Cyber Security Crash Course
John Wallhoff (CISA, CISM, CISSP)
Scillani Information AB
Cyber security crash course ’15 by John Wallhoff (john.wallhoff@scillani.se)
Disclaimer
This session is a crash course, NOT a case study presentation.
Your guide and his journey
John Wallhoff (CISA, CISM, CISSP)
Wife + Son & Daughter
Bachelor of Science in Business Administration and Economics, specialisation entrepreneurship
ERP (6 years)
Accounting and Finance (2 years)
IT audit & Analytics (3 years)
Security (2 years)
Entrepreneur (12 years)
Scillani Information: Fraud & Corruption, Analytics, Security, ITSM
itSMF member since 2004
Board member itSMF Sweden 2006-2012
Chairman itSMF Sweden 2010-2012
Cyber security crash course
Understand the basics
Enable resistance
Use technology
Incident response
Manage & Govern
Test – Cyber security crash course ‘15
Not covered today
Cyber security related:
! RESILIA (Axelos)
! CSX (ISACA)
! Framework for Improving Critical Infrastructure Cybersecurity (NIST)
Information security related:
! ISO/IEC 27000 series
! Standard of Good Practice for Information Security (ISF)
Let’s get started
What is cyber security
! ”Framework for Improving Critical Infrastructure Cybersecurity” (NIST - National Institute of Standards and Technology, February 12, 2014)
! The process of protecting information by preventing, detecting, and responding to attacks.
! ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals” (ISACA, Study Guide 2015)
! The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.
! ”ITU-T X.1205, Overview of cybersecurity” (Telecommunication Standardization Sector of ITU, 18 April 2008)
! Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.
Definition: Information security
! Confidentiality is the protection of information from unauthorized access or disclosure.
! Integrity is the protection of information from unauthorized modification.
! Availability ensures the timely and reliable access to and use of information and systems.
What is risk
Risk = Probability * Consequence (Risk = Likelihood * Impact)
! Risk assessment (2): A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.
! Risk management (2): The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term “control” is used as a synonym for “measure.”
! Risk treatment (2): The process of selection and implementation of measures to modify risk.
! Risk acceptance (1): If the risk is within the enterprise’s risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.
! Residual risk (1): The remaining risk after management has implemented a risk response.
Source: (1) ISO/IEC Guide 73:2002, (2) ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals”, ISACA, Study Guide 2015
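As an added example (not from the slides), a small risk register in Python ties these definitions together: each risk gets an inherent score of Likelihood * Impact, a treatment lowers one or both factors, the residual risk is compared against the enterprise's risk tolerance to decide on acceptance, and the assessment ranks items so the highest risks surface first. The 1-5 scales, the tolerance value and the sample risks are assumptions made for the example.

```python
# Added example (not from the slides): a minimal risk register applying the
# deck's definitions. Risk = Likelihood * Impact on 1-5 scales; a treatment
# (control) lowers likelihood and/or impact, leaving a residual risk that is
# either accepted (within tolerance) or sent back for further treatment.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Treatment:
    """A control (measure) that modifies risk; the reductions are assumptions."""
    name: str
    likelihood_reduction: int = 0   # points taken off likelihood (1-5 scale)
    impact_reduction: int = 0       # points taken off impact (1-5 scale)


@dataclass
class Risk:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    treatments: List[Treatment] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any treatment: Likelihood * Impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Remaining risk after all treatments; each factor never drops below 1."""
        lik = max(1, self.likelihood - sum(t.likelihood_reduction for t in self.treatments))
        imp = max(1, self.impact - sum(t.impact_reduction for t in self.treatments))
        return lik * imp


def decide(risk: Risk, tolerance: int) -> str:
    """Risk acceptance: accept if the residual risk is within tolerance, else treat further."""
    return "accept" if risk.residual() <= tolerance else "treat"


def assess(register: List[Risk], tolerance: int) -> List[Tuple[str, int, int, str]]:
    """Risk assessment: rank by inherent risk so the highest-risk items come first."""
    ranked = sorted(register, key=lambda r: r.inherent(), reverse=True)
    return [(r.name, r.inherent(), r.residual(), decide(r, tolerance)) for r in ranked]


# Constructed sample register (illustrative values, not from the slides).
REGISTER = [
    Risk("Ransomware on file server", 4, 5,
         [Treatment("Offline backups", impact_reduction=3),
          Treatment("Email filtering", likelihood_reduction=1)]),
    Risk("Phishing of finance staff", 5, 3,
         [Treatment("Awareness training", likelihood_reduction=2)]),
    Risk("Lost unencrypted laptop", 3, 4),
    Risk("Website defacement", 2, 2),
]
TOLERANCE = 6   # assumed enterprise risk tolerance on the 1-25 scale

if __name__ == "__main__":
    for name, inherent, residual, action in assess(REGISTER, TOLERANCE):
        print(f"{name:28} inherent={inherent:2} residual={residual:2} -> {action}")
```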
Threat and Vulnerabilities
! Threat (1)
  ! Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
! Vulnerability (2)
  ! A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Source: (1) ISO/IEC Guide 73:2002, (2) ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals”, ISACA, Study Guide 2015
Types of attacks
! Advanced persistent threats (APT)
! Backdoor
! Buffer overflow
! Cross-site scripting (XSS)
! Denial-of-service (DoS) attack
! Man-in-the-middle attack
! Social engineering
! Phishing
! Spoofing
! Structured Query Language (SQL) injection
! Zero-day exploit
Types of malicious code
! Viruses
! Network worm
! Trojan horses
! Botnets
! Keylogger
! Rootkit
! Spyware
! Adware
! Ransomware
The Firewall
! The role
  ! Block access
  ! Limit traffic
  ! Prevent users
  ! Monitor communication
  ! VPN tunnel between servers in the organisation
! Types
  ! Packet filtering
  ! Application firewall
  ! Stateful inspection
Encryption
! Two types of cryptographic systems
  ! Symmetric Key Systems—These use single, secret, bidirectional keys that encrypt and decrypt
  ! Asymmetric Key Systems—These use pairs of unidirectional, complementary keys that only encrypt or decrypt. Typically, one of these keys is secret, and the other is publicly known.
! The strength of encryption depends upon
  ! Crypto design
  ! Length of the encryption key
Encryption
! Examples of encryption and how it is used
! Public Key Infrastructure (PKI)
! Advanced Encryption Standard (AES)
! Wi-Fi Protected Access (WPA)
! Secure Sockets Layer (SSL)
! Secure Shell (SSH)
! Internet Protocol Security (IPSec)
! Pretty Good Privacy (PGP)
! Challenge-response authentication
! Digital signatures
! Hard disk and file encryption
The security architecture
! The security perimeter
  ! System-centric, placing controls at the network and system levels to protect the information stored within
  ! Data-centric, protection of data regardless of its location
! Internet perimeter
  ! Route traffic, Prevent, Monitor, Detect activity, Control traffic, Identify/block, Eliminate threats, Filtering
Source: ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals”, ISACA, Study Guide 2015
The security architecture
! Virtual local area networks (VLANs)
  ! Configuration at port level on a switch to enable the devices attached to communicate
! Security zones
  ! Creating separate zones that require more granular control
! Demilitarized zone (DMZ)
  ! A network segment that is located between the protected and the unprotected
! Honey pot
  ! Decoy servers or systems set up to gather information regarding an attacker or intruder
The security architecture
! Intrusion detection systems (IDS)
  ! Monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack.
! Log servers
  ! Capturing log data on dedicated servers
! Antivirus protection
  ! Protection that blocks and removes viruses and malware
! Whitelisting
  ! A list of services and access that is accepted to use/access
Incident response
Source: (1) ITIL v3 Handbook, (2) SS-ISO/IEC 27002:2014
Incident management, ITIL (1): Incident identification, Incident logging, Incident categorisation, Incident prioritisation, Initial diagnosis, Escalation?, Investigation and diagnosis, Resolution and recovery, Incident closure, Major incident?
Incident management, ISO 27K (2): Collecting evidence, Logging of activities, Communicating incident, Dealing with weakness(es), Closing and recording, Forensics analysis?, Escalation?
What is to be considered as an information security event (2):
a) ineffective security control;
b) breach of information integrity, confidentiality or availability expectations;
c) human errors;
d) non-compliances with policies or guidelines;
e) breaches of physical security arrangements;
f) uncontrolled system changes;
g) malfunctions of software or hardware;
h) access violations.
Malfunctions or other anomalous system behaviour may be an indicator of a security attack or actual security breach and should therefore always be reported as an information security event.
Event or incident to security (diagram)
Event → Filter → Information / Warning / Exception
Information → Log; Warning → Alert; Exception → Auto response / Incident / Problem / Change
Incident → Security incident
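As an added example (not from the slides), the event filter sketched in the diagram above and the ISO 27002 list of reportable conditions from the previous slide can be combined into a small Python classifier: each event is filtered into Information (logged), Warning (alert) or Exception (auto response plus an incident record), and exceptions that match a reportable condition are flagged as security incidents. The log format, the regex rules and the sample events are assumptions made for the example.

```python
# Added example (not from the slides): an event filter in the spirit of the
# "Event or incident to security" flow. Raw events become Information (log),
# Warning (alert) or Exception (auto response + incident); exceptions matching
# the ISO 27002 reportable conditions are flagged as security incidents.
import re
from typing import Dict, List

# Constructed sample events in an assumed "<source> <severity> <message>" format.
EVENTS = [
    "backup INFO nightly job completed in 41 min",
    "disk WARN /var at 91% capacity",
    "auth ERROR 25 failed logins for admin from 203.0.113.7 in 60s",
    "app ERROR unhandled exception in payment module",
    "fw INFO rule 12 permitted 1.2k flows",
    "av ERROR quarantined Trojan.Generic on WS-042",
]

# Conditions the slide lists as information security events: access violations,
# malicious code and malfunctions (which must always be reported). Patterns are assumptions.
SECURITY_PATTERNS = [
    (re.compile(r"failed logins|access denied|privilege", re.I), "access violation"),
    (re.compile(r"quarantined|malware|trojan|virus", re.I), "malicious code"),
    (re.compile(r"unhandled exception|malfunction|crash", re.I), "malfunction (report as security event)"),
]


def classify(event: str) -> Dict[str, str]:
    """Filter one event into Information / Warning / Exception plus the follow-up action."""
    source, severity, message = event.split(" ", 2)
    record = {"source": source, "message": message}
    if severity == "INFO":
        record.update(kind="Information", action="log")
    elif severity == "WARN":
        record.update(kind="Warning", action="alert")
    else:
        # Exception: automatic response and an incident record; check whether it
        # also qualifies as an information security incident.
        record.update(kind="Exception", action="auto response + incident")
        for pattern, label in SECURITY_PATTERNS:
            if pattern.search(message):
                record["security_incident"] = label
                break
    return record


def security_incidents(events: List[str]) -> List[Dict[str, str]]:
    """Only the exceptions that should be raised as security incidents."""
    return [r for r in map(classify, events) if "security_incident" in r]


if __name__ == "__main__":
    for rec in map(classify, EVENTS):
        print(rec)
```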
Digital Forensics
Definition: Process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law) (1)
(1) McKemmish, D. Rodney. Computer and Intrusion Forensics, Artech House, USA, 2003: ”The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law)”
Phases (diagram): Identify → Preserve → Analyze → Present
Related topics (diagram): Data Protection, Data Acquisition, Imaging, Extraction, Normalization, Reporting, Network Traffic Analysis, Log File Analysis, Digital Forensic Tools, Time Lines, Anti-forensics, Forensic Chain of Events, Forensic Chain of Events: Key elements, Interrogation
Incidents and crisis (diagram)
Incident → Major Incident → Crisis
Disturbance → Disruption
Incident procedures, Major incident procedures, Continuity plans, Recovery plans, External events
IT and digital assets (Cyber security); The Organisation (Information security)
Continuity planning
Continuity planning covers organisation-related continuity planning, IT-related continuity planning and crisis management.
Plan: Identify and assess risks and assets, create detailed plans
Implement: Implement solutions, assign responsibilities and roles, test
Follow up: Verify if plans are effective/efficient, incident analysis
Improve: Processes, People, Technology, Partners
Dependencies to consider:
! IT operations internally: Resources and key competence; Internal SLA and OLA
! IT operations outsourced: Analysis of your priority, ensure routes of information; SLA & penalties in contracts
! Cloud services: Analysis of dependencies, identify routes of information; Standard contracts and SLA
For all continuity planning: Relevant and continuous communication to employees, customers and stakeholders!
Taking into account
Source: (1) ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals” (ISACA, Study Guide 2015), (2) http://www.opscentre.com.au/blog/tag/maximum-tolerable-outage/
RPO, Recovery point objective: Determined based on the acceptable data loss in case of a disruption of operations (1)
RTO, Recovery time objective: The amount of time allowed for the recovery of a business function or resource after a disaster occurs (1)
MTO, Maximum Tolerable Outage: The maximum amount of time a system or resource can remain unavailable before its loss starts to have an unacceptable impact on the goals or the survival of an organisation (1, 2)
SDO, Service Delivery Objective: Directly related to the business needs, is the level of services to be reached during the alternate process mode until the normal situation is restored (1)
BIA, Business Impact Analysis: Evaluating the criticality and sensitivity of information assets (1)
(diagram: Disturbance → Disruption)
(Cyber security) strategy
Source: Cobit 5, Enabling processes
Organisation: Understand where the organisation is and its direction
Current situation: Assess current environment, capabilities and performance
Target: Define the target IT capability; do a gap analysis
Plan: Define a strategic plan and action plan
Communication: Communicate strategy and direction
Information security policy
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to information security;
b) assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies.
Source: SS-ISO/IEC 27002:2014
Policies structure
Source: SS-ISO/IEC 27002:2014
Organisational policy: Information security policy
Issue specific policies (focus on operations, focus on technology, focus on users): Access control policy; Mobile devices; Teleworking; Use of cryptographic controls; Key management (cryptographic); Clear desk and clear screen; Personally identifiable information; Restrictions on software installations and use; Backup; Supplier relationships; Secure development; Communications security; Use of networks and network services; Record retention; Maintaining appropriate licence
Operational procedures
! Vulnerability scanning
  ! Search for known vulnerabilities
! Penetration testing
  ! Identifying existing vulnerabilities and then using common exploit methods to:
    ! Confirm exposures
    ! Assess the level of effectiveness and quality of existing security controls
    ! Identify how specific vulnerabilities expose IT resources and assets
    ! Ensure compliance
! Systems monitoring
  ! Continual oversight over performance and events
! Security audits
  ! 3rd party audit of products, processes, people and partners
Source: SS-ISO/IEC 27002:2014
Last words to guide you
Security Architecture
! Create an architecture with processes/procedures that will enable the organisation to prevent and/or minimize the impact from intrusion, errors and mistakes
! Requires skills in technology and process/procedures
Investigation readiness
! Create and maintain the capability to understand characteristics of suspicious activities, disruption and disturbances to be able to act in an effective and efficient manner.
! Requires interaction with legal and authorities
Cyber security crash course
Test – Cyber security crash course ‘15
Are you ready for the test?
See you again
John Wallhoff (CISA, CISM, CISSP)
Management consultant / Expert advisor: Fraud & Corruption – Analytics – Information & Cyber security – IT Service Management
Scillani Information AB
Ekgatan 6, SE 230 40 BARA, Sweden – Vestergade 16, DK 1456 COPENHAGEN, Denmark
E-mail: [email protected]
LinkedIn: http://www.linkedin.com/pub/john-wallhoff/1/48b/a69
Skype: john.wallhoff
Web: www.scillani.se
Mobile: +46 (0)707 743131
Phone: +46 (0)40 543131