Week 1 Introduction: The Danger (CS 6353) Network and System Security PDF

Summary

These lecture notes provide an introduction to network and system security, exploring different types of cyber threats and their potential impacts. The document covers topics including hijacked people, ransomed companies, and targeted nations. It explains the motivations and actions of various threat actors, as well as how to secure the Internet of Things (IoT). This is a part of a computer science course.

Full Transcript

CS 6353 Network and System Security
Dr Rajkumar Banoth, Associate Professor of Instruction
The University of Texas at San Antonio, Department of Computer Science
Office: NPB 3.204

Module: The Danger

Module Objectives
Module Title: The Danger
Module Objective: Explain why networks and data are attacked.

Topic / Topic Objective:
- War Stories: Explain why networks and data are attacked.
- Threat Actors: Explain the motivations of the threat actors behind specific security incidents.
- Threat Impact: Explain the potential impact of network security attacks.

War Stories

Hijacked People
Hackers can set up open “rogue” wireless hotspots posing as a genuine wireless network. Rogue wireless hotspots are also known as “evil twin” hotspots.

Ransomed Companies
Employees of an organization are often lured into opening attachments that install ransomware on the employees’ computers. This ransomware, when installed, begins the process of gathering and encrypting corporate data. The goal of the attackers is financial gain, because they hold the company’s data for ransom until they are paid.

Targeted Nations
Some of today’s malware is so sophisticated and expensive to create that security experts believe only a nation state or group of nations could possibly have the influence and funding to create it. Such malware can be targeted to attack a nation’s vulnerable infrastructure, such as the water system or power grid. One such malware was the Stuxnet worm, which infected USB drives and infiltrated Windows operating systems. It then targeted Step 7 software that was developed by Siemens for their Programmable Logic Controllers (PLCs).

Lab - Installing the Virtual Machine
In this lab, you will complete the following objectives:
- Install VirtualBox on your personal computer.
- Download and install the CyberOps Workstation Virtual Machine (VM).
Threat Actors

Threat Actors
Threat actors are individuals or groups of individuals who perform cyberattacks. They include, but are not limited to:
- Amateurs
- Hacktivists
- Organized crime groups
- State-sponsored groups
- Terrorist groups
Cyberattacks are intentional malicious acts meant to negatively impact another individual or organization.

Threat Actors (Contd.)
Amateurs: They are also known as script kiddies and have little or no skill. They often use existing tools or instructions found on the internet to launch attacks. Even though they use basic tools, the results can still be devastating.
Hacktivists: These are hackers who publicly protest against a variety of political and social ideas. They post articles and videos, leaking sensitive information, and disrupting web services with illegitimate traffic in Distributed Denial of Service (DDoS) attacks.
Financial Gain: Much of the hacking activity that consistently threatens our security is motivated by financial gain. Cybercriminals want to gain access to bank accounts, personal data, and anything else they can leverage to generate cash flow.
Trade Secrets and Global Politics: At times, nation states hack other countries, or interfere with their internal politics. Often, they may be interested in using cyberspace for industrial espionage. The theft of intellectual property can give a country a significant advantage in international trade.

How Secure is the Internet of Things?
The Internet of Things (IoT) helps individuals connect things to improve their quality of life. Many devices on the internet are not updated with the latest firmware. Some older devices were not even developed to be updated with patches. These two situations create opportunity for threat actors and security risks for the owners of these devices.
Threat Impact

PII, PHI, and PSI
Personally Identifiable Information (PII) is any information that can be used to positively identify an individual, for example, name, social security number, birthdate, credit card numbers, etc. Cybercriminals aim to obtain these lists of PII that can then be sold on the dark web. Stolen PII can be used to create fake financial accounts, such as credit cards and short-term loans.
The medical community creates and maintains Electronic Medical Records (EMRs) that contain Protected Health Information (PHI), a subset of PII.
Personal Security Information (PSI), another type of PII, includes usernames, passwords, and other security-related information that individuals use to access information or services on the network.

Lost Competitive Advantage
The loss of intellectual property to competitors is a serious concern. An additional major concern is the loss of trust that comes when a company is unable to protect its customers’ personal data. The loss of competitive advantage may come from this loss of trust rather than another company or country stealing trade secrets.

Politics and National Security
It is not just businesses that get hacked. State-supported hacker warriors can cause disruption and destruction of vital services and resources within an enemy nation. The internet has become essential as a medium for commercial and financial activities. Disruption of these activities can devastate a nation’s economy.

Lab - Visualizing the Black Hats
In this lab, you will research and analyze cybersecurity incidents to create scenarios highlighting how organizations can prevent or mitigate an attack.

The Danger Summary

What Did I Learn in this Module?
- Threat actors can hijack banking sessions and other personal information by using “evil twin” hotspots.
- Threat actors include, but are not limited to, amateurs, hacktivists, organized crime groups, state-sponsored groups, and terrorist groups.
- As the Internet of Things (IoT) expands, webcams, routers, and other devices in our homes are also under attack.
- Personally Identifiable Information (PII) is any information that can be used to positively identify an individual.
- The medical community creates and maintains Electronic Medical Records (EMRs) that contain Protected Health Information (PHI), a subset of PII.
- Personal Security Information (PSI) includes usernames, passwords, and other security-related information that individuals use to access information or services on the network.

Module: Fighters in the War Against Cybercrime

Module Objectives
Module Title: Fighters in the War Against Cybercrime
Module Objective: Explain how to prepare for a career in cybersecurity operations.

Topic / Topic Objective:
- The Modern Security Operations Center: Explain the mission of the Security Operations Center (SOC).
- Becoming a Defender: Describe resources available to prepare for a career in cybersecurity operations.

Elements of a SOC
To use a formalized, structured, and disciplined approach for defending against cyber threats, organizations typically use the services of professionals from a Security Operations Center (SOC). SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and customized hosted security. SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco’s Managed Security Services.

People in the SOC
SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
Tier 1 Alert Analyst: Monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.
Tier 2 Incident Responder: Responsible for deep investigation of incidents and advising on remediation or action to be taken.
Tier 3 Threat Hunter: Experts in network, endpoint, threat intelligence, malware reverse engineering and tracing the processes of the malware to determine its impact and how it can be removed. They are also deeply involved in hunting for potential threats and implementing threat detection tools. Threat hunters search for cyber threats that are present in the network but have not yet been detected.
SOC Manager: Manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

People in the SOC (Contd.)
First-tier jobs are more entry level, while third-tier jobs require extensive expertise. The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.

Process in the SOC
A Cybersecurity Analyst is required to monitor security alert queues and investigate the assigned alerts. A ticketing system is used to assign these alerts to the analyst’s queue. The software that generates the alerts can trigger false alarms, so the analyst needs to verify that an assigned alert represents a true security incident. When this verification is established, the incident can be forwarded to investigators or other security personnel to be acted upon. Otherwise, the alert is dismissed as a false alarm. If a ticket cannot be resolved, the Cybersecurity Analyst forwards the ticket to a Tier 2 Incident Responder for deeper investigation and remediation. If the Incident Responder cannot resolve the ticket, it is forwarded to Tier 3 personnel.
Technologies in the SOC: SIEM
A SOC needs a Security Information and Event Management (SIEM) system to understand the data that firewalls, network appliances, intrusion detection systems, and other devices generate. SIEM systems collect and filter data, and detect, classify, analyze and investigate threats. They may also manage resources to implement preventive measures and address future threats.

Technologies in the SOC: SOAR
SIEM and Security Orchestration, Automation and Response (SOAR) are often paired together, as they have capabilities that complement each other. Large security operations (SecOps) teams use both technologies to optimize their SOC. SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts. In addition, SOAR technology integrates threat intelligence and automates incident investigation and response workflows based on playbooks developed by the security team.

Technologies in the SOC: SOAR (Contd.)
SOAR security platforms:
- Gather alarm data from each component of the system.
- Provide tools that enable cases to be researched, assessed, and investigated.
- Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.
- Include pre-defined playbooks that enable automatic response to specific threats. Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.

SOC Metrics
Whether internal to an organization or providing services to multiple organizations, it is important to understand how well the SOC is functioning, so that improvements can be made to the people, processes, and technologies that comprise the SOC. Many metrics or Key Performance Indicators (KPIs) can be devised to measure different aspects of SOC performance.
However, five metrics are commonly used as SOC metrics by SOC managers:
- Dwell Time: The length of time that threat actors have access to a network before they are detected and their access is stopped.
- Mean Time to Detect (MTTD): The average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network.
- Mean Time to Respond (MTTR): The average time it takes to stop and remediate a security incident.
- Mean Time to Contain (MTTC): The time required to stop the incident from causing further damage to systems or data.
- Time to Control: The time required to stop the spread of malware in the network.

Enterprise and Managed Security
For medium and large networks, the organization will benefit from implementing an enterprise-level SOC, which is a complete in-house solution. Larger organizations may outsource at least a part of the SOC operations to a security solutions provider. Cisco offers a wide range of incident response, preparedness, and management capabilities, including:
- Cisco Smart Net Total Care Service for Rapid Problem Resolution
- Cisco Product Security Incident Response Team (PSIRT)
- Cisco Computer Security Incident Response Team (CSIRT)
- Cisco Managed Services
- Cisco Tactical Operations (TacOps)
- Cisco’s Safety and Physical Security Program

Security vs. Availability
Security personnel understand that for the organization to accomplish its priorities, network availability must be preserved. Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime. Security cannot be so strong that it interferes with the needs of employees or business functions. It is always a tradeoff between strong security and permitting efficient business functioning.
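The five SOC metrics defined above, computed over a small set of constructed tickets, as an added example that is not part of the course slides. The slides define the metrics in words only, so the choice of interval endpoints, the ticket field names and the sample timestamps are all assumptions made here; a false-alarm ticket is included to show that only verified incidents count.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    ticket: str
    first_access: datetime          # threat actor first gained access (forensic timeline)
    detected: datetime              # Tier 1 confirmed the alert as a true incident
    contained: Optional[datetime]   # further damage to systems or data was stopped
    remediated: Optional[datetime]  # incident fully stopped and remediated
    spread_stopped: Optional[datetime] = None  # malware spread halted (malware cases only)
    true_positive: bool = True      # alerts dismissed as false alarms are excluded


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600


def _avg(values):
    values = list(values)
    return round(mean(values), 2) if values else None


def soc_metrics(incidents):
    """Average each metric (hours) over confirmed incidents only.
    Endpoints assumed for this example: dwell = first_access->contained,
    MTTD = first_access->detected, MTTC = detected->contained,
    MTTR = detected->remediated, time to control = detected->spread_stopped."""
    valid = [i for i in incidents if i.true_positive]
    closed = [i for i in valid if i.contained and i.remediated]
    return {
        "dwell_time_h": _avg(_hours(i.contained, i.first_access) for i in closed),
        "mttd_h": _avg(_hours(i.detected, i.first_access) for i in valid),
        "mttc_h": _avg(_hours(i.contained, i.detected) for i in closed),
        "mttr_h": _avg(_hours(i.remediated, i.detected) for i in closed),
        "time_to_control_h": _avg(_hours(i.spread_stopped, i.detected)
                                  for i in valid if i.spread_stopped),
    }


# Constructed sample tickets (not real incidents); T is an arbitrary reference time.
T = datetime(2024, 3, 1, 8, 0)
SAMPLE_INCIDENTS = [
    # Ransomware via phishing attachment: detected after 6 h, spread halted at 7 h,
    # contained at 8 h, remediated at 32 h.
    Incident("INC-1001", T, T + timedelta(hours=6), T + timedelta(hours=8),
             T + timedelta(hours=32), spread_stopped=T + timedelta(hours=7)),
    # Evil-twin hotspot session hijack: unnoticed for 48 h, contained at 49 h, remediated at 53 h.
    Incident("INC-1002", T, T + timedelta(hours=48), T + timedelta(hours=49),
             T + timedelta(hours=53)),
    # Alert dismissed by Tier 1 as a false alarm; it must not distort the metrics.
    Incident("INC-1003", T, T + timedelta(hours=1), None, None, true_positive=False),
]
```

Running `soc_metrics(SAMPLE_INCIDENTS)` gives a dwell time of 28.5 h, MTTD 27.0 h, MTTC 1.5 h, MTTR 15.5 h and time to control 1.0 h; the long dwell time of the second ticket is what a SOC manager would flag for improvement.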
Becoming a Defender

Certifications
A variety of cybersecurity certifications that are relevant to careers in SOCs are available:
- Cisco Certified CyberOps Associate
- CompTIA Cybersecurity Analyst Certification
- (ISC)² Information Security Certifications
- Global Information Assurance Certification (GIAC)
Search for “cybersecurity certifications” on the Internet to learn more about other vendor and vendor-neutral certifications.

Further Education
Degrees: When considering a career in the cybersecurity field, one should seriously consider pursuing a technical degree or bachelor’s degree in computer science, electrical engineering, information technology, or information security.
Python Programming: Computer programming is an essential skill for anyone who wishes to pursue a career in cybersecurity. If you have never learned how to program, then Python might be the first language to learn.
Linux Skills: Linux is widely used in SOCs and other networking and security environments. Linux skills are a valuable addition to your skillset as you work to develop a career in cybersecurity.

Sources of Career Information
A variety of websites and mobile applications advertise information technology jobs. Each site targets a variety of job applicants and provides different tools for candidates to research their ideal job position. Many sites are job site aggregators that gather listings from other job boards and company career sites and display them in a single location.
- Indeed.com
- CareerBuilder.com
- USAJobs.gov
- Glassdoor
- LinkedIn

Getting Experience
Internships: Internships are an excellent method for entering the cybersecurity field. Sometimes, internships turn into an offer of full-time employment.
However, even a temporary internship allows you the opportunity to gain experience in the inner workings of a cybersecurity organization.
Scholarships and Awards: To help close the security skills gap, organizations like Cisco and INFOSEC have introduced scholarship and awards programs.
Temporary Agencies: Many organizations use temporary agencies to fill job openings for the first 90 days. If the employee is a good match, the organization may convert the employee to a full-time, permanent position.
Your First Job: If you have no experience in the cybersecurity field, working for a call center or support desk may be your first step into gaining the experience you need to move ahead in your career.

Lab - Becoming a Defender
In this lab, you will research and analyze what it takes to become a network defender.

Fighters in the War Against Cybercrime Summary

What Did I Learn in this Module?
- Major elements of the SOC include people, processes, and technologies.
- The job roles include a Tier 1 Alert Analyst, a Tier 2 Incident Responder, a Tier 3 Threat Hunter, and a SOC Manager.
- A Tier 1 Analyst monitors incidents, opens tickets, and performs basic threat mitigation.
- SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.
- SOAR integrates threat intelligence and automates incident investigation and response workflows based on playbooks developed by the security team.
- KPIs are devised to measure different aspects of SOC performance. Common metrics include Dwell Time, Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Mean Time to Contain (MTTC), and Time to Control.

What Did I Learn in this Module? (Contd.)
- There must be a balance between security and availability of the networks. Security cannot be so strong that it interferes with employees or business functions.
- A variety of cybersecurity certifications that are relevant to careers in SOCs are available from different organizations.

Acknowledgment
These slides are partially based on the lecture notes from Marwadi University Netacad.
