Data
Facts, stats, or information collected and stored in a form that is processable by computers - can be quantitative or qualitative
Services
Delivery of value to customers by facilitating outcomes customers want to achieve without ownership of specific costs and risks
Through services, customers can achieve certain outcomes, minus the…
Ownership of specific costs and risks
Primary concepts of data (3)
Confidentiality, integrity, and availability
Confidentiality
Prevention of unauthorized disclosure of information
Integrity
Ensuring info is protected from unauthorized or unintentional alteration, modification, or deletion
Availability
Ensures that info is readily accessible to authorized users
5 common types of attacks
-DDOS
-Malware attacks
-SQL injection
-Man in the middle
-Email attacks
DDOS
Attacks aim to overwhelm system, server or network with traffic, making it unavailable to its intended users
MitM attacks
Attackers intercept and alter communication between two parties without their knowledge
Email malware
Malicious software including viruses, worms, and Trojans, designed to damage, disrupt, or gain unauthorized access to computer systems (can delete files, steal data, or encrypt data)
Email phishing
Sending fraudulent emails or messages that appear to be from reputable sources to trick people into sharing sensitive information
Social engineering/spoofing
Manipulating individuals into performing actions or divulging confidential information - exploits human psychology rather than technical vulnerabilities
Virus
Type of malware that attaches itself to a legitimate program or document and can replicate itself - can corrupt or modify files
Worm
Worm can replicate itself (similar to a virus), but does so across a network, without needing to attach to a specific program
Trojan Horse
Deceptive type of malware that disguises itself as a legitimate and harmless software - do not replicate themselves but can perform malicious actions
Ransomware
Encrypts victim’s data and demands a ransom for the decryption key
Spyware
Spies on user’s activities and collects information secretly
Adware
Intrusive but less harmful - unwanted advertisements
Rootkit
Designed to gain unauthorized root or administrative access to a computer - hard to detect
Keylogger
Records keystrokes made on a computer - steals passwords, credit card numbers
Botnet
Network of infected computers, called bots, controlled by a third party - used to perform large-scale activities like DDoS attacks, spamming, crypto mining
Fileless malware
Unlike traditional malware, fileless malware doesn’t rely on files and resides in a computer’s memory
Sources of malware (6)
Removable media
Documents and executable files
Internet downloads
Network connections
Email attachments
Malicious advertisements
Insider threats
Involve individuals within the organization who have access to sensitive information and systems - can be intentional or unintentional
Zero-Day Exploit
Attackers exploit a security vulnerability before the software vendor has issued a patch for it - unknown vulnerabilities
Security incident
Event that leads to violation of an organization’s security policies and puts sensitive data at risk of exposure
Security incident is a broad term that includes…
Malware infection, unauthorized access, insider breaches, DDOS attacks, loss of equipment, destructive attacks…
Breach
Impermissible use or disclosure that compromises the security or privacy of information
How can data breaches occur?
Person gaining unauthorized access to a system that contains sensitive data
Loss or theft of device or physical documents that contain electronic personal data
Corruption of sensitive data (e.g., ransomware attack) that affects availability of personal data
HIPAA Breach Notification Rule risk assessment
Nature and extent of affected personal health info
Who gained unauthorized access
Whether anyone actually viewed or acquired the PHI
Extent to which risk has been mitigated
When a security incident occurs, orgs need to conduct a multi-factor risk assessment to determine…
Whether it was a data breach
How to defend against attacks
Identify
Protect
Detect
Respond
Recover
Identify
Develop organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities
Protect
Implement safeguards to ensure delivery of critical infrastructure services
Detect
Identify occurrence of a cybersecurity event
Respond
Take action regarding a detected cybersecurity incident
Recover
Maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity incident
Traditional IT security methods
Applying list of controls
Using generic security framework to decide what to secure
Consider as separate IT practice
Considered or applied at end of design process
Why is control critical?
Attacks can take advantage of new hardware that is not yet configured and patched with appropriate security updates
Devices that are not visible from the Internet can be used by attackers who have already gained internal access
Additional systems that connect to the enterprise’s network should also be managed carefully and/or isolated
Large, complex enterprises struggle with the challenge of managing intricate, fast-changing environments
Attackers have shown patience, ability, and willingness to “inventory and control” our assets at a very large scale in order to support their opportunities
Preventative controls
Prevent security violations and enforce access control
Detective controls
Detect security violations and alert defenders - come into play when preventative controls have failed or have been circumvented
Corrective controls
Try to correct the situation after security violation has occurred
Deterrent controls
Intended to discourage potential attackers and send the message that it is better not to attack and that we can defend ourselves
Recovery controls
Similar to corrective controls, but applied in more serious situations to recover from security violations and restore information
Compensating controls
Alternative arrangements for other controls when the original controls have failed and cannot be used
Why aren’t control frameworks enough?
Do not provide security teams with enough structure for detailed roadmap planning
May not adequately describe organizational risk or may be simply paying lip service to them
Do not always reflect evolution in business, IT or security technologies
EA’s role in cybersecurity
Strategic alignment between cybersecurity and organization’s overall objectives and processes
EA helps manage cyber risks
Organizations can establish robust governance structure through governance and compliance
EA enables integration of security solutions across organization
EA is instrumental in developing information security architecture that aligns with the overall enterprise architecture
Security architecture frameworks can be used successfully in conjunction with…
Security architecture methodologies
Recommendations for implementation
Adopt security architecture thinking
Start your security architecture evolution
Create your security architecture
Maintain live security architecture
What is a mixed approach to security architecture?
Combining methodology and framework approach - organization needs support identifying security business needs & organization wants to use NIST CSF to help define logical security architecture
What is a good way to help project teams understand the fundamental expectations for security in their deployment?
Designing and constructing security reference architectures
When aligning SA to business needs, it is important to consider…
Risk appetite of the organization
Business and services being done
What is valuable
Security architecture can forget to…
Incorporate business goals and instead focus on ultimate security
SA must align with organizational governance because…
It provides security architecture’s authoritative enterprise bounds
Principle of least privilege
Do not give any more privileges than absolutely necessary to do the required job
Defense in depth
More than one layer of defense - 2+ layers are more difficult to breach, and works best when you combine 2+ different types of defense mechanisms
Minimization
Do not run any software, applications, or services that are not strictly required to do the entrusted job (mostly applies to system configuration)
Cost-benefit analysis
Overall benefits received from a particular security control or mechanism should clearly exceed its total costs; otherwise, implementing it would make no sense
Segmentation
Use of compartments - principle that limits damage and protects other compartments when software in one compartment is malfunctioning or compromised
Keeping things simple - importance
Complex systems are inherently more insecure because they are difficult to design, implement, test, and secure
It’s important to draw the line between avoidable complexity and…
Unavoidable complexity - do not sacrifice security for bells and whistles
Failing securely
If a security measure or control has failed for whatever reason, the system is not rendered to an insecure state
Examples of failing securely
If a firewall fails, it should default to “deny all”, not “permit all”
Computer-controlled building access control system - in case of fire, system should default to “open doors”
Securing the weakest link - importance
Software security system is only as secure as its weakest component - identify and strengthen weak links until an acceptable level of risk is achieved
Using choke points
Logical narrow channels that can be easily monitored and controlled
Leveraging unpredictability
Do not publicize details of your security measures and defenses
Deterrent controls don’t provide details of defenses; instead, they…
Merely announce their existence so as to deter potential attackers without giving them detailed information that later may be used against defenders
Segregation of duties
Avoid possibility of a single person being responsible for different functions within an organization so that no single person should be able to violate security (e.g., rotation of duties)
Threat modeling components
Assets
Vulnerabilities
Threat
Attack
Threat modeling
Process by which potential threats can be identified and mitigations can be provided
Zero trust security model
IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter
Key principles of Zero Trust
Strict identification required for every person and device
No users or machines are automatically trusted
Least-privilege access
Microsegmentation
Multifactor authentication
Strict controls on device access
Multi-factor authentication
Requiring more than one piece of evidence to authenticate a user