CCF-Session-1-v4-Regular-2023-lec-clsu-1.pdf

Full Transcript

Introduction to
Fundamentals of
Information Security
Refers to new measures, policies
or protocols that have an effect on
the attitude and behavior of people
in the field of public health after the
Covid-19 pandemic.
Internet Evolution

(APNIC)
 Imperva

https://www.imperva.com/resources/resource-library/reports/2021-cyberthreat-defense-report/
What does means for us?
Motivation
There are important ways
you can protect yourself and
your organization.

But first
“It is vital to understand the
major methods cyber
criminals use to accomplish
attacks! “
Types of Hackers and what they do

Grey hat exploit networks
Black-hat hacker is White-hat hacker,
and computer systems in
an individual who on the other hand,
the way that black hats
attempts to gain are deemed to be the
do, but do so without any
unauthorized entry good guys, working
malicious intent,
into a system or with organizations to
disclosing all loopholes
network to exploit strengthen the
and vulnerabilities to law
them for malicious security of a system
enforcement agencies or
reasons.
intelligence agencies.
 Attack Motivation

Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014
Attack Motivation
Attack Motivation
Joy Hacks

APNIC
Opportunistic Hacks

APNIC
Targeted Attack

APNIC
 Advanced Persistent Threats (APT)
Highly skilled (well funded) - specific targets – Mostly 0-days
Sometimes (not always) working for a nation-state
An attack in which an unauthorized user gains access to a
system or network and remains there for an extended period of
time without being detected.

Note: many lesser attacks blamed on APTs

APNIC
Attack Vector
vs
Attack Surface
 Attack Surface
What is an Attack Surface?
represented by all of the points on your network where an adversary can
attempt to gain entry to your information systems.
 Attack Vectors

What is an Attack Vector?

Attack vectors are the methods that adversaries use to breach or
infiltrate your network.
 Major Attack Vectors

1.Social Engineering: Phishing
2.Remote Access
3.Insider Threats
4.Brute-Force Attacks
5.Ransomware
6.Denial of Service
7.Access through Intermediaries
Social Engineering: Phishing
Remote Access
Insider Threats
 Brute force Attacks
A brute force attack, also known as an exhaustive search, is a
cryptographic hack that relies on guessing possible combinations of a
targeted password until the correct password is discovered.
Ransomware
 Denial of Service
A distributed denial-of-service (DDoS) attack is a malicious attempt to
disrupt the normal traffic of a targeted server, service or network by
overwhelming the target or its surrounding infrastructure with a flood of
Internet traffic.
Access through Intermediaries
Send your question
Is there any Differences?
 CIA TRIAD

The CIA triad is a
common, respected
model that forms the
basis for the
development of security
systems and policies.
 CIA TRIAD

Information
Security (InfoSec)
Information Security
(InfoSec) is preservation of
confidentiality, integrity and
availability of information.

Cyber Security
Defined as the “preservation
of confidentiality, integrity and
availability of information in the
Cyberspace.”
CIA objectives

To achieve the CIA objectives organizations
must protect two aspects or their IT
environment: application security and data
security.
 Critical Infrastructure
Critical
Infrastructure is the
body of systems, networks
and assets that are so
essential that their
continued operation is
required to ensure the
security of a given nation,
its economy, and the
public’s health and/or
safety.

The United States recognizes 16 distinct sectors of critical infrastructure, which are systems that are
considered crucial to national economic security and national public health.
Critical Infrastructure

Information
technology is
the fundamental
sector on which
all others depend.
 Recent Major Cyber Incidents involving
Critical Infrastructure

CERT-PH | Cybersecurity Bureau
 Critical Infrastructure
“Mr Blount also told
Senators the decision to
pay a $4.4m (£3.1m)
ransom to hackers in
Bitcoin was the "hardest
decision" in his career.

https://www.bbc.com/news/business-57050690
Send your question
 Recent Major Cyber Incidents involving
DATA Breach

CERT-PH | Cybersecurity Bureau
The Equifax data breach occurred between May and
July 2017 at the American credit bureau Equifax.
Private records of 147.9 million Americans along with
15.2 million British citizens and about 19,000
Canadian citizens were compromised in the breach,
making it one of the largest cybercrimes related to
identity theft.
Philippines Response to Cyber Security Threats

R.A. 10175
Cybercrime Prevention Act of 2012
R.A. 10173
Data Privacy Act of 2012
 What are the look up references for the cyber crime and
data privacy risks that must be mitigated?

R.A. 10175 An act defining cybercrime, providing for the prevention,
Cybercrime Prevention Act investigation, suppression and the imposition of penalties therefore
of 2012
and for other purposes

R.A. 10173 An act protecting individual personal information in information and
Data Privacy Act of 2012 communication systems in the government and the private sector,
creating for this purpose a National Privacy Commission, and for
other purposes.
 R.A. 10175
Cybercrime Prevention Act of 2012

1. It is offense against the confidentiality, integrity and availability of
computer data and systems.
1.1 Illegal Access. Access to the whole or any part of a computer system without right
1.2 Illegal Interception Interception made by technical means without right
1.3 Data Interference. Intentional or reckless alteration, damaging, deletion of computer data
1.4 System Interference Intentional alteration or reckless interference with the functioning of a computer or
computer network
1.5 Misuse of Devices Use, production, sale, procurement, importation, distribution, or otherwise making
available, without right
1.6 Cyber Squatting Acquisition of a domain name over the internet in bad faith to profit, mislead, destroy
reputation, and deprive others from registering the same
R.A. 10175
Cybercrime Prevention Act of 2012

2. It is offense related with the use of computer.
2.1 Forgery Input, alteration, or deletion of any computer data without right resulting in
inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic
2.2 Fraud Unauthorized input, alteration, or deletion of computer data or program or
interference in the functioning of a computer system, causing damage thereby
with fraudulent intent
2.3 Identity Theft Intentional acquisition, use, misuse, transfer, possession, alteration or
deletion of identifying information belonging to another, whether natural or
juridical, without right.
R.A. 10175
Cybercrime Prevention Act of 2012

3. It is offense related to creation and sharing of content.
3.1 Cybersex Willful engagement, maintenance, control, or operation, directly or indirectly,
of any lascivious exhibition of sexual organs or sexual activity, with the aid of
a computer system
3.2 Child Pornography Unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or
the Anti-Child Pornography Act of 2009, committed through a computer
system
3.3 Libel Unlawful or prohibited acts of libel as defined in Article 355 of the Revised
Penal Code, as amended, committed through a computer system
Data Privacy vs Right to Privacy
 Data Privacy Violation

Ø Privacy violation is illegal or unwanted act that endangers the privacy rights of a person and
security of personal data.
Ø Data privacy violation is penalized act according to R.A. 10173 Chapter VIII. The complaint
can be made through the use of NPC Complaint-Assisted Form.
Section 25 Unauthorized processing Section 30 Concealment of breach
Section 26 Negligence in access Section 31 Malicious disclosure
Section 27 Improper disposal Section 32 Unauthorized disclosure
Section 28 Unauthorized purpose Section 33 Combination of acts
Section 29 Unauthorized access or
intentional breach
 Data Privacy Violation

1. Unauthorized processing It is when personal information is processed without the
3-6 years imprisonment consent of the data subject, or without being authorized
500K-4M penalty
using lawful criteria
2. Negligence in access It is when personal information is made accessible due to
1-6 years imprisonment negligence and without being authorized by any existing
500K-4M penalty
law.
 Data Privacy Violation

3. Improper disposal It is when personal information is knowingly or
6 mos-3 years imprisonment negligently disposed, discard, or abandon in an area
100K-1M penalty
accessible to the public or has otherwise placed the
personal information of an individual in any container for
trash collection
4. Unauthorized purpose It is when personal information is processed for
1-7 years imprisonment purposes not authorized by the data subject, or
500K-2M penalty otherwise authorized by any existing laws.
 Data Privacy Violation

5. Unauthorized access It is when an individual handling personal information knowingly
or intentional breach and unlawfully, or violating data confidentiality and security
1-3 years imprisonment data systems, breaks in any way into any system where
500K-2M penalty
personal and sensitive personal information are stored.

6. Concealed breach It is when an individual or entity who has knowledge of a
1-5 years imprisonment security breach and of the obligation to notify the Commission
500K-1M penalty
pursuant to Section 20(f) of the Act, intentionally or by
omission conceals the fact of such security breach.
 Data Privacy Violation

7. Malicious disclosure It is when an individual or entity with malice or in bad
1-65years imprisonment faith, discloses unwarranted or false information relative
500K-1M penalty
to any personal information or sensitive personal
information obtained by him or her
8. Unauthorized disclosure It is when an individual or entity discloses to third party
1-5 years imprisonment personal information not covered by legitimate purpose,
500K-2M penalty
lawful criteria, and without the consent of the data
subject.
“Innocent of the law excuses no one.”
Send your question

Email:

[email protected]
[email protected]