Introduction
WEEK 1
Not all data is information. Data becomes information when it is interpreted in a
context and given meaning. For example, “14041989” is data; if we know that it is a
person's date of birth, then it is information. So information is data that carries
meaning. Information security is about protecting information, and generally focuses
on confidentiality, integrity and availability (CIA).
By these definitions, cyber security is about the security of anything in the cyber
realm, while information security is about the security of information regardless of
the realm. From these definitions, one can view information security as a superset of
cyber security.
The CIA triad (confidentiality, integrity and availability) is a well-established
model in information security, which focuses on three key aspects:
Symmetric trust. Since the sender and receiver have to share the same symmetric
key, there is an implication that, to an extent, the sender and receiver ‘trust’ one
another. This ‘trust’ arises since anything cryptographic that the sender can do (by
deploying the symmetric key), the receiver can also do (by deploying the same key).
Key establishment. The sender and the receiver need to agree on a symmetric key in
advance of use of a symmetric cryptosystem. Thus the sender and receiver need to
have access to a secure key establishment mechanism.
However, nothing ever comes for free. There are two major problems with the
briefcase protocol:
• Authentication. The very freedom we gain through being able to securely
communicate with an entity we had no prior trust relationship with, comes with
a significant vulnerability. This is a lack of assurance we have indeed securely
communicated with the entity we think we are communicating with. Alice has
no guarantees (other than the word of the courier) that it is Bob who applies the
second padlock. There is no authentication of any type in the briefcase
protocol. While it is true we did not specify authentication in our requirements,
the briefcase protocol illustrates the dangers of omitting authentication as a
requirement in such a scenario.
• Efficiency. The briefcase protocol involves three journeys (or passes) between
Alice and Bob. This is clearly inefficient since we normally require a message
to be passed securely using just one communication. We must do better than
this because in many applications communication bandwidth is expensive.
In this analogy, Alice faces two challenges. Firstly she has to acquire Bob’s padlock.
Secondly, and more significantly, Alice has to be sure it really is Bob’s padlock she is
using.
Symmetric cryptography is generally very fast. Public-key cryptography introduces
noticeable delays: it involves hard computational work for a computer, so it is slow.
So, despite the key-management advantages of public-key cryptography, in general we
don't want to use it unless we have to.
So in this example of buying something from an online store, we're forced to use
public-key cryptography somehow. But we also know that public-key cryptography is
rather slow. Can we get away with using it surgically, just for what we need and no
more? This is what SSL/TLS does: it combines symmetric and public-key cryptography
to get the best of both worlds. The idea is very straightforward.
Your web browser generates a symmetric key and encrypts it using the public key of
the online store. It passes that across to the online store, which decrypts it to
recover the symmetric key. That symmetric key is then used to encrypt the bulk data
traffic. In this way we've harnessed the best of both worlds.
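The exchange just described, written out as an added example in Go (this is not code from the course). The store's RSA key pair, the browser's session key and the order text are all constructed here; wrapping the key with RSA-OAEP and protecting the bulk traffic with AES-GCM are this example's choices, not something the notes specify (real TLS negotiates its cipher suite, and current versions use key agreement rather than RSA key transport). The slow public-key operation is spent once, on 32 bytes of key; everything else is symmetric.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed example: the "store" owns an RSA key pair; the "browser" makes a
// fresh AES-256 session key, wraps it with the store's public key (RSA-OAEP)
// and then protects the bulk traffic with that key (AES-GCM).

// WrapSessionKey (browser side): encrypt the symmetric key under the store's
// public key. Only the holder of the matching private key can recover it.
func WrapSessionKey(storePub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, storePub, sessionKey, nil)
}

// UnwrapSessionKey (store side): recover the symmetric key.
func UnwrapSessionKey(storePriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, storePriv, wrapped, nil)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBulk encrypts and authenticates bulk data under the session key; the
// random nonce is prepended so the receiver can find it.
func SealBulk(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBulk reverses SealBulk and fails if the ciphertext was tampered with.
func OpenBulk(sessionKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// HybridExchange runs the whole exchange once and returns what the store
// recovers. Only the wrapped key and the sealed data cross the "network".
func HybridExchange(order string) (string, error) {
	storeKey, err := rsa.GenerateKey(rand.Reader, 2048) // store's long-term key pair
	if err != nil {
		return "", err
	}
	sessionKey := make([]byte, 32) // browser: fresh key for this connection only
	if _, err := rand.Read(sessionKey); err != nil {
		return "", err
	}
	wrapped, err := WrapSessionKey(&storeKey.PublicKey, sessionKey) // the one public-key step
	if err != nil {
		return "", err
	}
	sealed, err := SealBulk(sessionKey, []byte(order)) // fast symmetric bulk encryption
	if err != nil {
		return "", err
	}
	recoveredKey, err := UnwrapSessionKey(storeKey, wrapped) // store side from here on
	if err != nil {
		return "", err
	}
	plain, err := OpenBulk(recoveredKey, sealed)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	out, err := HybridExchange("order: 1 x widget")
	fmt.Println(out, err)
}
```

Because the bulk traffic is protected with an authenticated mode, a modified ciphertext is rejected rather than decrypted to garbage; the example does nothing about the authentication gap the notes raise for the briefcase protocol, since nothing here proves that the public key really belongs to the store.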
WEEK 3
In information security and related computer science fields, we consider three
different states for data: data at rest, data in use, and data in motion. The first
two are the concern of computer security and the third of network security.
However, information is not the only thing put at risk when connecting information
systems to a network; devices are too. For example, a denial of service (DoS) attack
overloads the computer system.
Authentication refers to the process followed to verify that a certain attribute
claimed by an entity is true. In information security we use authentication to verify
the identity of the persons or systems involved in an interaction. Once the user or
system has been authenticated, we use authorization to decide whether it has the right
to perform the action it is trying to execute.
Generally speaking, access control works in the following way. A user wants to
perform an operation on a certain resource. Access to the resource is governed by
what we call an access control policy. This policy defines a set of rules that allows
the access control system to determine whether the identity is allowed to execute the
operation on the resource. If the policy determines that the user has the right to
perform that operation on the resource, the system proceeds with the operation.
There are many access control models, such as discretionary, mandatory and role-based
access control.
• In discretionary access control, each resource has an owner who decides the
access rights to the resource. The owner can grant or revoke access, or even
transfer ownership of the resource to other users.
• In mandatory access control, access rights are assigned centrally. Users can
access resources as stated in the policy. However, they don't own resources, so
they cannot transfer access rights or modify the ownership of a resource.
• Finally, in role-based access control, users are assigned to roles based on
their functions, and each role is assigned specific permissions. In this way,
managing access rights is a matter of assigning appropriate roles to each user in
the system. This makes it very easy to add or modify a user's access rights when
their requirements change within the same organization.
Having an appropriate access control model and access control policy is key to
enforcing the security of a system or organization.
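A minimal role-based access control check, added here as an example in Go (it is not course material). The roles, users, actions and resources are constructed; the point to notice is that the decision function never consults the user directly, only the roles they hold, so a change of job is one role reassignment rather than an edit to every resource's rights.

```go
package main

import "fmt"

// Permission is an (action, resource) pair that a role is allowed to perform.
type Permission struct {
	Action   string
	Resource string
}

// Policy holds the two relations of the RBAC model: role -> permissions and
// user -> roles.
type Policy struct {
	RolePerms map[string][]Permission
	UserRoles map[string][]string
}

// NewPolicy returns an empty policy (nobody may do anything yet).
func NewPolicy() *Policy {
	return &Policy{RolePerms: map[string][]Permission{}, UserRoles: map[string][]string{}}
}

// Grant adds a permission to a role.
func (p *Policy) Grant(role, action, resource string) {
	p.RolePerms[role] = append(p.RolePerms[role], Permission{action, resource})
}

// Assign gives a user a role; Revoke takes it away again.
func (p *Policy) Assign(user, role string) {
	p.UserRoles[user] = append(p.UserRoles[user], role)
}

func (p *Policy) Revoke(user, role string) {
	kept := p.UserRoles[user][:0]
	for _, r := range p.UserRoles[user] {
		if r != role {
			kept = append(kept, r)
		}
	}
	p.UserRoles[user] = kept
}

// Authorized is the access control decision: the operation is allowed only if
// some role held by the user carries a matching permission. Anything not
// explicitly granted, including an unknown user, is denied.
func (p *Policy) Authorized(user, action, resource string) bool {
	for _, role := range p.UserRoles[user] {
		for _, perm := range p.RolePerms[role] {
			if perm.Action == action && perm.Resource == resource {
				return true
			}
		}
	}
	return false
}

// ExamplePolicy builds the constructed policy used below: clerks read the
// ledger, accountants read and update it, auditors read it and the audit log.
func ExamplePolicy() *Policy {
	p := NewPolicy()
	p.Grant("clerk", "read", "ledger")
	p.Grant("accountant", "read", "ledger")
	p.Grant("accountant", "update", "ledger")
	p.Grant("auditor", "read", "ledger")
	p.Grant("auditor", "read", "audit-log")
	p.Assign("alice", "clerk")
	p.Assign("bob", "accountant")
	return p
}

func main() {
	p := ExamplePolicy()
	fmt.Println(p.Authorized("alice", "update", "ledger")) // false: clerks only read
	p.Revoke("alice", "clerk")
	p.Assign("alice", "accountant") // alice changes job: one role change, nothing else
	fmt.Println(p.Authorized("alice", "update", "ledger")) // true
	fmt.Println(p.Authorized("mallory", "read", "ledger")) // false: unknown user, default deny
}
```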
Vulnerabilities are weaknesses in a system that can negatively affect the security
properties of the system. Vulnerabilities appear because developing computer systems
is a very complex task.
Modern operating systems were designed with security in mind, and include many
features that help information systems and networks remain safe from threats.
Examples of such features:
• Disk encryption
• Application signing: first, it identifies the developer of the application.
Second, the authority can verify the security of the application before signing
it and providing the certificate. And third, it provides an easy method to prevent
the installation of applications from unknown sources.
• Memory protection techniques, such as address space layout randomization
(ASLR) and data execution prevention (DEP), protect systems from executing
arbitrary code when a software vulnerability is being exploited. ASLR randomizes
the location of code in the system's memory. This makes it more difficult to
locate which parts of memory hold the program the exploit wants to take
advantage of.
Security products include host intrusion detection systems and anti-virus software.
Host intrusion detection systems analyze the operations executed on the host, and
sometimes the network traffic going to that host, to identify malicious activities.
Like network intrusion detection systems, host intrusion detection systems can
identify malicious behaviors by matching previously known malicious patterns or by
identifying abnormal behavior.
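The two detection strategies side by side, as an added example in Go (not course material): signature rules that match known-bad patterns per event, and a rate check that flags abnormal behaviour only when the whole batch is considered. The host events, the two patterns and the failed-login threshold are all constructed for this example; a real HIDS ships far larger rule sets and learns its baselines from the host's own history.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed host events (not from the page), in the shape a simple host
// agent might record process executions and logins.
var SampleEvents = []string{
	"login user=alice result=ok",
	"exec user=alice cmd=/usr/bin/ls",
	"exec user=alice cmd=/usr/bin/cat /etc/hosts",
	"login user=bob result=fail",
	"login user=bob result=fail",
	"login user=bob result=fail",
	"login user=bob result=fail",
	"login user=bob result=fail",
	"exec user=www-data cmd=/bin/bash",
	"exec user=alice cmd=/usr/bin/vim notes.txt",
}

// Alert is what the detector emits: which strategy fired and why.
type Alert struct {
	Kind   string // "signature" (known-bad pattern) or "anomaly" (abnormal behaviour)
	Detail string
}

// Signature rules: previously known malicious patterns, matched per event.
var signatures = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"web service account spawned a shell", regexp.MustCompile(`^exec user=www-data cmd=/bin/(ba)?sh\b`)},
	{"password hash file read", regexp.MustCompile(`^exec .*cmd=\S*(cat|less) /etc/shadow\b`)},
}

// FailThreshold: more failed logins than this for one user within a batch is
// treated as abnormal. A constructed baseline; a real HIDS would learn it.
const FailThreshold = 3

// field returns the value of a key=value token in an event, or "".
func field(ev, key string) string {
	for _, tok := range strings.Fields(ev) {
		if strings.HasPrefix(tok, key+"=") {
			return strings.TrimPrefix(tok, key+"=")
		}
	}
	return ""
}

// Analyze runs both strategies over a batch of host events. Signature
// matching is per event; the anomaly check needs the whole batch because it
// looks at a rate, not at any single line.
func Analyze(events []string) []Alert {
	var alerts []Alert
	failures := map[string]int{}
	for _, ev := range events {
		for _, sig := range signatures {
			if sig.Re.MatchString(ev) {
				alerts = append(alerts, Alert{"signature", sig.Name + ": " + ev})
			}
		}
		if strings.HasPrefix(ev, "login ") && field(ev, "result") == "fail" {
			failures[field(ev, "user")]++
		}
	}
	for user, n := range failures {
		if n > FailThreshold {
			alerts = append(alerts, Alert{"anomaly", fmt.Sprintf("%d failed logins for user %s", n, user)})
		}
	}
	return alerts
}

// CountKind summarises a batch of alerts by strategy.
func CountKind(alerts []Alert, kind string) int {
	n := 0
	for _, a := range alerts {
		if a.Kind == kind {
			n++
		}
	}
	return n
}

func main() {
	for _, a := range Analyze(SampleEvents) {
		fmt.Printf("[%s] %s\n", a.Kind, a.Detail)
	}
}
```

Run on the sample batch this raises one signature alert (the web server's service account starting a shell) and one anomaly alert (five failed logins for bob), while alice's ordinary commands and the single successful login produce nothing.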
WEEK 4
Unfortunately, security is not only about the technical means to achieve it, but also
about the processes and people involved in those processes. Security management is
concerned with how to use the security technologies in the real world to protect
organizational assets. This means putting together the technical aspects of security,
processes, and people so organizations can achieve their business goals.
Security management is not only deciding which security technology to use. Security
controls need to be configured, integrated into the organization, monitored, updated,
and replaced as necessary. Security management covers all aspects that help an
organization to preserve the three famous security goals. These are, as you probably
already know, confidentiality, integrity, and availability. In the context of security
management, confidentiality means that information assets should only be read by
those users that are entitled to do so. Integrity is about preventing users modifying
organizational assets when they do not have the necessary authorization. Finally,
availability means that organization assets can be accessed by authorized users when
needed. Security management also provides accountability and auditability, and
helps demonstrate compliance with standards and regulations.
• What was the security management process in place at the company when the
breach occurred?
• What went wrong?
• What do you think would prevent such a breach from happening again?
The 27000 series is a set of information security standards that establishes
requirements, recommendations and guidelines for implementing information security.
The series is developed by the ISO/IEC joint technical committee 1, subcommittee 27,
hence its name. As you may imagine, the information in these standards must be
updated frequently to reflect new developments and threats in business sectors; the
members of subcommittee 27 meet twice a year in person to update documents and
propose new ones for the 27000 series.
ISO 27001 is the most important standard of the series. Organizations can request
to be certified against it. When an organization obtains a 27001 certification, it
means that a third party has verified that the organization implements an information
security management system (ISMS) that fulfils all the requirements of the 27001
standard.
ISO 27006 establishes the requirements for bodies providing audit and certification
of information security management systems. These requirements must be fulfilled by
any organization wishing to provide ISMS certification. ISO 27009 explains how to
include additional requirements for specific sectors.
The third category of standards in the 27000 series is the guideline standards:
27002, 27003, 27004, 27005, 27007, 27013 and 27014. 27002 provides a catalog of
security controls and guidance on their use; it is the oldest member of the series
and a direct descendant of BS7799. 27003 provides ISMS implementation guidance.
27004 provides guidance on how to measure the effectiveness of an ISMS and its
controls. 27005 deals with risk management. And finally, 27007 covers ISMS auditing.
The fourth category is the sector-specific standards: 27010, 27011, 27015, 27017,
27018 and 27019. These apply to specific sectors such as telecommunications,
financial services, cloud services and personally identifiable information
processors.
Finally, the last category is the control-specific guideline standards. These
provide a more detailed set of guidelines for the security controls mentioned across
the rest of the series. They include, among others, 27031, which describes guidelines
to ensure business continuity, 27032, which provides guidelines for cybersecurity,
and 27033, which describes network security concepts.
Plan-Do-Check-Act model (PDCA)
• Plan what you need to do to achieve the objective
• Do what you planned
• Check that what you have done achieves what you planned for it to achieve, and
identify any gaps or shortfalls
• Act on the findings of the check phase to address the gaps and/or improve the
efficiency and effectiveness of what you have in place
Requirements applicable to an ISMS or other management system:
• Document controls
• Internal audit
• Management review
A security policy describes the specific rules that must be followed to keep the
organization secure. Policies are different from standards. A standard is a collection
of requirements that must be met by everyone conforming to that standard. Standards
like the 27000 series go beyond organizational boundaries, while security policies
apply within the organization's scope.
In most cases, an organization will have several security policies depending on the
level of the organization and the area they are meant to cover. At the higher level of
the organization, the security policy should set out the organization's approach to
managing its information security objectives. At a lower level, information security
policies should be supported by topic-specific policies. These detail the
implementation of information security controls and are typically structured to
address the needs of particular target groups within the same organization.
Information security policies should address requirements created by business
strategy, regulation, legislation and contracts, and of course by the information
security threat landscape. Security policies are only useful if the affected employees
and departments within the organization are aware of their existence and contents.
One common method of informing employees about security policies is an information
security awareness program. When designing a security policy, there are several
factors to take into consideration, such as the size, the culture and the business
goals of the organization.
A security control is any kind of measure we put in place to reduce the risk of a
breach and achieve the security goals of an organization. ISO/IEC 27002 provides a
list of commonly used security controls and best practices for their implementation.
Security controls are organized in categories depending on the topic or security goal
they help achieve. Some of these categories may seem straightforward because of their
close relation to the technical aspects of information security: access control,
cryptography, communication security, asset and media management and incident
management, among others. The secure development lifecycle is another kind of
security control. It introduces a series of tasks into the software development
process to avoid the appearance of software vulnerabilities. These tasks include
establishing a secure development environment, performing source code review and
security testing, and verifying third-party and outsourced software components.
Other, less obvious categories of security controls include human resources, physical
security, system acquisition and supplier relations, among others. Security controls
can be technical, like cryptography or access control, or organizational, like human
resources and supplier relations. Not all security controls need to be implemented;
that depends on the needs of the organization, the regulations it is subject to and
the business processes it executes. However, it is very important that you know all
of them and can justify why a specific security control is not required.
The iterative process of risk management consists of the following sub-processes:
context establishment, risk assessment, risk treatment, risk acceptance, risk
communication and consultation, and finally risk monitoring and review. First, we
need to establish the context of the risk assessment process. This includes deciding
which assets will be taken into account, which risks will be looked at and how they
will be evaluated. Risk assessment is the main process of risk management. In this
phase, risks are identified, measured and prioritized. Risks can be quantified or
described qualitatively. During risk assessment, we determine the value of
information assets, identify the potential threats and vulnerabilities that exist,
identify the existing controls and their effect, determine the potential consequences
of the risk, and finally prioritize the risks according to a quantified measure or a
qualitative description. The risk treatment phase involves implementing the necessary
measures to treat the risk. There are many different ways of treating a risk. A risk
can be reduced by implementing corrective or preventive controls. It can be eliminated
by removing the source of the risk. It can be shared, with an insurance company for
example, or it can simply be accepted. The risk acceptance phase serves to gather all
the accepted risks so that they are explicitly acknowledged by the managers of the
organization. This step is important when risks are accepted for lack of financial
resources. Risk communication is used to communicate the existing risks and the
treatment controls to managers and other staff. This can help avoid security breaches
while the treatment controls are being implemented.
Finally, identified risks are monitored and reviewed. This is required to ensure that
the risk management process stays up to date and the treatment controls are
implemented. Risk management is an iterative process whose goal is to identify,
analyze, evaluate and treat risks. It is not only about reducing risk: it is about
identifying risks and finding the best possible treatment within the organization for
those that exceed the acceptable level.
Risk assessment involves risk identification, risk analysis and risk evaluation.
• Risk identification determines how, where and why a potential loss may happen.
It requires first identifying all the assets within the scope of the risk
assessment. Then we must identify the threats that may harm the previously
identified assets. A threat can come from a natural or a human source, can be
accidental or deliberate, and can come from inside or outside the organization.
Risk identification also identifies the vulnerabilities that may be exploited by
those threats and the existing controls that help prevent those vulnerabilities
from being exploited. Finally, we must identify the consequences that could be
caused by the realization of the identified threats.
• Risk analysis provides a qualitative or quantitative measure of the risks that
affect our assets. This generally involves measuring the likelihood of an event
happening and the impact of that event. When measuring likelihood, we generally
consider the skills and motivation of the attacker and the difficulty of
exploiting the system vulnerability. When measuring impact, we look at the cost
of the effect the threat has on the confidentiality, integrity and availability
of the asset. Cost must be measured in terms of its effect on the business
processes of the organization.
Once we have estimated the likelihood and impact of a threat scenario, we can
estimate the level of risk this scenario generates. Risk estimation combines the
likelihood of an event happening with its impact. If both are determined using
quantitative measures, risk is generally the product of the two. If both are
determined using qualitative measures, risk is generally read off a risk rating table
(a risk matrix indexed by likelihood and impact).
The results of the risk assessment are used to decide whether the risk should be
treated and prioritize the implementation of treatment controls.
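Risk estimation both ways, as an added example in Go (not from the course): the product for quantitative inputs, and a constructed 3x3 rating table for qualitative ones, followed by the prioritization that hands scenarios to the treatment phase. The table's cell values, the level names and the three scenarios are this example's assumptions; organizations define their own scales.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is a qualitative rating used for likelihood, impact and risk alike.
type Level int

const (
	Low Level = iota
	Medium
	High
)

func (l Level) String() string { return [...]string{"Low", "Medium", "High"}[l] }

// QuantitativeRisk: with numeric inputs the risk is the product, e.g. an
// annual probability of 0.25 and a loss of 80000 give an expected annual
// loss of 20000.
func QuantitativeRisk(likelihood, impact float64) float64 {
	return likelihood * impact
}

// riskMatrix is a constructed rating table (not from the page):
// rows are likelihood, columns are impact.
var riskMatrix = [3][3]Level{
	/* likelihood Low    */ {Low, Low, Medium},
	/* likelihood Medium */ {Low, Medium, High},
	/* likelihood High   */ {Medium, High, High},
}

// QualitativeRisk looks the (likelihood, impact) pair up in the matrix.
func QualitativeRisk(likelihood, impact Level) Level {
	return riskMatrix[likelihood][impact]
}

// Scenario is one threat scenario from the assessment.
type Scenario struct {
	Name       string
	Likelihood Level
	Impact     Level
}

// Prioritize orders scenarios by rated risk, highest first, so the treatment
// phase can work through them in order. The sort is stable, so scenarios with
// equal risk keep the order the assessment listed them in.
func Prioritize(scenarios []Scenario) []Scenario {
	out := append([]Scenario(nil), scenarios...)
	sort.SliceStable(out, func(i, j int) bool {
		return QualitativeRisk(out[i].Likelihood, out[i].Impact) >
			QualitativeRisk(out[j].Likelihood, out[j].Impact)
	})
	return out
}

func main() {
	scenarios := []Scenario{ // constructed scenarios
		{"laptop theft, disk unencrypted", Medium, High},
		{"office flood", Low, High},
		{"phishing of finance staff", High, High},
	}
	for _, s := range Prioritize(scenarios) {
		fmt.Printf("%-32s likelihood=%-6s impact=%-6s risk=%s\n",
			s.Name, s.Likelihood, s.Impact, QualitativeRisk(s.Likelihood, s.Impact))
	}
	fmt.Println("expected annual loss:", QuantitativeRisk(0.25, 80000))
}
```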
Today, you cannot worry only about yourself; you also need to worry about the people
and organizations you interact with and the laws that regulate those interactions.
Depending on the country you are in, you will probably have laws about privacy and
data protection, national security, anti-terrorism and financial governance. As
business methods and technologies are constantly evolving, these laws have to be
updated frequently. This has a lot of impact on how business works, and in some
cases you may find yourself breaking a regulation you were not aware existed.
Security management processes should identify which business processes are subject
to particular legislation and provide the necessary controls to ensure that the
restrictions and requirements imposed by those laws are met. This can be really
complex and challenging for big corporations, as they might be subject to
contradictory regulations from different countries.
Unfortunately, regardless of our efforts, security incidents will happen eventually.
These incidents can affect the confidentiality, integrity and availability of assets.
If we prepare for these incidents before they happen, we will be better placed to act
when the moment arrives. There are five phases in the management of a security
incident: reporting, investigation, assessment, correction and review.
• Reporting consists of capturing all the available information about the
security event: the time the event was first noticed, the identity of the first
responder, the location or asset affected by the event, a description of the
event, its impact and, of course, all the actions taken after it.
• Investigation: responders analyze the assets affected by the event. The analysis
of these assets may require the use of forensic procedures. Incidents that
involve law enforcement will, of course, require proper handling of the
evidence.
• Assessment: reviewing the information gathered about the event and deciding
whether the event should be classified as a security incident. Security incidents
are security events that have a relevant impact on the security properties of the
organization's assets. When a security event is raised to a security incident, the
set of planned responses is triggered. All the decisions made during the incident
assessment should be logged in the incident report.
• Correction: implementation of any corrective actions necessary to respond to
the incident. Enabling backup servers is an example of a corrective action.
Corrective actions should also be logged in the incident report.
• Review: the incident management and the corrective controls applied to mitigate
the security incident are reviewed. Additionally, this phase reviews all the
other processes affected by the assets involved in the event. For instance, a
risk management process may need to be updated after a security incident to
reflect the new controls imposed and the new likelihood of such events happening
again.
In some cases, security events may put at risk the immediate continuity of the
business processes. In these cases, the correction phase is prioritized over the
other phases. Some organizations develop a specific plan for these extreme scenarios,
called a business continuity plan. Whether we like it or not, security incidents will
happen within our organization, and preparing for them is a key factor in
successfully responding to and recovering from them. Some security incidents can put
at risk the continuity of the business. To prepare for such events, the information
security team should develop a business continuity plan that outlines the main
measures to implement so that operations can continue after a major incident or
disaster.
WEEK 5
Vertical is used to denote a set of similar types of business, for example it might refer
to retail, or banking, or government
Verticals can also be used to denote sets of producers, such as anti-virus vendors,
network security vendors and so on.
The Enforcer community helps to regulate and support the overall network of
producers and consumers.
"Interactions" take place at a variety of points: between enforcers and consumers
and producers, consumers and producers, producers and producers, and consumers and
consumers.
Consumers can cooperate, and not only among themselves but with the whole
community. Banks, for example.
Critical infrastructure here has been categorised by value and criticality. The
criticality scale uses the impact on essential services, economic impact, and impact
on life as a basis to determine what is critical. In the UK we have:
• Communications
• Emergency Services
• Energy/Power
• Financial services
• Food
• Government
• Health
• Transport
• Water
• Defence/Military
• Civil nuclear
• Space
• Chemicals
Verticals. Market analysts such as Gartner, Forrester, IDC etc. create verticals as a
basis for classifying or categorising markets. As mentioned in the video there are a
large number of these, such as:
From my perspective, the one thing that we've missed critically from this is the
adversary.
We need adversaries in this model because a lot of what we do is actually driven by
adversaries.
And these adversaries can be individuals, gangs, businesses. They can be national and
international.
They can even be a nation state, as we've seen from some news reports. And the
drivers for adversaries are much the same as they are for any business.