Chapter 11 Network Security

1. Threats and Control: Why the Big Concern with Cybersecurity

  • Rise of ubiquity and connectivity (computing is EVERYWHERE)

    • From a tech perspective, internet architecture was not built to incorporate security standards

  • Ease of cybercrime

    • Moved from a hobby to professional criminal behavior

  • Increase in profile of targets

    • Hacktivism (trying to take down a site)

  • Increase in value of data and digital property

    • Enormous economic loss (the average data breach costs 3.5 million)

  • Lagging nature of law enforcement

  • Industry cyber regulations

2. CIA goals

Three goals of network security: CIA!

  • Confidentiality: protection from DISCLOSURE

    • data seen only by certain people

  • Integrity: data ASSURANCE

    • make sure data hasn’t been tampered with

  • Availability: CONTINUOUS OPERATION

    • making sure everything is running!

3. Two Broad Threats to CIA

Business Continuity: making certain your org can withstand disruptions, destruction, and disasters (plan in org on how to deal with threats to availability)

  • this is a threat to AVAILABILITY

Preventing Unauthorized Access (intrusion): unauthorized entities gaining access and potentially stealing, changing, or destroying data

  • threat to CONFIDENTIALITY AND INTEGRITY

  • keep unauthorized people out of your network

4. Network Controls

To counter threats we put controls in place (ex: traffic control, think traffic lights)

  • they can be hardware, software, rules, and/or procedures

    • NOT REACTIVE: put in place ahead of time

They help keep the network safe!!

5. Preventative Controls

Mitigate adverse events

  • can act as a deterrent

    • EX: Insurance, username + password

STRONGEST

6. Detective Controls

Discover unwanted events

  • can alert or correct

    • EX: people watching to make sure intruders don’t get into your network

7. Corrective Controls

Fix an unwanted event

  • Autonomous: code fixes the unwanted event, NOT a HUMAN

8. How do you know what to secure??

Need to Analyze and Prioritize what to secure and how much to spend securing it

  • PERFORM A RISK ASSESSMENT

Which systems are at high risk vs. low risk, and which are high value vs. low value?

9. FIVE STEPS TO RISK ASSESSMENT

  1. Develop risk assessment criteria

  2. Inventory IT/IS assets

  3. Identify Threats

  4. Document existing controls

  5. Identify improvements

10. Common risk assessment frameworks to use to conduct an assessment

OCTAVE [CERT]; COBIT [ISACA]; NIST RMF; DoD RMF; FAIR; ISO standards

11. Develop Risk Assessment Criteria

Measures to evaluate how a security threat will affect the organization

  • Financial

  • Productivity

  • Reputation

  • Safety

  • Legal

Which ones are catastrophic and probable?? Then rank them based on how much damage each would do to the org.

12. Inventory IT ASSETS

Need to identify the most important applications and data to the org and plan to PROTECT them

  • need to rate the level of importance of each asset to the org

SIX ASSET TYPES (most common)

  • hardware, circuits, network software, client software, org data, mission-critical applications

EX: data asset might be most important

13. Identify Threats

Several types of threats (EX: malware, natural disaster)

  • threat level depends on the mission and visibility of your company/org

Create Threat Scenarios: which types of threats would impact the org, and to what level

  • determine the likelihood of each and then calculate the impact score

14. Document Existing Controls

Based on the risk score, you develop a RISK CONTROL STRATEGY

Four ways to mitigate risk:

  • Accept risk: low impact, low cost

    • EX: investing

  • Mitigate risk: institute controls

    • EX: a manufacturing company replacing a toxic chemical with a safer alternative to reduce health and environmental hazards.

    • Seatbelts

  • Share risk: insurance

  • Defer risk

15. Identifying Improvements

Risk assessment is an ongoing process

  • KEEP ASSESSING

    • A program NOT a project

16. Ensuring Business Continuity

How well the business stays continuous

Make certain the ORG keeps Operating

  • Virus Protection = malware

  • Denial of Service Protection = traffic analysis

  • Threat Protection = physical security

  • Device Failure Protection = redundancy

  • Disaster Protection = business continuity planning to recover from disaster

These are PREVENTIVE

17. Intrusion Prevention

REACTIVE!

Who are the intruders?

  • Casual Intruders: run network scans, have limited knowledge about computers

  • Knowledgeable thrill-seekers: Hackers: break in while they can; Pen Testers: break into an org, paid by that org to do it (to make sure it’s secure)

  • Professional Attackers: Looking to get into your network for profit (VERY BAD!)

    • target orgs, use various types of attacks

    • ADVANCED PERSISTENT THREATS

  • Insider Threat Intruders: MOST DANGEROUS

    • Someone with legitimate access to the network (an employee) who gains access to info that they shouldn’t have

18. ADVANCED PERSISTENT THREATS (APT)

Professional attackers use this

  • A single accident within the network can let these people through!

Long-term cyberattack where a skilled intruder or group of intruders gains unauthorized access to a network and remains undetected for an extended period

19. How to keep intruders OUT!

  • security policies (Duo)

  • perimeter security and firewalls (a firewall server sits at the edge of the network)

    • types of firewalls

  • physical security (badges)

  • Server and Client Protection (being able to wipe a phone if need be)

  • encryption: asymmetric and symmetric (know what each is and what it is not)

  • User Authentication (username + password)

  • Social Engineering Prevention (send emails; never send a password through your email)

  • Intrusion Prevention Systems (IPS: work with AI, respond in real time)

This is how to enforce CIA!

20. Best Practice

  • Clear security policy (employees sign an agreement form)

  • Clear disaster recovery plan (know what to do if your network goes down, ex: have a backup somewhere else)

  • User Training

  • Two-Factor authentication (username + password and then Duo)

  • Encryption

  • Continuous Management (make sure it’s happening)