
The Need For Cybersecurity.pdf


Full Transcript


The Need For Cybersecurity
Course: CYB105
Instructor: Stacy Nicholson
This Photo by Unknown Author is licensed under CC BY-NC

Learning Objective(s) and Key Concepts

Learning Objective(s)
▪ Explain cybersecurity and its effect on people and businesses.

Key Concepts
▪ Cybersecurity concepts
▪ Information systems security concepts
▪ Confidentiality, integrity, and availability (C-I-A)
▪ The seven domains of an IT infrastructure
▪ The weakest link in the security of an IT infrastructure
▪ IT security policy framework and data classification standard

What is Cybersecurity?
▪ The body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. [1]
▪ Cybersecurity covers preventative strategies applied to protect information from being stolen, compromised, or attacked. [2]
Source 1: Digital Guardian
Source 2: Cybersecurity Fundamental textbook

Motivation behind Cybercrimes
▪ Financial gain
▪ Data is valuable
▪ Political gain
▪ Exploit systems
▪ Taking on a technical challenge
▪ Seeking new knowledge
▪ Damage a business or individuals
▪ Etc.
This Photo by Unknown Author is licensed under CC BY-SA

Need for Cybersecurity
▪ A major concern for the entire world
▪ Cybercrimes are rising
▪ Businesses and individuals face cybersecurity threats
▪ Your data is valuable
▪ Threatened by criminals, hackers, and terrorists, who perform malicious activities, e.g., data and identity theft, DoS attacks, unauthorized access, financial fraud, etc.
▪ IoT devices and mobile phones are exploited
▪ Application software
▪ Etc.

Cybersecurity Cont.
▪ The Internet of Things (IoT) connects personal devices, home devices, and vehicles to the Internet
▪ More data to steal
▪ Cybersecurity is the duty of every government that wants to ensure its national security
▪ Data security is the responsibility of every organization that needs to protect its information assets and sensitive data
copyright@2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

IoT
(figure only)

Cyberspace: The New Frontier
(figure only)

Data versus Information

Data
▪ Refers to unprocessed facts
▪ Contains numbers, letters, characters, and multimedia objects
▪ Data is used as input for a computer system to generate information

Information
▪ Refers to processed data that give meaningful results to the user
▪ Processed information can be stored in some context for its intended receiver(s)

Risks, Threats, and Vulnerabilities
▪ Risk
  ▪ The level of exposure to some event that has an effect on an asset
▪ Threat
  ▪ Any action, either natural or human-induced, that could damage an asset
▪ Vulnerability
  ▪ A weakness that allows a threat to be realized or to have an effect on an asset

What Is Information Systems Security?
▪ Information system
  ▪ Hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations
▪ Security
  ▪ Being free from danger or risk
▪ Information systems security
  ▪ The collection of activities that protect the information system and the data stored in it

What Are We Securing?
(figure only)
Compliance Laws and Regulations Drive the Need for Information Systems Security
(figure only)

Tenets of Information Security
▪ Confidentiality
  ▪ Only authorized users can view information
▪ Integrity
  ▪ Only authorized users can change information
▪ Availability
  ▪ Information is accessible by authorized users whenever they request the information

Confidentiality (1 of 2)
Confidential information includes:
▪ Private data of individuals
▪ Intellectual property of businesses
▪ National security for countries and governments

Confidentiality (2 of 2)
▪ Cryptography
  ▪ Practice of hiding data and keeping it away from unauthorized users
▪ Encryption
  ▪ The process of transforming data from cleartext into ciphertext
▪ Ciphertext
  ▪ The scrambled data that results from encrypting cleartext

Encryption of Cleartext into Ciphertext
(figure only)

Integrity
▪ Maintain valid and accurate information
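The Confidentiality (2 of 2) and Integrity slides above define encryption (cleartext to ciphertext) and the requirement that only authorized users can change information. The following worked example is added here and is not part of the course slides or the textbook: it uses only the Python standard library, with a random one-time pad standing in for a real cipher (production systems use an authenticated cipher such as AES-GCM instead) and an HMAC-SHA256 tag for the integrity check. The cleartext, the key names, and the helper functions are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample cleartext for this demonstration (not from the slides).
CLEARTEXT = b"Payroll export: employee IDs and salaries"
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def generate_keys(length: int) -> Tuple[bytes, bytes]:
    """Return (pad, mac_key): a random one-time pad as long as the message,
    plus an independent 32-byte key for the integrity tag."""
    return secrets.token_bytes(length), secrets.token_bytes(TAG_LEN)


def encrypt(cleartext: bytes, pad: bytes) -> bytes:
    """Confidentiality: turn cleartext into ciphertext by XORing each byte
    with a pad byte. The one-time pad is a teaching stand-in for a real
    cipher; it must be as long as the message and must never be reused."""
    if len(pad) < len(cleartext):
        raise ValueError("pad must be at least as long as the cleartext")
    return bytes(m ^ k for m, k in zip(cleartext, pad))


def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(ciphertext, pad)


def seal(cleartext: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC-SHA256 tag over it."""
    ciphertext = encrypt(cleartext, pad)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(blob: bytes, pad: bytes, mac_key: bytes) -> Optional[bytes]:
    """Integrity first: recompute the tag and compare it in constant time.
    Return the cleartext only if the tag matches; otherwise None."""
    if len(blob) < TAG_LEN:
        return None
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(ciphertext, pad)


def tamper(blob: bytes, index: int = 0) -> bytes:
    """Flip one bit of the ciphertext, simulating an unauthorized change."""
    altered = bytearray(blob)
    altered[index] ^= 0x01
    return bytes(altered)


def demo() -> dict:
    """Exercise both tenets on the constructed cleartext."""
    pad, mac_key = generate_keys(len(CLEARTEXT))
    blob = seal(CLEARTEXT, pad, mac_key)
    return {
        "ciphertext_differs": blob[: len(CLEARTEXT)] != CLEARTEXT,          # confidentiality
        "round_trip": open_sealed(blob, pad, mac_key) == CLEARTEXT,          # authorized user
        "tamper_detected": open_sealed(tamper(blob), pad, mac_key) is None,  # integrity
        "wrong_key_rejected": open_sealed(blob, pad, secrets.token_bytes(TAG_LEN)) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The order of operations in open_sealed is the practical point: the tag is verified before any decryption, so a single flipped bit in the ciphertext is rejected outright rather than silently producing corrupted cleartext, which is what the Integrity tenet asks for.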
Availability
▪ In the context of information security
  ▪ The amount of time users can use a system, application, and data
▪ Availability time measurements
  ▪ Uptime
  ▪ Downtime
  ▪ Availability: A = (Total Uptime) / (Total Uptime + Total Downtime)
  ▪ Mean time to failure (MTTF)
  ▪ Mean time to repair (MTTR)
  ▪ Mean time between failures (MTBF)
  ▪ Recovery point objective (RPO)
  ▪ Recovery time objective (RTO)

Seven Domains of a Typical IT Infrastructure
(figure only)

User Domain
▪ Roles and tasks
  ▪ Users can access systems, applications, and data depending upon their defined access rights
▪ Responsibilities
  ▪ Employees are responsible for their use of IT assets
▪ Accountability
  ▪ The human resources department is accountable for implementing proper employee background checks

Common Threats in the User Domain
▪ Unauthorized access
▪ Lack of user awareness
▪ User apathy toward policies
▪ Security policy violations
▪ User inserting CD/DVD/USB with personal files
▪ User downloading photos, music, or videos
▪ User destroying systems, applications, and data
▪ Disgruntled employee attacking the organization or committing sabotage
▪ Employee romance gone bad
▪ Employee blackmail or extortion

Workstation Domain
▪ Roles and tasks
  ▪ Configure hardware, harden systems, and verify antivirus files
▪ Responsibilities
  ▪ Ensure the integrity of user workstations and data
▪ Accountability
  ▪ Ensure that the Workstation Domain conforms to policy
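The Availability slide above lists the time measurements (uptime, downtime, the availability ratio A, MTTF, MTTR, MTBF, RPO, and RTO) without showing how they are computed from real outage records. The following worked example is added here and is not part of the course slides or the textbook. It assumes a constructed 30-day observation window with three outages and a backup taken every 6 hours; the Outage class, the window length, and the function names are all assumptions made for this illustration, and it goes slightly beyond the slide by checking RTO and RPO targets against the same records.

```python
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Outage:
    """One service interruption, in hours since the observation window began."""
    start: float
    end: float

    @property
    def duration(self) -> float:
        return self.end - self.start


# Constructed sample data (not from the slides): a 30-day window with three
# outages, and a backup taken every 6 hours starting at hour 0.
WINDOW_HOURS = 720.0
OUTAGES: List[Outage] = [Outage(100.0, 102.0), Outage(300.0, 300.5), Outage(500.0, 501.5)]
BACKUP_INTERVAL_HOURS = 6.0


def total_downtime(outages: List[Outage]) -> float:
    return sum(o.duration for o in outages)


def total_uptime(window: float, outages: List[Outage]) -> float:
    return window - total_downtime(outages)


def availability(window: float, outages: List[Outage]) -> float:
    """A = Total Uptime / (Total Uptime + Total Downtime), as on the slide."""
    up, down = total_uptime(window, outages), total_downtime(outages)
    return up / (up + down)


def mttr(outages: List[Outage]) -> float:
    """Mean time to repair: the average length of an outage."""
    return total_downtime(outages) / len(outages) if outages else 0.0


def mttf(window: float, outages: List[Outage]) -> float:
    """Mean time to failure: the average operating time before the next failure."""
    return total_uptime(window, outages) / len(outages) if outages else math.inf


def mtbf(window: float, outages: List[Outage]) -> float:
    """Mean time between failures: one full fail-and-repair cycle, so MTBF = MTTF + MTTR."""
    return window / len(outages) if outages else math.inf


def longest_outage(outages: List[Outage]) -> float:
    return max((o.duration for o in outages), default=0.0)


def meets_rto(outages: List[Outage], rto_hours: float) -> bool:
    """RTO: every outage must be repaired within the recovery time objective."""
    return longest_outage(outages) <= rto_hours


def worst_case_data_loss(outages: List[Outage], backup_interval: float) -> float:
    """Hours of work that would have to be redone after the worst outage: the gap
    between the outage start and the most recent completed backup before it."""
    return max((o.start - math.floor(o.start / backup_interval) * backup_interval
                for o in outages), default=0.0)


def meets_rpo(outages: List[Outage], backup_interval: float, rpo_hours: float) -> bool:
    """RPO: the worst-case data loss window must not exceed the recovery point objective."""
    return worst_case_data_loss(outages, backup_interval) <= rpo_hours


def report(window: float, outages: List[Outage], backup_interval: float) -> Dict[str, float]:
    return {
        "uptime_h": total_uptime(window, outages),
        "downtime_h": total_downtime(outages),
        "availability": availability(window, outages),
        "mttf_h": mttf(window, outages),
        "mttr_h": mttr(outages),
        "mtbf_h": mtbf(window, outages),
        "worst_case_data_loss_h": worst_case_data_loss(outages, backup_interval),
    }


if __name__ == "__main__":
    for name, value in report(WINDOW_HOURS, OUTAGES, BACKUP_INTERVAL_HOURS).items():
        print(f"{name}: {value:.4f}")
    print("meets 1 h RTO:", meets_rto(OUTAGES, 1.0))
    print("meets 4 h RPO:", meets_rpo(OUTAGES, BACKUP_INTERVAL_HOURS, 4.0))
```

With the constructed records, 4 hours of downtime in a 720-hour window gives A = 716/720 (about 99.44%), an MTTR of 1.33 h, an MTTF of 238.67 h, and an MTBF of 240 h, which is MTTF plus MTTR. The same data fail a 1-hour RTO (the first outage lasted 2 h) and, with 6-hourly backups, the worst case loses 4 hours of data, so a 4-hour RPO is met but a 3-hour one is not; that distinction between how long recovery takes (RTO) and how much data is lost (RPO) is the point the slide's list leaves implicit.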
Common Threats in the Workstation Domain
▪ Unauthorized workstation access
▪ Unauthorized access to systems, applications, and data
▪ Desktop or laptop operating system and software vulnerabilities
▪ Desktop or laptop application software vulnerabilities and patches
▪ Viruses, malicious code, and other malware
▪ User inserting CD/DVD/USB with personal files
▪ User downloading photos, music, or videos
▪ Security risk due to user violation of the acceptable use policy (AUP)
▪ Bring Your Own Device (BYOD)

Local Area Network (LAN) Domain
▪ Consists of two or more computers in a relatively small coverage area, such as a single office, building, or campus
▪ Roles and tasks
  ▪ Includes both physical network components and the logical configuration of services for users
▪ Responsibilities
  ▪ Physical components and logical elements
▪ Accountability
  ▪ Maximize use and integrity of data within the LAN Domain

Common Threats in the LAN Domain
▪ Unauthorized access to the LAN
▪ Unauthorized access to systems, applications, and data
▪ LAN server operating system software vulnerabilities
▪ LAN server application software vulnerabilities and software patch updates
▪ Unauthorized access by rogue users on wireless LANs (WLANs)
▪ Compromised confidentiality of data on WLANs
▪ LAN servers with different hardware, operating systems, and software are difficult to manage and troubleshoot
LAN-to-WAN Domain
▪ Roles and tasks
  ▪ Includes both the physical pieces and the logical design of security appliances; physical parts need to be managed to give easy access to the service
▪ Responsibilities
  ▪ Physical components, logical elements, and applying the defined security controls
▪ Accountability
  ▪ Ensure that LAN-to-Wide Area Network (WAN) Domain security policies, standards, procedures, and guidelines are used

Common Threats in the LAN-to-WAN Domain
▪ Unauthorized network probing and port scanning
▪ Unauthorized access through the LAN-to-WAN Domain
▪ Denial of service (DoS)/distributed denial of service (DDoS) attacks
▪ IP router, firewall, and network appliance operating system vulnerabilities
▪ IP router, firewall, and network appliance configuration file errors or weaknesses
▪ Remote user download of sensitive data
▪ Download of unknown file type attachments from unknown sources
▪ Unknown email attachments and embedded URL links received by local users
▪ Lost productivity due to local users surfing the web

Wide Area Network (WAN) Domain
▪ Connects computers across a larger geographical area
▪ Roles and tasks
  ▪ Allow users the most access possible while making sure what goes in and out is safe
▪ Responsibilities
  ▪ Physical components and logical elements
▪ Accountability
  ▪ Maintain, update, and provide technical support, and ensure that the company meets security policies, standards, procedures, and guidelines
Common Threats in the WAN Domain (Internet)
▪ Open, public, and accessible data
▪ Most Internet traffic is sent as cleartext
▪ Vulnerable to eavesdropping
▪ Vulnerable to malicious attacks
▪ Vulnerable to DoS and DDoS attacks, TCP synchronize (SYN) flooding, and IP spoofing attacks
▪ Vulnerable to corruption of information/data
▪ Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
▪ Hackers, attackers, and perpetrators email Trojans, worms, and malicious software

Common Threats in the WAN Domain (Connectivity)
▪ Commingling of WAN IP traffic on the same service provider router and infrastructure
▪ Maintaining high WAN service availability
▪ Maximizing WAN performance and throughput
▪ Using Simple Network Management Protocol (SNMP) applications and protocols maliciously (ICMP, Telnet, SNMP, DNS, etc.)
▪ SNMP alarms and security monitoring 24/7/365

Remote Access Domain
▪ Roles and tasks
  ▪ Connect mobile users to their IT systems through the public Internet
▪ Responsibilities
  ▪ Maintain, update, and troubleshoot the hardware and logical remote access connection
▪ Accountability
  ▪ Ensure that the Remote Access Domain security plans, standards, methods, and guidelines are used

Common Threats in the Remote Access Domain
▪ Brute-force user ID and password attacks
▪ Multiple logon retries and access control attacks
▪ Unauthorized remote access to IT systems, applications, and data
▪ Private or confidential data compromised remotely
▪ Data leakage in violation of data classification standards
▪ A mobile worker's laptop is stolen
▪ Mobile worker token or other authentication stolen

System/Application Domain
▪ Roles and tasks
  ▪ Includes hardware, operating system software, applications, and data, and includes logical design
  ▪ Secure mission-critical applications and intellectual property assets both physically and logically
▪ Responsibilities
  ▪ Server systems administration, database design and management, designing access rights to systems and applications, and more
▪ Accountability
  ▪ Ensure that the System/Application Domain is in compliance with security policies, standards, procedures, and guidelines

Common Threats in the System/Application Domain
▪ Unauthorized access to data centers, computer rooms, and wiring closets
▪ Data breach where private data is compromised
▪ Corrupt or lost data
▪ Loss of backed-up data as backup media are reused
▪ Recovery of critical business functions potentially too time consuming to be useful
▪ Downtime of IT systems for an extended period after a disaster
▪ Unauthorized access to systems
▪ Downtime of servers to perform maintenance
▪ Server operating system software vulnerabilities
▪ Insecure cloud computing virtual environments by default
▪ Susceptibility of client-server and web applications

Weakest Link in the Security of an IT Infrastructure
▪ Humans are the weakest link in security
▪ Strategies for reducing risk:
  ▪ Check the background of job candidates carefully
  ▪ Evaluate staff regularly
  ▪ Rotate access to sensitive systems, applications, and data among staff positions
  ▪ Test applications and software and review them for quality
  ▪ Regularly review security plans
  ▪ Perform annual security control audits
  ▪ Etc.
Ethics and the Internet
▪ Human behavior online is often less mature than in normal social settings
▪ Demand for systems security professionals is growing rapidly
▪ The U.S. government and the Internet Architecture Board (IAB) defined a policy regarding acceptable use of the Internet geared toward U.S. citizens
▪ The policy is not a law, nor is it mandated
▪ Systems security professionals are responsible for doing what is right and stopping what is wrong

IT Security Policy Framework
▪ Policy
  ▪ A short written statement that defines a course of action that applies to the entire organization
▪ Standard
  ▪ A detailed written definition of how software and hardware are to be used
▪ Procedures
  ▪ Written instructions for how to use policies and standards
▪ Guidelines
  ▪ A suggested course of action for using a policy, standard, or procedure

Hierarchical IT Security Policy Framework
(figure only)

Foundational IT Security Policies
▪ Acceptable use policy (AUP)
▪ Security awareness policy
▪ Asset classification policy
▪ Asset protection policy
▪ Asset management policy
▪ Vulnerability assessment/management policy
▪ Threat assessment and monitoring policy

Data Classification Standards (1 of 2)
▪ Private data
  ▪ Data about people that must be kept private
▪ Confidential
  ▪ Information or data owned by the organization
▪ Internal use only
  ▪ Information or data shared internally by an organization
▪ Public domain data
  ▪ Information or data shared with the public

Data Classification Standards (2 of 2)
U.S. federal government data classification standards:
▪ Top secret
  ▪ Applies to information that the classifying authority finds would cause grave damage to national security if it were disclosed
▪ Secret
  ▪ Applies to information that the classifying authority finds would cause serious damage to national security if it were disclosed
▪ Confidential
  ▪ Applies to information that the classifying authority finds would cause damage to national security

Summary
▪ Cybersecurity concepts
▪ Information systems security concepts
▪ Confidentiality, integrity, and availability (C-I-A)
▪ The seven domains of a typical IT infrastructure
▪ The weakest link in the security of an IT infrastructure
▪ IT security policy framework and data classification standards
