ITI581 CYBER SECURITY FUNDAMENTALS
Subject Introduction
Subject Introduction
Your Mentor…
Andrew Stephen
• 25+ years in the IT industry
• 20+ years in information security management, consulting, strategy,
architecture, governance, risk, compliance and operations
• Information security experience across multiple organisations and industries
–
–
–
–
–
–
Banking & financial services
Airlines
Utilities & critical infrastructure
Education
Health
Government
• Tertiary qualified with various industry certifications
Class Times
• Tutorials will run/be available:
– Tuesday evenings 8:00pm Sydney time.
– https://itmasters.zoom.us/j/97354430418?pwd=LzR6eTdPallacHRENFZv
RUU3Z1RDZz09
• All recordings will be uploaded to Interact within 24 hours.
– Interact
– PDF copy of slides
– Numerous other resources available throughout the course as
applicable.
• If you are unable to attend tutorials that is fine!
– Watch the recording and stay in touch via Discussion forums or e-mail
Contact
andrew.stephen@itmasters.edu.au
• Course Content ONLY
• E-Mail me at any time.
• I monitor discussion forums often.
EVERYTHING ELSE
admin@itmasters.edu.au
Extensions
•
•
Must be made in advance of due date.
Length must be negotiated.
To apply for an extension of <= 7 days: https://assist.csu.edu.au
For a longer extension: e-mail admin@itmasters.edu.au
•
You DO NOT need to get my permission or e-mail me regarding
extensions.
Subject Outline
Learning Objectives (LOs)
• be able to construct and implement a security baseline for an organisation;
• be able to justify an appropriate set of security policies for an organisation,
and to ensure policy compliance;
• be able to analyse the security threats to a network and propose effective
countermeasures;
• be able to apply security protection mechanisms, such as authentication
and access control;
• be able to investigate the cause of a security incident, and to respond as
appropriate.
Text
CompTIA Security+ Study Guide: Exam SY0-601
– Paperback or eBook is fine.
– Older versions are not suitable.
– Available via CSU library.
Assessment – Case Study
Case Study
– Single scenario, broken into 3 parts.
– Worth 55% of your final mark.
– Part 1 – 10%, Due 23:59 (11:59PM) AEST on 6th June 2022
– Part 2 – 15%, Due 23:59 (11:59PM) AEST on 4th July 2022
– Part 3 – 30%. Due 23:59 (11:59PM) AEST on 25th July 2022
APA 7 referencing
Assessment - Exam
• E-exam - will be available to register for later in the session
• Worth 45% of final grade (hurdle requirement!)
– WXYZ multiple choice (not as easy as it sounds).
– Standard multiple choice.
– Extended answer.
• More on this later in the session.
• Date TBA but during exam period.
Subject Feedback
• Online feedback forms
– Mid-session to: adjust things if required
– End of session: to help improve this, and other, subjects
• Notification will be posted on Main Discussion Forum when available
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 1
Contemporary Security Fundamentals
Topic Reading
•
Chapter 1: Today’s Security Professional.
•
Interact Content.
Security Primitives
Information
Security
Primary
Goals
• Mechanisms by which
networked information assets
are protected.
• Protect confidentiality.
• Maintain integrity.
• Assure availability.
Security Provides?
Security should ensure that:
• Users can only perform tasks they are authorised for.
• Users can only obtain information they are authorised to have.
• The elimination of damage to data, applications, or operating environment.
• Data exchanges are conducted in a secure and safe manner.
Security Models
CIA/DAD Triads
Goal
•
•
Threat/Risk
Confidentiality
Disclosure
Integrity
Alteration
Availability
Denial
Fundamental model.
We will use this one exclusively but there are others that exist.
Security Models
McCumber Cube
•
First model to formally evaluate
information security, merging
theory with practical
implementations in policy,
education, and technology.
Security Models
Community Cyber Security Maturity Model
•
A “yardstick” to allow communities to measure
their current level of cyber security maturity.
•
A “roadmap” so communities can know what
they need to do in order to advance the state of
their cyber preparedness.
•
A common point of reference so different
communities can discuss common aspects of
security and issues.
https://nationalcpc.org/ccsmm.html
Impact of Breaches
Incident impacts can be many & varied
Depends on nature of incident and organization type
Risks can be categorized as relating to:
•
•
•
•
•
Financial
Reputational
Strategic
Operational
Compliance
Risks are rarely singular, rather multiple risks co-exist
Security Controls
Organizations must analyze the risk
environment to determine:
•
Level of protection required to
preserve C, I & A.
• Controls to facilitate the required
level of protection.
• Cost/benefit of implementation of
controls.
Security Control Categories
Controls are categorized based on how they achieve their objectives:
Category of Control
Mechanism of Action
Technical
Digital enforcement of C, I & A. Examples include
firewall rules, ACLs, intrusion prevention & crypto.
Operational
Processes enforced to manage technology securely.
Examples include monitoring and vulnerability
assessment and management.
Managerial
Procedures that focus on the process of risk
management. Examples include annual risk
assessments, security planning, secure change
management, DR/BCP.
Security Control Categories
Many mechanisms of action may be combined to provide a
complete security paradigm for an organizational environment.
For example, an organization with the goal to prevent
unauthorized access to a R&D facility might achieve this by;
• Implementing biometric access control (technical).
• Regularly review authorization list (operational).
• Bi-annual risk assessments (managerial).
Security Control Types
Controls can be further categorized based on the desired effect.
Control Type
Desired Effect
Preventive
Stops an issue before it occurs, e.g. firewall.
Detective
Identify issues that have occurred, e.g. IDS.
Corrective
Remediate issues that have occurred, e.g. backups.
Deterrent
Prevents attempts to violate security policies, e.g.
guard dogs, CCTV.
Physical
Controls that impact the physical world, e.g. fences,
gates, fire suppression systems.
Compensating
Mitigate the risk when exceptions to security policy
occur, e.g. PCI DSS certification.
Data Protection
•
•
Much time is spent protecting data against breaches of C, I or A.
To help protect data it is useful to understand the 3 possible states of data:
Data State
Description
At rest
Stored data residing in any storage location. Can be at
risk of theft/damage from anyone who can gain
access.
In motion
Data in transition across some form of
communications link. Can be at risk of eavesdropping
or MiTM type attacks.
In processing
Data actively being used by a compute system. Is at
risk if compute system is compromised.
Keeping Data Safe
Tool
Description
Encryption
Encryption technology uses mathematical algorithms (and
keys) to protect information from disclosure, in transit and
while it resides on systems.
Data Loss Prevention
DLP systems enforce information handling policies and
procedures to prevent data loss and theft. They monitor
sensitive information stores and intercept and block possible
breaches.
Data Minimization
This seeks to reduce risk by reducing the sensitive
information that is regularly maintained i.e. when information
is no longer needed it is removed, destroyed or deidentified.
Big Picture
Cybersecurity professionals:
•
are responsible for ensuring the confidentiality, integrity, and availability of
information and systems maintained by their organizations.
•
seek to protect their organizations by evaluation of risks to the CIA triad.
•
design and implement an appropriate mix of security controls drawn from
the managerial, operational, and technical control categories. Controls
should vary and include preventive, detective, corrective, deterrent,
physical, and compensating controls.
Risk Management
Risk Management
•
Beyond basic security fundamentals, the concepts of risk management are
perhaps the most important and complex part of the information security
and risk management domain.
A risk comprises a threat and a vulnerability of an asset, defined as follows:
• Threat: Any natural or man-made circumstance that could have an adverse
impact on an organizational asset.
• Vulnerability: The absence or weakness of a safeguard in an asset that
makes a threat potentially more likely to occur, or likely to occur more
frequently.
• Asset: An asset is a resource, process, product, or system that has some
value to an organization and must, therefore, be protected.
Goals of Risk Analysis
•
Identify assets and their values.
•
Identify vulnerabilities and threats.
•
Provide an economic balance between the impact of the threat and the
cost of the countermeasure.
Risk Analysis Steps
•
Identify the assets to be protected, including their relative value, sensitivity,
or importance to the organization.
•
Define specific threats, including threat frequency and impact data.
•
Determine the probability and business impact of these potential threats
•
Select appropriate safeguards. This is a component of both risk
identification and Risk Control/Management.
Quick Word on ALE
• Single Loss Expectancy (SLE) is a measure of the loss incurred from a
single realized threat or event, expressed in dollars. It is calculated as Asset
Value ($) x Exposure Factor (EF).
• Exposure Factor (EF) is a measure of the negative effect or impact that a
realized threat or event would have on a specific asset, expressed as a
percentage.
• Annualized Rate of Occurrence (ARO) is the estimated annual frequency of
occurrence for a threat or event.
Quick Word on ALE
•
The Annualized Loss Expectancy (ALE) provides a standard, quantifiable
measure of the impact that a realized threat has on an organization’s
assets.
• ALE is determined by this formula:
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) =
Annualized Loss Expectancy (ALE)
Qualitative Risk Analysis
•
Qualitative risk analysis is scenario-driven and doesn’t attempt to assign
numeric values to the components (assets and threats) of the risk analysis.
•
Develop real scenarios that describe a threat and potential losses to
organizational assets.
•
Unlike a quantitative risk analysis, it’s possible to conduct a purely
qualitative risk analysis.
Risk Matrix (Likelihood) - example
Rare
Unlikely
Possible
Likely
Almost Certain
<5% chance
5% - 10% chance
10% - 50% chance
50% - 90% chance
>90% chance
Less than once every
20 years
Every 10-20 years
Every 2-10 years
Every 1-2 years
More that once per
year
Risk Matrix (Consequence) – example
Insignificant
Financial
<$10,000
Reputation/Brand
Isolated media attention
- no change in public or
customer perception.
No regulatory
involvement.
Regulatory compliance
No fines but possibility
of litigation.
Minor
$10,000-$100,000
Moderate
Major
$100,000-$1M
$1M-$5M
>$5M
Short term media
attention – minor
change in public or
customer perception.
National media attention
or social media activity –
minor change in public
or customer perception.
National or international
media attention or social
media activity –
significant change in
public or customer
perception.
Prolonged national or
international media
attention or social media
activity – substantial
change in public or
customer perception.
Warning/request for
explanation from
regulator.
Moderate financial
penalties.
Major financial penalties.
Severe financial
penalties.
Minor fines/penalties.
Medium period of
litigation or regulatory
scrutiny.
Long period of litigation
or regulatory scrutiny.
Short period of litigation
or regulatory scrutiny.
Safety or injury
No treatment required.
Severe
First aid or treatment by
medical practitioner – no
follow up required.
Extended period of
litigation or regulatory
scrutiny.
Loss/suspension of
operating license.
Treatment by medical
practitioner requiring
ongoing treatment – no
permanent disability.
Admission to hospital
requiring ongoing
treatment – possible
permanent disability.
Immediate admission to
hospital requiring
ongoing treatment –
permanent disability/loss
of capacity.
Risk Matrix (Consequence) – example (cont’d)
Security
Insignificant
Minor
Moderate
Major
Severe
Impacts to systems not
rated important or critical
Single instance of
“Internal” information
compromised
Multiple instances of
“Internal" information
compromised
Single instance of
"Confidential"
information
compromised
Multiple instances of
"Confidential"
information
compromised
Single "Important"
system(s) unavailable
for up to 1hour
Single "Important"
system unavailable for
1-24 hours
Single "Critical"
system(s) unavailable
for up to 1hour
Single "Critical" system
unavailable for 1-24
hours
Multiple "Important"
systems unavailable for
1-24 hours
Multiple "Critical" system
unavailable for up to 1
hour
Single "Important"
system unavailable for
1-7 days
Single "Important"
system unavailable for
>7 days
Multiple "Important"
systems unavailable for
up to 1 hour
Multiple "Important"
system unavailable for
>1 day
Operations
No impact to operations
– workaround readily
available and easily
implemented.
Minor impact (<1hr) to
operation.
Moderate impact (1-4hr)
to operations.
Moderate impact (4-8hr)
to operations.
Moderate impact ( >8hr)
to operations.
Likely DR/BCP
declaration.
Risk Matrix (example)
Risk Matrix
Source: https://cdn6.bigcommerce.com/s-g93hfm7/product_images/uploaded_images/example-cybersecurity-risk-assessment-matrix.jpg?t=1452991364
Qual v Quan
•
Quantitative risk analysis attempts to assign an objective numeric value
(cost) to the components (assets and threats) of the risk analysis.
•
In quantitative risk analysis all elements of the process, including asset
value, impact, threat frequency, safeguard effectiveness, safeguard costs,
uncertainty, and probability are measured and assigned a numeric value.
•
Achieving a purely quantitative risk analysis is impossible.
Qual v Quan
•
Qualitative risk analysis is scenario-driven and doesn’t attempt to assign
numeric values to the components (assets and threats) of the risk analysis.
•
Develop real scenarios that describe a threat and potential losses to
organizational assets.
•
Unlike a quantitative risk analysis, it’s possible to conduct a purely
qualitative risk analysis.
Risk Control Remedies
Risk Control Remedies
• Avoid
– Simply avoid the activity that would make you incur the risk.
– This is the simplest strategy, but potentially very costly because the
benefit of the activity is eliminated.
• This strategy can work well for risks that result in;
– a catastrophic failure if incurred,
– or which cannot be reasonably addressed by any other strategy.
Risk Control Remedies
• Control
– Continue to perform the activity while putting mechanisms in place to
mitigate (reduce) the risk of the activity.
– There is usually some level of residual risk.
• Common cyber security controls include firewalls, intrusion detection
systems, antivirus, policies, and incident response management.
Risk Control Remedies
• Accept
– Continue to perform the activity with no mitigations in place.
– Requires analyzing the various components of the risk before
proceeding.
• This strategy can work well when the cost of addressing the risk with one of
the other strategies is greater than the cost of incurring the risk.
Risk Control Remedies
• Transfer
– Does not mitigate the overall risk, but it does move ownership of the risk
to another entity.
– Typically done in the form of an insurance policy or cooperative.
– While it is straightforward to purchases insurance for traditional risk
categories, doing so for cyber risk can be a challenge due to its novelty
and dynamics.
• This strategy can work well for risks that are low likelihood but high impact.
Risk Control Remedies
• Ignore
– This is NEVER effective.
– May seem like acceptance but is significantly different.
– Accepting risk is the acknowledgement of the risk yet moving forward
despite it. Ignoring risk simply assumes that there is no risk or that it is
insignificant.
• Ignoring risk and the risk management process can lead to:
– Catastrophic failure: inadvertently accepting more risk than you would
have had you truly understood it.
– Missed opportunity: avoidance of an activity because you believe the risk
is too high, even though it may not be.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 2
Cybersecurity Threats
Topic Reading
•
Chapter 2: Cybersecurity Threat Landscape.
•
Interact content.
Evolution of Threats
•
Cybersecurity threats have increased in sophistication, prevalence and
diversity over time.
•
Hackers are not longer unsocial, long haired, introverts hiding in darkened
rooms!
•
Threat actors vary widely in skills, capabilities, resources and motivation.
•
Cybersecurity professionals must be skilled, agile and organized to protect
contemporary digital systems and assets.
Threat Characteristics
•
Threat characteristics are important because the allow cybersecurity
professionals to be at one with an opponent (i.e. understand attackers).
Characteristic
Description
Internal v External
Threats can exist both outside and inside our environment. Inside
threats are generally more dangerous because of the elevated level of
trust given to internal actors.
Sophistication
Threat actors vary in skill from “script kiddie” to hardened blackhat,
state sponsored agent or simple guru of security.
Resources
Similar to the point above the availability of resources can greatly
enhance the danger a threat actor represents.
Intent/Motivation
This also widely varies and can be tied to the level of both
sophistication and resources available to a threat actor.
White, Grey and Black…Hats
• White-Hat Hackers: Authorized actors who seek to discover and advise on
vulnerabilities in an environment through vulnerability scanning and
penetration testing type activities.
• Black-Hat Hackers: Unauthorized actors who, with malicious intent, attempt
to defeat security mechanisms and unlawfully impact C, I or A.
• Grey-Hat Hackers: Semi-authorized actors who act without any
authorization but with the intent to warn and prevent black-hat attacks.
Who are the Threat Actors
• Script Kiddies
• Derogatory term for those who hack but lack finesse, skill or
sophistication.
• Often use entirely automated or web-based tools and make little attempt
to conceal their identities.
• Can represent a significant threat because of the vast array of tools
available to them and because their recklessness often has unintended,
but dire, consequences for the target environments.
• Often driven by desire to show off their skill.
• Typically external.
Who are the Threat Actors
• Hacktivists
• Threat actors using hacking tools/techniques for a specific activist goal.
• Famous example is the group Anonymous.
• Operation DarkNet: Anonymous broke into 40 child pornography
websites and published over 1500 names of users who frequented one
of the sites.
• Operation Russia: unidentified hackers cracked emails of pro-Kremlin
activists and officials.
• Skill levels can vary widely and may even be employed cybersecurity
professionals.
• Powerful because they have many numbers.
• Typically external.
Who are the Threat Actors
• Criminal Syndicates
• Where there is money to be made organized crime will appear!
• Typical motive is simply driven by money.
• Serious intent and motivation.
• Tend to want to remain undetected rather than show off their skills.
• Can be very highly skilled though.
• Many types of crimes:
– Cyber-dependant: Ransomware, DDoS, defacement etc.
– Child sexual exploitation.
– Payment fraud.
– Darkweb.
– Terrorism
– Cross-cutting crime: social engineering, money mules, crypto etc.
Who are the Threat Actors
• Advanced Persistent Threats
• Refers to state sponsored actors.
• Make use of advanced tools and techniques.
• Are a constant presence and build attacks over long periods of time.
• Motivation can be political, economic or espionage based.
• Many reports of attacks against western nations from Chinese or
Russian based hackers.
• Don’t always attempt to hide their identities.
Who are the Threat Actors
• Insiders
• Threat actor is an employee, contractor, vendor, partner or other
individual with some level of elevated and authorized access.
• Attacks typically aim at confidentiality but may also target availability.
• Skills, motivation and resources can all vary widely.
• Motivation is also diverse – activism, financial, revenge.
Who are the Threat Actors
• Competitors
• Corporate espionage aimed at theft of intellectual property (IP).
• Motivation may be to gain an advantage, economical or purely
disruptive.
• Can make use of disgruntled employees to act from the inside.
• Can have ties to the darkweb for selling of IP.
Threat Vectors
•
Now that we have an understanding of who the threat actors are, through
what vectors can they launch attacks?
•
Threat vectors are the means by which threat actors obtain unauthorized
access.
Vector
Description
E-Mail, Social Media
Most commonly exploited vector; massive audience.
Direct Access
Actors gain physical access.
Wireless Networks
Often an easy path into an environment.
Removable Media
Spread malware to launch attacks; Theft of IP.
Cloud
Cloud services scanned and used often.
Third-Party Risks
Supply chain attacks, other process based attacks.
Threat Intelligence
•
Activities, mechanisms, tools and resources used to learn about changes in
the threat environment.
• Important for cybersecurity professionals to build an intelligence database
to build defensive capabilities.
• Intelligence can also be used to predict future attacks.
• Many sources of intelligence:
• Open Source Intelligence (OSINT).
• Commercial threat databases.
• Vulnerability databases.
• Indicators of Compromise.
• File and code repositories.
Assessing Threat Intelligence
Important factors to consider:
1. Is it timely? Delayed intelligence results in failure of protective response.
2. Is it accurate? Inaccuracy also results in failure of protective responses.
3. Is it relevant? Can it help you to prevent, stop attacks?
https://threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
Big Picture
•
Cybersecurity professionals must have a strong working understanding of
the threat landscape in order to assess the risks facing their organizations
and the controls required to mitigate those risks.
• Cybersecurity threats may be classified based on their internal or external
status, their level of sophistication and capability, their resources and
funding, and their intent and motivation.
• Threat actors take many forms, ranging from relatively unsophisticated
script kiddies who are simply seeking the thrill of a successful hack to
advanced nation-state actors who use cyberattacks as a military weapon to
achieve political advantage.
• Cyberattacks come through a variety of threat vectors.
Vulnerability Scanning & Penetration
Testing
NIST Assessment Guidelines
•
National Institute of Standards & Technology.
• Computer Security Division has a mountain of great standards and
guidelines for computer security.
– https://csrc.nist.gov/publications/sp800
• SP800-115 deals with Information Security Testing & Assessment.
– Provides guidelines on planning and conducting IS testing and
assessment, analyzing findings and the development of mitigation
strategies.
Identifying Vulnerabilities
Identifying vulnerabilities through a vulnerability appraisal.
• Determines the current security weaknesses that could expose assets to
threats.
Two categories of software and hardware tools.
• Vulnerability scanning.
• Penetration testing.
Vulnerability Scanning
•
Vulnerability Scans are used to discover existing vulnerabilities within a
network or system.
•
Does not seek to exploit them…merely report existence.
•
Uncovers potential security holes for the purpose of reporting and
subsequent remediation.
Penetration Testing
•
These seek out vulnerabilities and then actively attempt to exploit found
vulnerabilities.
•
Purpose is to demonstrate consequences of a real hacker exploiting the
vulnerabilities within a network or system.
Penetration Testing
Pen Tests have two basic categories:
• Internal – performed from within the confines of the target network/system
from various access points.
• External – analyses publicly available information, performs scanning,
enumeration and testing from outside the local confines of the network or
system…generally from the Internet.
Penetration Testing
Can further be categorised by the types of tools used.
• Fully automated – i.e. point and shoot tools run by anyone.
• Manual testing – performed by security consultants using many tools,
deep analysis and “manual” work.
Penetration Testing
•
Fully automated tools are often used to save time and money and to give a
general report of what might be happening with respect to security.
•
A number of tools available in both free and paid variants.
– Metasploit, Codenomicon, Core Impact, CANVAS.
Penetration Testing
•
Manual testing is usually a better choice for true assessment of a network
or system.
•
Is more expensive but you are paying for a high level of expertise.
•
Often outsourced.
•
Requires planning, design, scheduling and expertise.
•
Allows real human ingenuity to show its impact.
Pen Test Phases
•
Typically, 3 phases.
1. Pre-attack Phase (Reconnaissance, scanning, enumeration).
2. Attack Phase (Attempt to actually penetrate the network defences).
•
•
Specify targets, execute attacks, escalate privileges.
Possible packet crafting, tunnelling, XSS, buffer overflows, injections,
password cracking etc……
• This is where you exploit the vulnerabilities found.
Pen Test Phases
3. Post-Attack Phase.
• Cleanup.
– A lot has changed during the attack phase and this needs to be reverted
back to the way it was before the attack….remember this is a customer.
• What the customer really wants/needs – the report!
Pen Test Phases
•
After testing you’ll need to write your report detailing everything you did, to
what, when and how!
Report Structure
The following should be part of the Pen Test Report.
• An executive summary of the organization’s overall security posture.
• The names of all participants and the dates of all tests.
• A list of findings, usually presented in order of highest risk.
• An analysis of each finding, and recommended mitigation steps that are
possible.
• Log files and other evidence from your testing.
Vulnerability Scanner v Pen Testing
•
Vulnerability scanning is the process of looking for weaknesses in
computer systems, networks or applications.
– Involves mostly passive type operations that involve scanning or
enumeration techniques in order to identify potential targets.
•
Penetration Testing is using specific security tools to actually take
advantage of the identified weaknesses to see just how far an attacker
could go.
VS v PT
•
Vulnerability scanner can be done by anyone with a little care but…..
•
Pen Testing is not something that should be performed without substantial
knowledge and experience!
– Remember you are not an attacker….you are trying to validate your
security design and implementation so damage is not something you
want to do.
•
Best course of action is to engage the services of a suitable company that
specializes in pen testing.
VS v PT
•
Reputable security companies will be able to perform both scanning and
penetration testing as part of the one project.
•
You should also consider using tools to periodically scan samples of your
network internally & externally for vulnerabilities…especially after outages
or any changes to software, hardware, topology or configuration.
•
Leave pen testing to the experts!
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 3
Malicious Code
Topic Reading
•
Chapter 3: Malicious Code.
•
Interact content.
Malware
•
Malware describes a broad range of software that is designed specifically
to cause harm to systems, devices, networks or users.
•
Can be used to gather information, gain unauthorized access, elevate
privileges and perform unwanted actions resulting in breaches to C, I or A.
•
Comes in many forms:
• Ransomware.
• RA Trojans/Trojans.
• Bots.
• Command-and-control.
Ransomware
•
Increasingly common malware that takes over target systems and
demands ransom.
•
Crypto ransomware encrypts target systems, rendering them useless, until
a ransom is paid.
•
Other ransomware might may threaten to release confidential information
unless a ransom is paid.
•
Can be very difficult to recover from but best protection is a plain and
simple backup.
•
Cryptanalysis can be difficult and often fruitless.
Trojans
•
Software that masquerades as legitimate software but actually provides
unauthorized access to attackers.
•
Require some form of human interaction to spread and operate.
•
Remote Access Trojans (RATs) provide unauthorized remote access.
•
Often combated using antimalware tools and security awareness training.
Worms
•
Are self-replicating.
•
Often associated with spreading via attacks on vulnerable services but can
also propagate through automated means such as e-mail or file shares.
•
Because they can self-install without human interaction they can be quick
to spread and difficult to stop.
Rootkits
•
Malware specifically written to permit unauthorized access to systems via a
backdoor.
•
Modern rootkits are very good at concealing their presence through:
• Use of filesystem drivers.
• Infection of master boot records (MBR) of disks.
•
Detection can be tough because systems infected with rootkits is
untrustworthy.
•
Best to use a trusted system to inspect suspect infected systems.
•
Rootkit detection looks for signatures and known behaviours.
Backdoors
•
Methods and tools that allow bypassing of regular authentication methods.
•
Like rootkits they are sometimes used by manufacturers to provide ongoing
access to systems and software.
•
Backdoors can sometimes be detected by finding unexpected open ports
or services but some may use legitimate services.
Bots
•
Groups of remote-controlled systems or devices that have a malware
infection.
•
Groups more commonly referred to as botnets.
•
Botnets are used to control targets in order to use them to launch various
types of attacks against further target systems.
•
Many botnet command and control systems operate in client-server mode.
Botnets
Source: https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fblog.eccouncil.org%2Fwp-content%2Fuploads%2F2018%2F12%2Fthe-structure-of-a-botnet.png&f=1&nofb=1
Keyloggers
•
Programs that, once loaded, may capture keyboard keystrokes, mouse
movement, touchscreen inputs or credit care swipes from infected devices.
•
Can work in various ways including capturing via the kernel, through APIs
or scripts, or directly from memory.
•
Best defense is through best practice software maintenance and
comprehensive AV/Malware solution.
Logic Bombs
•
Functions or codes maliciously placed inside other programs.
•
Are activated when defined conditions are met.
•
Uncommon but when activated can create significant issues.
Viruses
•
Most well known, widespread and understood of the malware types.
•
Are spread via varied infection mechanisms and have many different
attacks methods and targets.
Virus Type
Description
Memory resident
Remain in memory while the device is running.
Non-memory
resident
Execute, spread and then shutdown to prevent
detection.
Boot sector
Reside on disk boot sectors.
Macro
Use macros or code inside common applications to
spread.
E-mail
Spread via e-mail attachments or flaws within clients.
Spyware
•
Designed to obtain information about a target.
•
Many different variants and deployment methods.
•
May be innocuous but certain types are quite malicious.
•
Often associated with identity theft and fraud.
•
Most frequently combated using anti-malware tools.
•
User awareness is also an important tool.
Potentially Unwanted Programs (PUPs)
•
Many types of malware are malicious and cause damage.
•
PUPs are different in that they may not cause any harm directly.
•
Installed without users knowledge or permission.
•
Can include adware, browser toolbars, tracking programs and other types.
•
PUPs don’t always indicate that a system has been seriously
compromised.
Malicious Code
•
Includes scripts or bespoke code that isn’t malware but is may still be used
by attackers.
•
Attacks can happen locally or remotely.
•
May leverage built-in OS tools such as PowerShell, Visual Basic and
macros in Windows environments or Bash or Python in Linux
environments.
•
Can be difficult to guard against because they leverage legitimate and well
used tools.
Adversarial Artificial Intelligence (AAI)
•
A developing field where AI used to launch attacks.
•
Focus is typically on poisoning of data, inserting malicious analytics or
algorithms into systems or privacy based attacks.
Big Picture
•
Malware has many variants.
•
Some is malicious and some is simply used to spy on us, advertise
products or somehow socially manipulate us.
•
Depending on the type of malware prevention of infection and protection
against can be very challenging.
•
Best practice software configuration, patching and AV tools are a good
start.
•
Security awareness training assist greatly.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 4
Endpoint Security
Topic Reading
•
Chapter 11: Endpoint Security.
•
Interact content.
Endpoint Security
•
Protecting endpoints provides a significant proportion of daily tasks for the
cybersecurity professional.
•
Endpoints are the predominant device category in any digital environment.
•
Given they are controlled by end users the variety of risks is significant.
Endpoints
•
Devices such as servers, desktops, laptops and mobile devices are called
endpoints because they are an end point of either a wired or wireless
network.
•
Because endpoints are so diverse the protective security mechanisms
available are also incredibly diverse.
•
Cybersecurity professionals need to have significant expertise to
understand what solutions exist for specific security problems, how and
when they are deployed and any considerations that must be made.
Protecting the Boot Sequence
•
If any endpoint is to be secure and useful to an end user it must first be
able to start up in a secure fashion.
•
Preservation of boot integrity is exactly this.
•
If malicious components are present during the boot sequence the
endpoint is untrustworthy.
•
Modern Unified Extensible Firmware Interface (UEFI) firmware provides
protection via two means:
• Secure boot.
• Measured boot.
UEFI Secure Boot Process
Figure 11 from text, p.425
Endpoint Security Tools
Antivirus & Antimalware
•
Arguably the most common security tools used.
•
Although these tools are typically reactive they are an excellent first level of
defence.
•
Both should always be used on user endpoints.
•
Unless there are specific reasons not to antivirus software should always
be used on server endpoints.
Methods of Detection
•
There are four common detection methods used by AV and AM software.
Method
Description
Signature-based
Signature generation method to identify files or components of the malware
that have been previously observed. Fails with polymorphic viruses,
encryption or packing methods.
Heuristic-based
Examines actions malicious software takes and matches them to profiles of
unwanted activities. Heuristic-based detection systems can identify new
malware based on what it is doing.
Artificial Intelligence
Uses large amounts of data to find ways to identify malware that may
include heuristic, signature, and other detection capabilities.
Sandboxing
Protected environment where unknown, untrusted, potentially
dangerous, or known malicious code can be run to observe it.
Allow and Deny Lists
•
Simply put these are lists that either permit or deny the installation or
operation of a specific piece of software or application.
•
Although simple they can require substantial administrative effort to
maintain and are therefore not widely utilised.
Endpoint Detection & Response
•
Where AV and AM software is not enough endpoint detection and response
(EDR) tools may be deployed.
•
EDR provides a client-server platform where endpoints report to collectors
who then collect, correlate and analyse events as they occur.
•
Reporting of this level is a very strong advantage of EDR systems.
•
Can result in a lot of data collection if there are many endpoints and so
must be carefully deployed and managed.
Data Loss Prevention (DLP)
•
DLP protects data from both theft and accidently exposure.
•
Can be deployed as a client or as an application on endpoints.
•
Has numerous features including:
• Data classification to inform which data needs protection.
• Data labelling and tagging to support classification and management.
• Policy management and enforcement.
• Monitoring and reporting.
• Some DLP systems also encrypt.
Network Defenses
• Protection from network based attacks can be done using:
• Host Intrusion Detection Systems (HIDS).
– Typically monitor only and require intervention.
• Host Intrusion Protection Systems (HIPS).
– Can actively block.
• Host Based Firewall.
– Intercepts inbound communications.
• All are useful but can result in high resource utilisation.
Host Firewalls & IPS v Network Firewalls & IPS
•
Network based devices should always be used, host based will depend on
circumstances.
Figure 11.2 from text, p.433.
Hardening Endpoints & Systems
•
Hardening is the process of securing a system, operating system or other
application/software such that it is as secure as possible against all attacks
while still allowing it to serve its required function.
•
More simply put the goal is to minimise the vulnerability footprint.
•
One of the quickest and easiest ways to harden an endpoint is to reduce
the number of open ports and services that it provides.
•
While firewalls can be used to protect ports/services there is no need to
have them enabled if they provide no purpose.
Hardening Operating Systems
•
This involves changing settings to adhere the desired security posture.
•
A number of automated tools exist to make this form of hardening easier.
•
Examples of settings that might be considered:
• Password history; set to remember 10 passwords.
• Password age set to maximum of 30 days, but more than 0.
• Minimum password length of 15.
• Password complexity.
• Setting password encryption.
Windows Registry Hardening
•
The registry is a vital configuration component of Windows and corruption
of it can be catastrophic.
•
Attackers can compromise the registry to:
• Automatically run programs.
• Information enumeration.
• Perform a variety of malicious actions on operational characteristics.
•
Hardening the registry involves configuring appropriate permissions,
disallowing remote access and, limiting access to registry tools.
Patch Management
•
Ensuring that endpoint systems are up to date with service packs, security
patches and specific application patches is critical.
•
Only apply service packs and patches if they are relevant to services or
applications you provide or use.
• You may accidently introduce issues if you rollout unrequired patches.
•
Many operating systems and applications have automated update tools.
• Important to carefully consider if you need this automation.
Disk Security & Sanitization
•
Full Disk Encryption (FDE) is used to ensure that should a disk be stolen
the data is protected.
•
FDE requires the bootloader or other hardware device provides a key and
software or hardware to decrypt the drive for use.
•
Transparent encryption is commonly used and is undetectable to the user.
•
Disk volumes, or folders/files, can also be encrypted.
•
Can be problematic if the decryption key is lost.
Disk Security & Sanitization
•
Sanitization is ensuring that once a disk is past its used by date the entire
contents are securely erased and not retrievable.
•
This can be done using mathematical algorithms that wipe the data from
the disk.
• Many software wiping tools are available.
•
Can also be done by simply physically destroying the disk in question.
• Secure shredding services are often used but any physically destruction
method will work.
Internet of Things (IoT)
•
IoT is a broad term that describes many different non-compute devices that
store data and connect to the online digital world.
•
Many popular devices are IoT devices (Garmin, Apple, Android devices).
•
Examples include automation systems, sensors, security systems, smart
devices etc.
•
IoT brings functionality and flexibility but also some security concerns.
– Poor security settings and configurations.
– Short support lifespans.
– Vendor and cloud services data-handling practices.
Big Picture
•
Endpoints are the most common category of devices that require securing
in an enterprise environment.
•
Cybersecurity experts need significantly broad levels of expertise to secure
the variety of endpoints in contemporary networks.
•
Many tools and mechanisms are available to use.
•
Main goal is to reduce the vulnerability footprint while maintaining required
functionality.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 5
Network Security
Topic Reading
•
Chapter 12: Network Security.
•
Interact content.
Importance of Networks
Networks are the core of our digital environments.
Provide transfer of data that drives business
functions.
As such they are a key target for would be
attackers, criminals or competitors.
Key Concepts
The OSI Model
The OSI model is a vital
concept within data
networking, and security,
that you must come to
terms with.
It is a framework upon
which all data
communications are built.
Allows any vendor product,
software or hardware, to
communicate with any other
vendor product.
Understanding it greatly
assists with
troubleshooting.
OSI Model
Reference model
• Framework.
• Software & hardware.
• Reading on Interact.
text.
p.471 of
Segmentation
Division of a network into logical or physical groupings.
Can be based on:
Trust boundaries.
Functional requirements.
Other depending on importance to
business.
Typical driven using Virtual
Local Area Networks
(VLANs).
Layer 2 construct implemented by
switches.
Divides network into broadcast domains
from a traffic perspective.
Segmentation
•
Can also be derived from function:
• Demilitarized Zone (DMZ) – segments of a network that are accessible
to lower trust entities such as external Internet located devices/users.
• Intranets – segments of a network that are accessible to only higher trust
entities such as internal devices/users.
• Extranets – segments of a network providing access to external, but
more trusted, devices/users such as partners or customers.
• These are still facilitated by VLANs in many cases.
Network Access (Admission) Control (NAC)
•
Network segmentation divides networks in security zones but do not
provision/manage the access to those zones.
•
NAC technologies decide if an incoming system/device/user should be
permitted.
•
NAC interrogates incoming devices to ascertain if they meet expected
standards of security.
• Can be done via an installed agent or agentless via a browser.
• If the device meets the expected standard they are admitted.
• If standards are not meet the requesting client is either denied outright or
allocated to a remediation zone where the “standard” can be applied.
Network Access (Admission) Control (NAC)
•
Installed agents typically have a greater ability to interrogate a device.
•
Items validated may include:
• Patch levels, Security settings, AV versions, other settings.
• Some systems also track user behaviour.
•
NAC is therefore a useful tool for policy enforcement but is most useful at
the initial stage of connection.
•
Once a device is connected other tools must be used to keep things
secure.
Port Protection
•
Protecting your network from nefarious traffic is a tough task and can begin
with securing the flow of traffic into physical/logical ports.
• Port Security is a technology that gives you the ability to limit the number of
hosts that can connect to a port by limiting the incoming MAC addresses.
•
Technology varies depending on vendor platform by most port-security
capabilities allow:
• Dynamic locking by specifying a limit to the number of MAC addresses
allowed.
• Static locking by specifying the value of the MAC addresses allowed.
Port-Span, Port-Mirror
•
These terms are interchangeable.
•
The do not, in and of themselves, protect anything.
•
The purpose is to copy or mirror traffic from a specified port/s or network
segment to a security monitoring device such as an IDS or IPS.
•
They can also be used for troubleshooting in conjunction with protocol
analyzers.
Virtual Private Network (VPN)
•
•
•
Creates a virtual network link across a public network (i.e. Internet).
Connected hosts appear as if they are on the local network.
Security is achieved using encryption.
•
IPSec VPNs operate at Layer 3 and require a client.
• Tunnel mode: protects whole packet.
• Transport mode: only encrypts payload.
• Typically used for site-to-site VPNs or where traffic is not just
web/application based.
•
SSL (TLS) VPNs operate using a web browser portal.
• or Tunnel mode similar to IPSec.
Virtual Private Network (VPN)
•
Site-to-site (typically between sites and always active).
•
Remote access (for mobile users and are only active when required).
•
VPNs can be implemented as split-tunnel or full-tunnel.
• Full-tunnel – protect all traffic, more bandwidth required but more secure.
• Split-tunnel – only protects specific traffic sent to remote network, less
bandwidth required but less secure.
Appliances and Security Tools
•
There are many different ways in which appliances can be implemented.
• Hardware, virtual, cloud, hybrid.
• Chosen based on performance, manageability, expense, purpose.
•
Many types of appliances that serve a number of different functions.
• Jump servers.
• Load balancers.
• Proxy Servers.
• Network Address Translation (NAT) Gateways.
• Content/URL Filters.
• Data Protection or Data Loss Protection (DLP).
Firewalls
•
Used to setup traffic treatment profiles by filtering packets on some set
criteria.
•
Designed to prevent malicious packets from entering the network.
•
Firewall can be software-based or hardware-based.
Firewall Principles
•
The foundation of a firewall is the rule base.
– Establishes traffic treatment profile.
• Traffic evaluated using variations of the 5-tuple concept:
– A 5-tuple is a set of five different values that comprise a connection.
1. Source IP address.
2. Source port number.
3. Destination IP address.
4. Destination port number.
5. The protocol in use (TCP or UDP primarily).
Firewall Principles
Application Layer
• Able to decode and understand layer 7 protocols.
• Cannot decrypt so fail for SSL applications (SSH, HTTPS).
Unified Threat Management (UTM)
• All in one wonder box.
– Firewall, IDS/IDP, AV, web content filtering.
– True layer 7…probably more even!
Firewall Necessities
Application awareness
• Layers 3  7.
Application fingerprinting
• Must be able to correctly identify applications flowing through them by traffic
contents.
Granular Application control
• Must identify & characterize application features in order to control those
applications strictly.
QoS
• Based on the traffic priorities of the host network.
Core Functions
NAT
• Static, dynamic, PAT.
• Often debated as a valid security measure.
Audit & logging
• Preferably to a separate and secure management system.
• Can consume vast quantities of disk space.
What else can Firewalls do?
Malware blocking
• Detection, stopping, logging.
AV
• Used as an additional layer of defense in conjunction with other technologies.
IDS/IDP
• Again…as an addition to specific IDS/IDP devices.
URL filtering/caching
• Being at the perimeter FWs are perfectly placed.
• Many FWs are brilliant at this…which saves you!
What else can Firewalls do?
SPAM Filtering
• Similar to web filtering.
Wire speed transmission
• Cannot afford to introduce latency to transmission.
Secure Firewall Design
•
Irrespective of type of firewall used location is the most important factor of
design.
– Poorly placed firewalls = false sense of security
•
All comm’s in/out of protected networks should flow through a firewall.
•
Only authorized traffic is permitted to pass.
– Be explicit with permissions, everything = blocked!
•
Most likely best to fail closed.
•
Must be able to recognize, resist & log attacks on itself.
Rule Base Practices
•
Build rules from most to least specific
– Rules are generally processed top to bottom and stop once a match is
found.
•
Place most active rules at the top
– Saves CPU and memory.
•
Drop unrouteable packets without question
– RFC1918, internal addresses or broadcasts.
Intrusion Detection (IDS)
Monitors & IDs specific malicious traffic.
• Anything anomalous to the baseline.
– Traffic.
– Access or attempted access.
– Unauthorized changes.
– Unusual log messages or events.
– File manipulation.
– Elevation of rights.
– System changes.
– Many more…..
Threats that ID protects against
Attacks
• Unauthorized activity with malicious intent.
• Network protocol attacks.
– Flag Exploits.
– Fragmentation & reassembly.
• Application attacks.
• Content obfuscation (confusing communication).
Threats that ID cannot detect
•
Attacks that use encryption.
•
“Misuse” attacks.
– Copying documents.
– Posting documents to portals.
– Social engineering.
Types of IDS & Detection Models
Anomaly detection
• Looks at patterns of behavior and changes or abnormalities.
Signature
• Uses specific knowledge profiles to match against traffic patterns.
Active
• Triggers some configurable action.
Passive
• Logs only.
HIDS
Installed on a host device
• Server, workstation, router, printer, gateway etc.
• Installs as a service.
• Intercepts and scans traffic before any other process.
• Excels at examining application layer interactions.
Realtime
• Always looks for attacks and events.
• Takes up a lot of system resources.
Snapshot
• Takes snapshots to show the differences between a known good state and
a corrupt state.
NIDS
Protects networks
•
•
•
•
•
Most popular form of IDS.
Capture & analyze live traffic.
Designed to protect more than one host (cf HIDS).
Configuration required to ensure detection and analysis is turned on.
Requires some form of VLAN or port-based traffic mirroring or network tap
to work correctly.
IPS
• Along with detection & reporting IPS can stop attacks in real
time.
• Can sometimes overact!
– False positives can sometimes lead to traffic starvation.
Which should I use?
It depends……
• What do you want to protect?
– Host, subnet, entire network?
– Do you provide network services to customers or are you an enterprise?
– What is your network topology?
– Anomaly Detection or Signature?
There is rarely one solution to a problem but there is often a best solution.
UTM
Unified Threat Management
• All in one security appliance.
– Firewall.
– Gateway AV.
– IDS/IDP.
– SMTP filtering.
– Web filtering.
– VPN.
• Great for blended attacks .
• Reduces complexity of deployment of security services.
Big Picture
•
Understand the key security concepts in enterprise security, the supporting
tools and secure design principles.
•
Many, varied appliances, tools and implementations to consider.
•
Always try to use the most secure version, implementation or design for
anything you do.
•
Even with great defences you must still have knowledge of possible attack
vectors.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 6
Identity and Access Management (IAM)
Topic Reading
•
Chapter 8: Identity and Access Management.
•
Interact content.
Important of Identity & Access Management (IAM)
•
Are a vital security layer in modern digital systems.
•
They allow associated accounts to access systems and services as
dictated by the controlling enterprise.
•
Facilitate control of rights associated with accounts.
•
Identity and Access Management is critical in ensuring the safe operation
of an enterprise network.
Some Quick Terminology
• Subject: Typically people, applications, devices or organizations.
• Most commonly refers to individual users.
• Attributes: any information related to a subject.
• Can include name, age, location, job role, hair or eye colour, height etc.
• Identity: Sets of claims made about a subject, linked to attributes.
Identity Use
•
In order to use (claim) an identity a subject will authenticate via
presentation of one or more appropriate symbols asserting their identity.
• Examples may include:
•
•
•
•
•
Usernames (most common).
Certificates.
Tokens.
SSH Keys.
Smartcards.
Authentication, Authorization
• Authentication: When an entities identity is confirmed/verified through a
specific system.
• May also be referred to as “access control” although it is typically
considered a component of access control.
• Authorization: When an entity is granted permissions to a resource.
• Authentication must occur before this is possible.
Authentication & Authorization Technologies
•
Many of these exist but the following are more salient for our purposes.
• Extensible Authentication Protocol (EAP)
• Authentication framework most commonly used in wireless networks.
• Has many implementations (both vendor-specific and open).
– EAP-TLS, LEAP, EAP-TTLS are all open methods.
• Challenge Handshake Authentication Protocol (CHAP)
• Uses an encrypted challenge and 3-way handshake to send credentials.
• 802.1x
• IEEE standard for NAC and authenticates devices wanting to connect to
a network.
Authentication & Authorization Technologies
• Remote Authentication Dial-in User Service (RADIUS)
• Very common AAA systems for network devices, wireless networks and
various other services.
• Client-server based model.
• Terminal Access Controller Access Control System Plus (TACACS+)
• Cisco designed extension to TACACS.
• Full packet encryption, granular command controls.
• Kerberos
• Designed for untrusted networks.
• Uses authentication to shield its authentication traffic!
Single Sign On Authentication
•
Used where access is required to several systems with separate logins.
•
Necessarily complemented by Single Sign Off.
•
Designed to relieve password “fatigue” or “confusion”.
•
When implemented appropriately:
• Reduce IT costs significantly.
• Reduce incidents of phishing.
SSO & Identity Management
• Identity management.
– Using a single authenticated ID to be shared across multiple networks.
• Federated identity management (FIM).
– Used when networks are owned by different organizations.
– Single Sign On.
• Windows Live ID.
– When the user wants to log into a Web site that supports Windows Live
ID the user will first be redirected to the nearest authentication server.
– Once authenticated, the user is given an encrypted time-limited “global”
cookie.
Authentication Models
Single and multi-factor authentication (MFA).
• One-factor authentication.
– Use of single credential.
• Two-factor authentication.
– 2 different credentials.
• Three-factor authentication.
– 3 different credentials.
– Very secure.
Authentication Factors
Something you know.
• Password/Passphrase/PIN.
• Knowledge factor.
Somewhere you are.
• GPS/IP Subnet/VLAN.
• At work/at home/in the car.
Something you have.
• Token/swipe card.
• Possession factor.
Something you do.
• Signature, gesture, typing
cadence.
• Other habitual behaviour.
Something you are.
• Biometrics (thumb print, retina
scan).
• Inherence factor.
Authentication Factors
•
Multifactor stronger than single factor but also more complex.
•
More factors = stronger ≠ easier or cheaper to implement.
•
MFA is also mostly static in nature.
•
A more dynamic method is context-aware authentication.
Context Aware Authentication
•
Adaptive method of authentication.
•
Based on usage of resources and confidence the system has in an
authenticating entity.
•
Automatically increase level of authentication required or
increase/decrease access to resources based on continuous analysis of
the entity in question.
Access Control Schemes (Models)
Access Control Terminology
•
Computer access control can be accomplished in one of three ways:
– Hardware.
– Software.
– Policy.
•
Access control can take different forms depending on what is being
protected.
•
Other terminology is used to describe how computer systems impose
access control:
– Object.
– Subject.
– Operation.
Access Control Definition
• A simple definition is:
The process by which resources or services are granted or denied on a
computer system or network.
•
Four main schemes/models to discuss.
Access Control Schemes/Models
•
I use the terms Scheme and Model interchangeable.
•
A Scheme/Model definition:
A predefined framework for hardware and software developers who need to
implement access control in their devices or applications.
•
Once an access control scheme/model is applied.
– Custodians configure security based on parameters set by the owner.
– Enables end users to do their jobs.
Mandatory Access Control (MAC)
• End user cannot implement, modify, or transfer any controls.
• The owner and custodian are responsible for managing access controls.
• Most restrictive model as all controls are fixed.
• In the original MAC model, all objects and subjects were assigned a
numeric access level.
• The access level of the subject had to be higher than that of the object in
order for access to be granted.
Discretionary Access Control (DAC)
• The least restrictive.
• A user has total control over any objects that they own.
• Along with the programs that are associated with those objects.
• In the DAC model, a subject can also change the permissions for other
subjects over objects.
Discretionary Access Control (DAC) Weaknesses
1. Reliance on the end-user to set the proper security parameters.
2. A subject’s permissions will be “inherited” by any programs that the
subject executes.
Role Based Access Control (RBAC)
• Sometimes called Non-Discretionary Access Control.
• Considered a more “real world” approach than the other models.
• Assigns permissions to particular roles in the organization, and then
assigns users to that role.
• Objects are set to be a certain type, to which subjects with that particular
role have access.
Benefits of Role-Based Access Control
•
Improving operational efficiency.
•
Enhancing compliance.
•
Giving administrators increased visibility.
•
Reducing costs.
•
Decreasing risk of breaches and data leakage.
Rule Based Access Control (RBAC)
• Also called the Rule-Based Role-Based Access Control (RB-RBAC) model.
• Dynamically assign roles to subjects based on a set of rules defined by
custodian.
• Each resource object contains a set of access properties based on the
rules.
• Rule Based Access Control is often used for managing user access to one
or more systems (SSO).
Access Control Models Summary
Name
Restrictions
Description
Mandatory Access
Control (MAC)
End user cannot set
security
Most restrictive
Discretionary Access
Control (DAC)
Owner has total
control over objects
Least restrictive
Role Based Access
Control (RBAC)
Permissions assigned
to roles, users
assigned to roles
Real world approach
Rule Based Access
Control (RBAC)
Roles assigned
dynamically based on
security parameters
Assigns access
across multiple
systems
Big Picture
•
Identity is key with respect to organizational security.
•
Authentication is how a claimant proves their identity.
•
Authorization provides authenticated identities with appropriate restrictions.
•
There are many authentication methods that can be used.
•
Access control schemes determine which subjects can perform which
operations on which objects.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 7
Cryptography & PKI
Topic Reading
•
Chapter 7: Cryptography and Public Key Infrastructure
•
Interact content.
Cryptography
•
“the science or study of the techniques of secret writing, especially code
and cipher systems, methods, and the like”.
•
At its simplest it deals with keeping secrets secret – confidentiality.
•
More complex cryptography techniques also provide integrity of data.
Cryptography (crypto)
•
Crypto is an essential in contemporary communications but often not used
outside of the military, education or other big business.
•
Crypto generally thought of as being good.
– Securing nuclear launch codes.
– Protecting financial, medical or other personal details.
•
Crypto can be easily used by criminals for hiding their activities!
Definitions
Crypto Goals 1
Confidentiality
• Protect information from casual prying eyes or deliberate attempts to steal.
• Information doesn’t always have to be of significant value to anyone other
than an individual.
• Common layman definition of security is confidentiality.
• Crypto directly addresses this issue by scrambling plain text into something
that only the intended recipient can unscramble.
Crypto Goals 2
Integrity
• Some components of crypto perform verification and validation of data.
• Fundamentally digitally signs data with any changes to the signature
indicating a change to the underlying data; integrity compromised.
• Attacks on integrity of data can be more dangerous as they can be difficult
to confirm and generally are designed to result in unexpected, but
seemingly legitimate, results.
Crypto Goals 3
Availability
• A major component of the CIA triangle but unfortunately not something
crypto can help with.
• This point is important because it confirms that crypto is not a complete
security solution but rather part of a good defense in depth strategy.
Authentication
• Confirmation that the person you think sent the information really
did…clearly important for commercial transactions.
Crypto Goals 4
Non-repudiation
• Ability to prove who signed information & that that signature has not been
spoofed.
• Without this digital signatures & contracts would be meaningless.
Crypto Primitives
•
Crypto can be better understood through four primitives:
– Generation of random numbers.
– Symmetric encryption.
– Asymmetric encryption.
– Hashing.
•
Primitives can be used singularly for some purposes but are usually used
together.
Random Numbers
•
Actual random strings of bits.
• Truly random numbers are not possible using algorithms alone.
• Value is in generate pseudo-random numbers to provide keys for crypto
algorithms.
• For this purpose numbers need only be unpredictable not totally random.
Symmetric Encryption
•
Same key for encryption/decryption.
•
Also known as classical, conventional or single-key encryption.
•
Oldest type of encryption.
•
Only type until the 1970’s.
•
Still the most widely used.
Symmetric Encryption
Symmetric Encryption
•
Uses the notion of “computationally secure”…
• That is…
– The time it would take to compute all possible key combinations is so
large that it cannot be achieved within the time frame that the encrypted
information is useful to.
• Not worth the effort!
Symmetric Encryption
•
Ability to use ciphers is hamstrung by the fact that communicating parties
must both know the shared key.
• How do we keep this secure?
• Must be shared by another means prior to encryption.
– Secure post, secure phone.
– Not with e-mail or yellow sticky notes!
• Can also use a trusted third party.
Asymmetric Encryption
Asymmetric Encryption
•
The concept of public key cryptography evolved from an attempt to attack
two of the most difficult problems associated with symmetric encryption:
•
Whitfield Diffie and Martin Hellman from Stanford University achieved a
breakthrough in 1976 by coming up with a method that addressed both
problems and was radically different from all previous approaches to
cryptography.
Asymmetric Encryption
•
A public-key system has 6 ingredients:
Asymmetric Encryption
Hash Functions
•
A hash function (H) takes variable-length blocks of data (M) as input and
outputs a fixed-size hash value.
• h = H(M)
• Primary objective is to ensure data integrity.
•
Cryptographic hash function is:
• An algorithm for which it is CI to find:
– A data object that maps to a pre-specified hash result (1-way
property).
– Two data objects that map to the same hash result (collision-free
property).
Hash Function; h=H(M)
L Bits
Message or data block M (variable length)
H
Hash value h
(fixed length)
P, L = padding plus length field.
P, L
Applications
Application of Encryption
•
There are many useful applications of cryptographic theories.
•
Some of commonly used and others should be commonly used!
•
Following slides look at the most common.
E-Mail Privacy
•
Not so commonly used by the average e-mail user.
•
Both POP and IMAP have crypto features built in.
•
PGP also a good option for e-mail encryption.
– Digital sigs, confidentiality, message compression, format conversion.
VPN
•
Probably the most popular use of crypto technology.
•
Connecting offices, users and partners securely using public infrastructure.
•
IPSec or SSL based are best.
•
PPTP really legacy but still widely used.
•
Can be point-to-point for static offices.
•
Remote access for teleworkers & road warriors.
SSL/TLS
•
Encrypts between clients and servers.
•
Most common tool for secure websites.
•
Uses asymmetric encryption.
•
Supported by all browsers and many e-mail clients.
•
Used in VPNs to provide web based portals.
Public Key Infrastructure (PKI)
PKI
•
A group of technologies for secure communications using asymmetric
public key encryption.
•
Provides:
– Confidentiality, integrity, authentication and non-repudiation.
PKI – Explained in 5….
Common Challenges PKI solves….
•
MiTM attacks.
•
Management of certificates.
•
Distribution and use of certificate services.
•
Maintenance of security in a digital world.
Common uses of PKI
•
SSL/TLS certificates to secure web browsing experiences and
communications.
•
Digital signatures on software.
•
Restricted access to enterprise intranets and VPNs.
•
Password-free Wi-Fi access based on device ownership.
•
Email and data encryption.
Big Picture
•
Cryptography is a vital weapon in your cybersecurity armory.
•
Touches almost every other area of security.
•
Supports C, I, A and non-repudiation.
•
Secrecy of the key is the single most important thing.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 8
Resilience & Physical Security
Topic Reading
•
Chapter 9: Resilience and Physical Security.
•
Interact content.
Cybersecurity Resilience
Building Resiliency
•
Primary focus in this topic is Availability.
•
Regardless of how great your C and I are if you have no A then you have
nothing.
•
Typically neglected element of availability is resiliency.
•
Resiliency should always be considered during design.
•
Most common implementation is through redundancy.
Resilient Design
•
Infrastructure components must be analysed to determine where singlepoints of failure exist.
•
Components may include:
• Power distribution/control systems.
• Environmental control systems.
• Hardware and software.
• Information storage systems.
• Network and other communications.
• Security systems (physical and digital).
Resilient Design
•
Typical resilient designs implement some level of geographic dispersal.
• Split major data processing capabilities between sites.
• Typically means 100km or more between locations although this is not
always the case.
• Helps to alleviate the impact of natural disasters, power disruptions,
network connectivity or other local factors.
•
Separation of compute devices within a data centre is common.
• Separate any critical resilient infrastructure between racks, rows, rooms,
floors etc.
Resilient Design
•
Implementation of multiple network paths.
• Protects against cable, device or provider issues.
•
Hardware redundancy.
• Routers, switches, firewalls, IDS, servers, NIC teaming, load balancing.
•
Uninterruptable Power Supply (UPS).
• Short term battery backup for short outages, power surges/drops,
filtering.
• Generator systems for protection during longer outages.
Resilient Design
•
Storage redundancy.
• Protect against disk or server failure.
•
Diversity in technology used or vendors used.
• Less reliant on single brand or proprietary software/firmware.
RAID
•
Redundant Arrays of Inexpensive Disks (RAID).
• Very common solution involving various implementations of disk
systems.
RAID Level
Description
Benefit
Problem
0 – Striping.
Data is spread across all
drives in an array.
↑ performance.
100% use of space.
No fault tolerance(FT).
1 – Mirroring.
Data replicated to another
drive.
↑ read speed.
Single drive failure (SDF)
protection.
2 x storage.
5 – Striping with parity.
Data striped across drives,
one used for parity.
↑ reads, ↓ writes.
SDF protection.
Only SDF.
Rebuild is slow.
6 – Striping with double
parity.
Additional parity drive to
RAID 5.
↑ reads, ↓ writes.
Multiple DF protection.
↓ writes than RAID 5.
Rebuild slower.
10 – Mirroring and striping.
Data striped across 2+
drives then mirrored.
Combined per RAID 0 & 1.
Combined per RAID 0 & 1.
Backups
•
Backups and replications are very typical at any size organisation.
•
Common backup schemes include:
• Full – backs up everything selected.
• Incremental – backs up any changes since last backup.
• Differential – backs up any changes since last full backup.
•
Various forms of rotational schemes for backup media also:
• FIFO, grandfather, Tower of Hanoi.
• Snapshots are also commonly used in virtualized environments.
Backup Media
Tape.
Disks.
Optical.
• Low
cost/capacity
ratio.
• Robotic
systems
common.
• Magnetic or
solid state.
• Networked
Attached
Storage
(NAS).
• Storage Area
Network
(SAN).
• Blue-ray.
• Not
commonly
used in large
scale backup
systems.
Flash based
systems.
• Short term or
very small
backups.
Further Discussion
•
See text for further detail.
Physical Security
Physical Security
•
Addresses design, implementation, and maintenance of mechanisms that
protect physical resources of an organization.
•
Most other controls can be circumvented if attacker gains physical access.
• Physical security is as important as logical security.
• Often undervalued.
Source of Physical Loss
Temperature extremes.
Gases.
Liquids.
Organics.
Projectiles.
Movement.
Energy anomalies.
Responsibility is Shared
General
management.
IT management and
security staff.
• responsible for
facility security.
• responsible for
environmental and
access security.
Information Security
management and
professionals.
• perform risk
assessments and
implementation
reviews.
Physical Access Controls
•
Secure facility
– physical location engineered with controls designed to minimize risk of
attacks from physical threats.
•
Secure facility can take advantage of natural terrain, traffic flow, and degree
of urban development; can complement these with protection mechanisms
(fences, gates, walls, guards, alarms).
Physical Controls
•
Walls, fencing, and gates.
•
Mantraps.
•
Guards.
•
Electronic monitoring.
•
Dogs.
•
Alarms and alarm systems.
•
ID cards and badges.
•
Computer rooms and wiring
closets.
•
Locks and keys.
•
Interior walls and doors.
ID Cards and Badges
•
Ties physical security with information access control.
– ID card is typically concealed.
– Name badge is visible.
•
Serve as simple form of biometrics (facial recognition).
•
Should not be only means of control as cards can be easily duplicated,
stolen, and modified.
•
Tailgating occurs when unauthorized individual follows authorized user
through the control.
Locks and Keys
Two types of locks: mechanical and
electromechanical.
Locks can also be divided into four categories:
manual, programmable, electronic, biometric.
Locks fail and alternative procedures for controlling
access must be put in place.
Mantraps
Small enclosure that has entry point and different exit
point.
Individual enters mantrap, requests access, and if
verified, is allowed to exit mantrap into facility.
Individual denied entry is not allowed to exit until security
official overrides automatic locks of the enclosure.
Mantraps
Electronic Monitoring
•
Records events where other types of physical controls are impractical or
incomplete.
•
May use cameras with video recorders; includes CCTV systems.
•
Drawbacks.
– Reactive; do not prevent access or prohibited activity.
– Recordings often not monitored in real time; must be reviewed to have
any value.
Alarms and Alarm Systems
•
Alarm systems notify when an event occurs.
•
Detect fire, intrusion, environmental disturbance, or an interruption in
services.
•
Rely on sensors that detect event; e.g., motion detectors, smoke detectors,
thermal detectors, glass breakage detectors, weight sensors, contact
sensors, vibration sensors.
Data Halls & Wiring
•
Require special attention to ensure CIA of information.
•
Logical controls can be defeated if physical access to equipment is
available.
•
Custodial staff often the least scrutinized persons who have access to
offices; are given greatest degree of unsupervised access.
Interior Walls and Doors
•
Information asset security sometimes compromised by construction of
facility walls and doors.
•
Facility walls typically either standard interior or firewall.
•
High-security areas must have firewall-grade walls to provide physical
security from potential intruders and improve resistance to fires.
•
Doors allowing access to high security rooms should be evaluated.
Fire Security and Safety
•
Most serious threat to safety of people who work in an organization is
possibility of fire.
•
Fires account for more property damage, personal injury, and death than
any other threat.
•
Imperative that physical security plans examine and implement strong
measures to detect and respond to fires.
Fire Detection and Response
• Fire Suppression Systems.
– Monitor.
– Suppress fire through some form of retardant or extinguishing agent.
– Alert.
Fire Detection
•
Fire detection systems may be manual or automatic.
•
Part of a complete fire safety program includes individuals that monitor
chaos of fire evacuation to prevent an attacker accessing offices.
•
There are three basic types of fire detection systems.
– thermal detection.
– smoke detection.
– flame detection.
Fire Suppression
•
Systems consist of portable, manual, or automatic apparatus.
•
Portable extinguishers are rated by the type of fire.
•
Installed systems apply suppressive agents.
– usually either sprinkler or gaseous systems.
Gaseous Emission Systems
•
Used in specialized environments (data centers) where other systems are
not appropriate.
•
Two common sub-types of systems.
– ODS (Ozone Depleting Substances).
– SGG (Synthetic Greenhouse Gases).
•
Many gases are being phased out through legislative changes for
environment protection.
Limitations of
Gaseous Emission Systems
•
Chemicals that contain their own supply of oxygen, e.g. [C6H7(NO2)3O5]n
used in gunpowder & nail polish.
•
Mixtures containing oxidising chemicals, e.g. NaNO3.
•
Chemicals capable of undergoing auto-thermal decomposition.
•
Reactive metals, e.g. Na, K or Mg.
•
Areas where large surfaces are heated (not by a fire) to temperature that
breaks down the chemical structure of the extinguishing agent.
Utilities & Building Structure
Supporting utilities have significant impact on
continued safe operation of a facility.
Each utility must be properly managed to prevent
potential damage to information and information
systems.
HVAC
•
Areas within heating, ventilation, and air conditioning (HVAC) system that
can cause damage to information systems include:
–
–
–
–
Temperature.
Filtration.
Humidity.
Static electricity.
Ventilation Shafts
•
While ductwork is small in residential buildings, in large commercial
buildings it can be large enough for individual to climb though.
•
If vents are large, security can install wire mesh grids at various points to
compartmentalize the runs.
Water Problems
•
Lack of water poses problem to systems, including functionality of fire
suppression systems and ability of water chillers to provide air-conditioning.
•
Surplus of water, or water pressure, poses a real threat (flooding; leaks).
•
Very important to integrate water detection systems into alarm systems that
regulate overall facilities operations.
Structural Collapse
•
Unavoidable forces can cause failures of structures that house
organization.
•
Structures designed and constructed with specific load limits; overloading
these limits results in structural failure and potential injury or loss of life.
•
Periodic inspections by qualified civil engineers assists in identifying
potentially dangerous structural conditions.
Maintenance of Facility Systems
•
Physical security must be constantly documented, evaluated, and tested
•
Documentation of facility’s configuration, operation, and function should be
integrated into DR/BCP and operating procedures
•
Testing helps improve the facility’s physical security and identify weak
points
Inventory Management
•
Computing equipment should be inventoried and inspected on a regular
basis.
•
Classified information should also be inventoried and managed.
•
Physical security of computing equipment, data storage media and
classified documents varies for each organization.
Big Picture
•
Resilience is vital and can be implemented in any number of ways.
•
Resilience can be constrained by various factors.
•
Physical security is vital also.
•
Physical security responsibility is shared.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 9
Wireless & Mobile Security
Topic Reading
•
Chapter 13: Wireless and Mobile Security.
•
Interact content.
Wireless Security & Threats
Wi-FI Networks
•
Most common form of “wireless” networking.
Standard
Max Speed
Frequencies
802.11b
11 Mbps
2.4GHz
802.11a
65 Mbps
5 GHz
802.11g
54 Mbps
2.4GHz
802.11n
600 Mbps
2.4 & 5 GHz
802.11ac
6933 Mbps
5 GHz
802.11ax
9608 Mbps
2.4, 5, 6 GHz
Other Forms of Wireless
•
Bluetooth.
• Low power, short range (5-30m).
• 2.4 GHz.
•
Near-field Communication (NFC).
• Very short range (<50mm).
• Payment terminals biggest use.
•
Radio Frequency Identification (RFID).
• Short range (<1m up to ~100m).
Other Forms of Wireless
•
Infrared.
• Mainly used for controlling other systems.
• TV, VCD etc.
•
Global Positioning System (GPS).
• Not used for data transmission.
Advantages of Wireless
•
Lower costs associated with installation & operation.
•
Easy of installation.
•
Mobility.
•
Reliability.
• Damage to “wires” not possible.
•
Disaster Recovery.
• Similar to point above.
Disadvantages of Wireless
•
Security concerns.
• Ease of access, protocol/configuration weaknesses.
•
Installation challenges (although less than wired usually).
•
Transmission speeds.
• Standards much faster now but downshifting problematic in poor
coverage areas and when many clients are connected.
•
Coverage.
• Can be tricky to fine tune coverage areas to meet requirements due to
sources of interference.
Wireless Security Overview
•
Concerns for wireless security are similar to those found in a wired
environment
•
Security requirements are the same:
– confidentiality, integrity, availability, authenticity, accountability
– most significant source of risk is the underlying communications medium
Wireless Risks
Key factors contributing to higher security risk of wireless networks compared
to wired networks include:
• Channel
– Wireless networking typically involves broadcast communications, which
is far more susceptible to eavesdropping and jamming than wired
networks
– Wireless networks are also more vulnerable to active attacks that exploit
vulnerabilities in communications protocols
• Mobility
– Wireless devices are far more portable and mobile, thus resulting in a
number of risks
Wireless Risks 2
Key factors contributing to higher security risk of wireless networks compared
to wired networks include:
• Resources
– Some wireless devices, such as smartphones and tablets, have
sophisticated operating systems but limited memory and processing
resources with which to counter threats, including denial of service and
malware
• Accessibility
– Some wireless devices, such as sensors and robots, may be left
unattended in remote and/or hostile locations, thus greatly increasing
their vulnerability to physical attacks
Wireless Data Threats
•
There are many common threats and some are not exclusive to wireless.
•
The main difference between wired and wireless networks is that access is
much easier to get in the wireless domain.
•
The most serious threats to wireless networks are…..
Wireless Data Threats
•
Man-in-The-Middle (MiTM).
• Ease of access and ability to “hide” is key.
•
Password cracking & decryption.
• Brute force attacks on wireless security protocols.
• Assuming attacker has necessary resources.
•
Packet sniffers.
• Easy to capture large volumes of traffic for analysis and attack
preparation.
•
Emergency of new technologies (e.g. 5G) gives greater opportunity to
attackers.
Wireless Network Threat Example – Rogue AP
•
A rogue access point (rogue AP) is any wireless access point that has been
installed on a network's wired infrastructure without the consent of the
network's administrator or owner, thereby providing unauthorized wireless
access to the network's wired infrastructure. (Wikipedia)
•
Used by attackers:
• To gain unauthorised access/entry point into network.
• To collect information/traffic on target wireless networks and/or clients.
Rogue AP – Protection Against
•
Keep track of all your devices with accurate, up to date, network documentation.
•
Search for rogue APs with a laptop or handheld computer with Windows’ wireless application,
the wireless network adapter’s built-in software, or third-party applications.
•
If traffic from a rogue AP does enter your network, a NIDS or NIPS solution can be
instrumental in detecting and preventing that data and data that comes from other rogue
devices.
•
Organizations commonly perform site surveys to detect rogue APs, and other unwanted
wireless devices.
•
Older APs, especially ones with weak encryption, should be updated, disabled or simply
disconnected from the network.
Mobile Device Security
An organization’s networks must accommodate:
• Growing use of new devices.
– Significant growth in employee’s use of mobile devices.
• Cloud-based applications.
– Applications no longer run solely on physical servers in corporate data
centers.
Mobile Device Security 2
An organization’s networks must accommodate:
• De-perimeterization.
– There are a multitude of network perimeters around devices,
applications, users, and data.
• External business requirements.
– The enterprise must also provide guests, third-party contractors, and
business partners network access using various devices from a multitude
of locations.
Other Security Threats
Lack of physical
security controls
Use of untrusted
networks
Interaction with
other systems
Use of untrusted
mobile devices
Use of untrusted
content
Use of
applications
created by
unknown parties
Use of location
services
Securing Wireless Networks
Best Practices
Requirements
•
Choose security measures appropriate for your network.
•
Establish and document security policies.
•
Monitor and enforce compliance of policies without exception.
•
Monitor for evolving vulnerabilities and misconfigurations.
•
Monitor for wireless intrusion and attacks.
•
Include threat response and suppression tools.
Security Policy & Enforcement
•
Authentication & encryption are a must.
•
Consider 802.1x for authentication.
• Strong authentication.
• Many variants of EAP.
•
WPA2/3 & 802.11i.
•
VPN.
•
WIPS.
EAP
•
MD5 –Weakest of the possible EAP methods, provides negligible benefits over WEP.
•
LEAP –2-way authentication without using certificates but requires passwords and is thus
susceptible to dictionary attacks.
•
TLS – Provides a very secure solution, requires client certificates.
•
PEAP – Very secure. Uses TLS to create a secure tunnel where a second authentication
mechanism can be used. Requires server certificates.
•
TTLS – Very secure. Uses TLS to create a tunnel to avoid using client certificates.
•
FAST – Very secure. Creates a secure tunnel, then uses AAA server to authenticate the
server and client.
Big Picture
•
Wireless systems are extremely common.
•
Provide access to “unknown” clients.
•
Security is largely the same as for wired networks.
•
Danger is in volume of possible users.
•
Many varied technologies used in “wireless” communications.
Thanks for watching!
ITI581 CYBER SECURITY FUNDAMENTALS
Topic 10
Cloud & Virtualization Security
Topic Reading
•
Chapter 10: Cloud and Virtualization Security.
•
Interact content.
Cloud Computing
The “Cloud”
•
•
•
This can be an intimidating concept to comes to terms with but is really quite
simple.
Cloud Service Providers (CSP) simply provide business compute services via
the Internet.
Common cloud examples include:
• Google.
• Amazon Web Services.
• Microsoft Azure.
• Apple iCloud.
Cloud Definition
•
A more formal definition from NIST:
“Cloud computing is a model for enabling ubiquitous, convenient, on demand
network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal
management effort or service provider interaction.”
Why use Cloud?
•
Benefits include:
•
On-demand self-service compute services.
•
Scalability.
– Vertical.
– Horizontal.
From page 385 of text.
Why use Cloud?
•
Benefits include:
•
Elasticity.
•
Measured Service.
•
Agility & Flexibility.
Cloud Roles
•
CSP
•
Consumers
•
Partners
•
Auditors
•
Carriers.
Service Models
•
All based on the acronym XaaS – meaning X as a Service.
•
IaaS – Infrastructure.
•
SaaS – Software.
•
PaaS – Platform.
•
FaaS – Function.
Deployment Models
•
Public Cloud.
• Typically thought of deployment model.
• Supports all XaaS models (multi-tenant model)
•
Private Cloud.
• Any cloud infrastructure deployed and used by a single customer.
•
Community Cloud.
• Shares characteristics of both Public and private cloud deployments.
– Multi-tenated to members of a specific community.
•
Hybrid Cloud.
• Catch all term for models that use all of the above.
Virtualization
Virtualized Machines
•
CSPs, and private companies, make extensive use of virtualized platforms.
•
Virtual host hardware run specialised operating systems (hypervisors).
•
Virtual Machines (VM) run on top of the hypervisor.
•
Virtual hosts can use “virtually” any regular operating system.
Hypervisors
•
Primary responsibility is enforce isolation between virtual machines.
•
Two types of Hypervisors:
• Type I, also known as bare metal hypervisors, operate directly on top of
the supporting hardware platform.
Hypervisors
•
Type II hypervisors run as an application of top of an existing operating
system.
Cloud Security Issues
Cloud Responsibilities
Cloud Security Issues
•
Availability
•
Data Sovereignty
•
Virtualization Security
•
Application Security
•
Governance and Auditing
Cloud Security Controls
Cloud Access Security
Brokers.
Software tools that serve as
intermediaries between users
and CSPs.
Resource Policies.
Policies that limit damage
caused accidentally or
maliciously.
Secrets Management.
Special purpose compute
modules that manage
encryption.
Cloud Security Controls
Security groups
Security groups define permitted traffic
(similar to firewall rules). These can be
enforced at various points within the cloud
environment.
Microsegmentation
Microsegmentation – similar to security
groups – but can be very granular when
implementing permitted communication
between VMs. Enforced at hypervisor.
Availability zones
Can specify where resources will be
deployed (to enforce diverse locations
and redundancy)
Big Picture
•
Cloud computing brings many challenges with it.
•
Responsibility for security is shared and distributed.
•
Control is potentially difficult.
Congratulations…you have reached the end!