against the security
risk of impersonation, in which a sender or receiver uses a false identity to access a system.
Traditionally, systems used passwords and usernames for authentication. Now, digital certificates can
provide a more secure method for authentication while offering other security benefits as well.
Authorization – This is an assurance that the person or computer at the other end of the session has
permission to carry out the request. Authorization is the process of determining who or what can
access the system resources or perform certain activities on a system. Typically, authorization is
performed in context application.
Integrity – This is an assurance that the arriving information is the same as what was sent out.
Understanding integrity requires understanding the concepts of data integrity and system integrity.
o Data Integrity – Data is protected from unauthorized changes or tampering. Data integrity
defends against the security risk of manipulation, or the act of intercepting and changing
information to which s/he is not authorized.
o System Integrity – The system provides consistent and expected results with expected
performance.
Nonrepudiation – This is the proof that a transaction occurred, or that a user sent or received a
message. The use of digital certificates and public key cryptography to sign transactions, messages,
and documents support nonrepudiation. Both the sender and the receiver agree that the exchange
takes place. The digital signature on the data provides the necessary proof.
Confidentiality – This is the assurance that sensitive information remains private and is not visible to
an eavesdropper. Confidentiality is critical to total data security.
Auditing Security Activities – These monitor security-relevant events to provide a log of both
successful and unsuccessful (denied) access. Successful access records tell who is doing what on the
systems. Unsuccessful (denied) access records tell either that someone is attempting to break the
security or that someone is having difficulty accessing the system.

IT Security Framework
Below are some key frameworks that are widely used in the industry.
1. National Institute of Standards and Technology (NIST) – It is a federal agency within the United States
Department of Commerce. NIST’s mission is to develop and promote measurement, standards, and
technology to enhance productivity, facilitate trade, and improve the quality of life. It also establishes IT
standards and guidelines for federal agencies. This cybersecurity framework is completely optional, but
it is designed to increase the resilience of an organization’s defenses.
The Cybersecurity Framework consists of three (3) main components:
Framework core – It provides a set of desired cybersecurity activities and outcomes using a
common language that is easy to understand.
Framework implementation tiers – These assist organizations by providing context on how an
organization views cybersecurity risk management.
Framework profiles – These are primarily used to identify and prioritize opportunities for
improving cybersecurity at an organization.

02 Handout 1 *Property of STI
 [email protected] Page 4 of 6
 IT1914

2. ISO/IEC – 27000 family – The International Organization for Standardization developed the ISO 27000
series. Because it is broad in scope, any type or size of organization can benefit from being familiar with
it and adopting its recommendations, as appropriate to an industry and business type.
ISO 27000 is a systematic approach to managing sensitive information securely (also known as the
Information Security Management System [ISMS]). It includes managing risk for people, processes, and
IT systems. This family is divided into different sub-standards—some of which apply to specific industries,
while others are specific to operational choices.
ISO 27000 includes a six-part approach:
I. Define a security policy.
II. Define the scope of the ISMS.
III. Conduct a risk assessment.
IV. Manage identified risks.
V. Select control objectives and controls to be implemented.
VI. Prepare a statement of applicability.

3. Payment Card Industry Data Security Standard (PCI DSS) – It was initiated to ensure businesses process
card payments were secure and to help reduce card fraud. This payment standard has principle
requirements, all of which are covered by these six (6) categories:
I. Build and maintain a secure network.
II. Protect card data.
III. Maintain a vulnerability program.
IV. Implement strong access control measures.
V. Regularly monitor and test networks.
VI. Maintain an Information security policy

Security Architecture
Security architecture is a unified security design that addresses the necessities and potential risks involved in
a particular scenario or environment. It also specifies when and where to apply security controls. The design
process is generally reproducible.
In security architecture, the design principles are clearly reported and in-depth security control specifications
are generally documented in independent documents. A system architecture can be considered a design that
includes a structure and can address the connection between the components of that structure.
The key attributes of security architecture are as follows:
Relationships and Dependencies – These signify the relationship between the various components
inside IT architecture and how they depend on each other.
Benefits – Security architecture’s main advantage is its standardization, which makes it affordable. It
is cost-effective due to the re-use of controls described in the architecture.
Form – Security architecture is associated with IT architecture; however, it may take a variety of forms.
It includes a catalog of conventional controls in addition to relationship diagrams and principles.
Drivers – Security controls are determined based on these four (4) factors:
o Risk management
o Benchmarking and good practice
o Financial
o Legal and regulatory

02 Handout 1 *Property of STI
 [email protected] Page 5 of 6
 IT1914

The key phases in the security architecture process are as follows:
Architecture Risk Assessment – This evaluates the business influence of vital business assets and the
odds and effects of vulnerabilities and security threats.
Security Architecture and Design – This is the design and architecture of security services, which
facilitate business risk exposure objectives.
Implementation – Security services and processes are implemented, operated and controlled.
Assurance services are designed to ensure that the security policy and standards, security architecture
decisions, and risk management are mirrored in the real runtime implementation.
Operations and Monitoring – These are the day by day processes, such as threat and vulnerability
management and threat management. Measures are taken to supervise and handle the operational
state in addition to the depth and breadth of the systems security.

References:
IBM Knowledge Center. (n.d.). Security policy and objectives [Web log post]. Retrieved from
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzaj4/rzaj40j0securitypolco.htm on April 26,
2019
Mind-core.com (2018, September 5). 5 types of cyber security [Web log post]. Retrieved from https://mind-core.com/5-
types-of-cyber-security/ on May 3, 2019
Security Architecture (n.d.). In Techopedia. Retrieved from https://www.techopedia.com/definition/72/security-
architecture on April 26, 2019
Tarun, R. (2018, December 10). A layered approach to cybersecurity: People, Processes, and Technology [Web log post].
Retrieved from https://www.csoonline.com/article/3326301/a-layered-approach-to-cybersecurity-people-
processes-and-technology.html on April 24, 2019
Theriault, C. (2019, March 28). What is an information security framework and why do I need one? [Web log post].
Retrieved from https://tbgsecurity.com/what-is-an-information-security-framework-and-why-do-i-need-one/ on
April 26, 2019
Tripwire.com (2018, March 25). 3 emerging innovations in technology that will impact cyber security [Web log post].
Retrieved from https://www.tripwire.com/state-of-security/featured/emerging-technology-cyber-security/ on
April 25, 2019

02 Handout 1 *Property of STI
 [email protected] Page 6 of 6