Cyber Security Crash Course John Wallhoff (CISA, CISM, CISSP) Scillani Information AB Cyber security crash course ’15 by John Wallhoff ([email protected])
Page 1: Cyber Security Crash Course - itSMF Finland security crash course: Understand the basics, Enable resistance, Use technology, Incident response, Manage & Govern, Test – Cyber security crash

Cyber Security Crash Course John Wallhoff (CISA, CISM, CISSP) Scillani Information AB


Page 2

Disclaimer: This session is a crash course, NOT a case study presentation.


Page 3

Your guide and his journey: John Wallhoff (CISA, CISM, CISSP)

- Wife + son & daughter
- Bachelor of science degree in business administration and economics, specialisation entrepreneurship
- ERP (6 years)
- Accounting and finance (2 years)
- IT audit & analytics (3 years)
- Security (2 years)
- Entrepreneur (12 years)
- Scillani Information: fraud & corruption, analytics, security, ITSM
- itSMF member since 2004; board member itSMF Sweden 2006-2012; chairman itSMF Sweden 2010-2012


Cyber security crash course

- Understand the basics
- Enable resistance
- Use technology
- Incident response
- Manage & Govern
- Test – Cyber security crash course ‘15


Page 4

Not covered today

Cyber security related:
- RESILIA (Axelos)
- CSX (ISACA)
- Framework for Improving Critical Infrastructure Cybersecurity (NIST)

Information security related:
- ISO/IEC 27000 series
- Standard of Good Practice for Information Security (ISF)


Let’s get started


Page 5

What is cyber security

- ”Framework for Improving Critical Infrastructure Cybersecurity” (NIST - National Institute of Standards and Technology, February 12, 2014): The process of protecting information by preventing, detecting, and responding to attacks.
- ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals” (ISACA, Study Guide 2015): The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.
- ”ITU-T X.1205, Overview of cybersecurity” (Telecommunication Standardization Sector of ITU, 18 April 2008): Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.


Definition: Information security

- Confidentiality is the protection of information from unauthorized access or disclosure.
- Integrity is the protection of information from unauthorized modification.
- Availability ensures the timely and reliable access to and use of information and systems.


Page 6

What is risk

Risk = Probability * Consequence (Risk = Likelihood * Impact)

- Risk assessment (2): A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.
- Risk management (2): The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term “control” is used as a synonym for “measure.”
- Risk treatment (2): The process of selection and implementation of measures to modify risk.
- Risk acceptance (1): If the risk is within the enterprise’s risk tolerance, or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.
- Residual risk (1): The remaining risk after management has implemented a risk response.

Source: (1) ISO/IEC Guide 73:2002, (2) ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals”, ISACA, Study Guide 2015


Threats and vulnerabilities

- Threat (1): Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
- Vulnerability (2): A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

Source: (1) ISO/IEC Guide 73:2002, (2) ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals”, ISACA, Study Guide 2015


Page 7

Types of attacks

- Advanced persistent threats (APT)
- Backdoor
- Buffer overflow
- Cross-site scripting (XSS)
- Denial-of-service (DoS) attack
- Man-in-the-middle attack
- Social engineering
- Phishing
- Spoofing
- Structured Query Language (SQL) injection
- Zero-day exploit


Types of malicious code

- Viruses
- Network worm
- Trojan horses
- Botnets
- Keylogger
- Rootkit
- Spyware
- Adware
- Ransomware


Page 8

The Firewall

- The role:
  - Block access
  - Limit traffic
  - Prevent users
  - Monitor communication
  - VPN tunnel between servers in the organisation
- Types:
  - Packet filtering
  - Application firewall
  - Stateful inspection


Encryption

- Two types of cryptographic systems:
  - Symmetric key systems: these use single, secret, bidirectional keys that encrypt and decrypt.
  - Asymmetric key systems: these use pairs of unidirectional, complementary keys that only encrypt or decrypt. Typically, one of these keys is secret, and the other is publicly known.
- The strength of encryption depends upon:
  - Crypto design
  - Length of the encryption key


Page 9

Encryption

Examples of encryption and how it is used:
- Public Key Infrastructure (PKI)
- Advanced Encryption Standard (AES)
- Wi-Fi Protected Access (WPA)
- Secure Sockets Layer (SSL)
- Secure Shell (SSH)
- Internet Protocol Security (IPSec)
- Pretty Good Privacy (PGP)
- Challenge-response authentication
- Digital signatures
- Hard disk and file encryption


The security architecture

- The security perimeter:
  - System-centric: placing controls at the network and system levels to protect the information stored within
  - Data-centric: protection of data regardless of its location
- Internet perimeter: route traffic, prevent, monitor, detect activity, control traffic, identify/block, eliminate threats, filtering

Source: ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals”, ISACA, Study Guide 2015


Page 10

The security architecture

- Virtual local area networks (VLANs): configuration at port level on a switch to enable attached devices to communicate
- Security zones: creating separate zones that require more granular control
- Demilitarized zone (DMZ): a network segment that is located between the protected and the unprotected network
- Honey pot: decoy servers or systems set up to gather information regarding an attacker or intruder


The security architecture

- Intrusion detection systems (IDS): monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack
- Log servers: capturing log data on dedicated servers
- Antivirus protection: protection that blocks and removes viruses and malware
- Whitelisting: a list of services and access that is accepted to use/access


Page 11

Incident response

Source: (1) ITIL v3 Handbook, (2) SS-ISO/IEC 27002:2014

Incident management, ITIL (1):
- Incident identification
- Incident logging
- Incident categorisation
- Incident prioritisation
- Initial diagnosis
- Escalation?
- Investigation and diagnosis
- Resolution and recovery
- Incident closure
- Major incident?

Incident management, ISO 27K (2):
- Collecting evidence
- Logging of activities
- Communicating incident
- Dealing with weakness(es)
- Closing and recording
- Forensics analysis?
- Escalation?

What is to be considered an information security event:
a) ineffective security control;
b) breach of information integrity, confidentiality or availability expectations;
c) human errors;
d) non-compliances with policies or guidelines;
e) breaches of physical security arrangements;
f) uncontrolled system changes;
g) malfunctions of software or hardware;
h) access violations.

Malfunctions or other anomalous system behaviour may be an indicator of a security attack or actual security breach and should therefore always be reported as an information security event.


Event or incident to security (slide diagram, ITIL event management): Event → Filter → Information, Warning or Exception. Information → Log; Warning → Alert; Exception → Auto response, Incident, Problem or Change. The diagram places ”Security incident” on the Incident / Problem / Change path.
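The filter step of the diagram above, as an added example that is not from the slides: constructed log lines are classified as Information, Warning or Exception, routed to Log, Alert or Auto response, and each exception opens one security incident tagged with the ISO/IEC 27002 event type from the previous slide. The key=value log format, the event kinds and the three-failure threshold are assumptions made for this example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log (key=value format is an assumption for this example).
SAMPLE_LOG = """\
2015-05-12T08:01:02 host=web01 kind=backup_ok job=nightly
2015-05-12T08:02:10 host=web01 kind=login_fail user=bob
2015-05-12T08:02:12 host=web01 kind=login_fail user=bob
2015-05-12T08:02:15 host=web01 kind=login_fail user=bob
2015-05-12T08:03:00 host=db01 kind=login_fail user=alice
2015-05-12T08:05:40 host=db01 kind=av_disabled by=svc_backup
2015-05-12T08:06:01 host=fw01 kind=config_change ticket=none
2015-05-12T08:07:30 host=web02 kind=service_crash proc=httpd
"""

# ISO/IEC 27002 event types from the slide, keyed by the (assumed) event kinds.
ISO_CATEGORY = {
    "av_disabled": "a) ineffective security control",
    "config_change": "f) uncontrolled system change",
    "service_crash": "g) malfunction of software or hardware",
    "login_fail": "h) access violation",
}
LOGIN_FAIL_THRESHOLD = 3  # assumption: this many failures per user = Exception
RESPONSE = {"Information": "Log", "Warning": "Alert", "Exception": "Auto response"}


def parse(log: str) -> List[Dict[str, str]]:
    """First token is the timestamp, the rest are key=value fields."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = {"ts": ts}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def classify(ev: Dict[str, str], fails: Counter) -> str:
    """Filter step: Information, Warning or Exception (ITIL event management)."""
    kind = ev["kind"]
    if kind == "login_fail":
        repeated = fails[ev["user"]] >= LOGIN_FAIL_THRESHOLD
        return "Exception" if repeated else "Warning"
    if kind == "config_change" and ev.get("ticket", "none") != "none":
        return "Information"  # approved change: log it and move on
    if kind in ISO_CATEGORY:
        return "Exception"  # slide: malfunctions etc. are always reported
    return "Information"


def run_filter(log: str) -> Tuple[Counter, List[Dict[str, str]]]:
    """Return response counts and the security incidents to open (deduplicated)."""
    events = parse(log)
    fails = Counter(e["user"] for e in events if e["kind"] == "login_fail")
    responses: Counter = Counter()
    incidents, opened = [], set()
    for ev in events:
        level = classify(ev, fails)
        responses[RESPONSE[level]] += 1
        if level != "Exception":
            continue
        key = (ev["host"], ev["kind"], ev.get("user", ""))
        if key not in opened:  # one incident per host/kind/user, not per event
            opened.add(key)
            incidents.append({"host": ev["host"], "first_seen": ev["ts"],
                              "category": ISO_CATEGORY[ev["kind"]]})
    return responses, incidents
```

Calling `run_filter(SAMPLE_LOG)` on the constructed log yields one logged event, one alert and four incidents, with bob's three failures collapsed into a single access-violation incident.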


Page 12

Digital Forensics

Definition: Process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law) (1)

(1) McKemmish, D. Rodney. Computer and Intrusion Forensics, Artech House, USA, 2003: ”The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law)”

Slide diagram, phases: Identify, Preserve, Analyze, Present. Topics shown: data protection, data acquisition, imaging, extraction, normalization, reporting, network traffic analysis, log file analysis, digital forensic tools, time lines, anti-forensics, forensic chain of events, forensic chain of events: key elements, interrogation.


Incidents and crisis (slide diagram): Incident → Major incident → Disturbance → Disruption → Crisis. Handled by incident procedures, major incident procedures, continuity plans and recovery plans; external events feed into the chain. Scope: IT and digital assets (cyber security) versus the organisation as a whole (information security).


Page 13

Continuity planning

Slide diagram: organisation related continuity planning, IT related continuity planning, crisis management.

Cycle:
- Plan: identify and assess risks and assets, create detailed plans
- Implement: implement solutions, assign responsibilities and roles, test
- Follow up: verify if plans are effective/efficient, incident analysis
- Improve: processes, people, technology, partners

Dependencies to consider:
- IT operations internally: resources and key competence; internal SLA and OLA
- IT operations outsourced: analysis of your priority, ensure routes of information; SLA & penalties in contracts
- Cloud services: analysis of dependencies, identify routes of information; standard contracts and SLA

For all continuity planning: relevant and continuous communication to employees, customers and stakeholders!


Taking into account

Source: (1) ”CSX - Cyber Security Nexus – Cybersecurity Fundamentals” (ISACA, Study Guide 2015), (2) http://www.opscentre.com.au/blog/tag/maximum-tolerable-outage/

- RPO, Recovery point objective: determined based on the acceptable data loss in case of a disruption of operations (1)
- RTO, Recovery time objective: the amount of time allowed for the recovery of a business function or resource after a disaster occurs (1)
- MTO, Maximum tolerable outage: the maximum amount of time a system or resource can remain unavailable before its loss starts to have an unacceptable impact on the goals or the survival of an organisation (2)
- SDO, Service delivery objective: directly related to the business needs, it is the level of services to be reached during the alternate process mode until the normal situation is restored (1)
- BIA, Business impact analysis: evaluating the criticality and sensitivity of information assets (1)

Slide timeline labels: Disturbance → Disruption.
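The RPO, RTO and MTO definitions above applied to one outage timeline, as an added example that is not from the slides. The timestamps, the objective values and the three class labels ("within RTO", "RTO exceeded", "MTO exceeded") are constructed for illustration.

```python
from datetime import datetime
from typing import Dict, Union


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600


def assess_outage(last_backup: str, outage_start: str, restored: str,
                  rpo_hours: float, rto_hours: float,
                  mto_hours: float) -> Dict[str, Union[float, bool, str]]:
    """Compare data loss with RPO and downtime with RTO / MTO.

    Timestamps are ISO 8601 strings; objectives are given in hours.
    """
    t_backup, t_start, t_end = (datetime.fromisoformat(t)
                                for t in (last_backup, outage_start, restored))
    if not t_backup <= t_start <= t_end:
        raise ValueError("expected last_backup <= outage_start <= restored")
    if rto_hours > mto_hours:
        raise ValueError("RTO must not exceed MTO")
    data_loss = _hours(t_start, t_backup)  # work done since the last good copy
    downtime = _hours(t_end, t_start)      # time the function was unavailable
    if downtime <= rto_hours:
        outage_class = "within RTO"
    elif downtime <= mto_hours:
        outage_class = "RTO exceeded"      # recovered late, but survivable
    else:
        outage_class = "MTO exceeded"      # impact no longer acceptable
    return {"data_loss_hours": data_loss, "rpo_met": data_loss <= rpo_hours,
            "downtime_hours": downtime, "outage_class": outage_class}


# Constructed scenario: nightly backup at 02:00, ransomware takes the service
# down from 09:30 to 15:00; objectives are RPO 4 h, RTO 4 h, MTO 8 h.
RESULT = assess_outage("2015-05-12T02:00", "2015-05-12T09:30",
                       "2015-05-12T15:00", rpo_hours=4, rto_hours=4, mto_hours=8)
```

In the constructed scenario 7.5 hours of work are lost (RPO missed) and the 5.5-hour downtime falls between RTO and MTO, which is the disturbance-to-disruption region the slide marks on its timeline.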


Page 14

(Cyber security) strategy

Source: Cobit 5, Enabling processes

- Organisation: understand where the organisation is and its direction
- Current situation: assess current environment, capabilities and performance
- Target: define the target IT capability; do a gap analysis
- Plan: define a strategic plan and action plan
- Communication: communicate strategy and direction


Information security policy

The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to information security;
b) assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.

At a lower level, the information security policy should be supported by topic-specific policies.

Source: SS-ISO/IEC 27002:2014


Page 15

Policies structure

Source: SS-ISO/IEC 27002:2014

Organisational policy: information security policy.

Issue-specific policies (the slide groups them by focus: operations, technology, users): access control policy; mobile devices; teleworking; use of cryptographic controls; key management (cryptographic); clear desk and clear screen; personally identifiable information; restrictions on software installations and use; backup; supplier relationships; secure development; communications security; use of networks and network services; record retention; maintaining appropriate licence.


Operational procedures

- Vulnerability scanning: search for known vulnerabilities
- Penetration testing: identifying existing vulnerabilities and then using common exploit methods to:
  - Confirm exposures
  - Assess the level of effectiveness and quality of existing security controls
  - Identify how specific vulnerabilities expose IT resources and assets
  - Ensure compliance
- Systems monitoring: continual oversight over performance and events
- Security audits: 3rd party audit of products, processes, people and partners

Source: SS-ISO/IEC 27002:2014


Page 16

Last words to guide you

Security architecture
- Create an architecture with processes/procedures that will enable the organisation to prevent and/or minimize the impact from intrusion, errors and mistakes
- Requires skills in technology and process/procedures

Investigation readiness
- Create and maintain the capability to understand characteristics of suspicious activities, disruption and disturbances, to be able to act in an effective and efficient manner
- Requires interaction with legal and authorities


Cyber security crash course

Test – Cyber security crash course ‘15

Are you ready for the test?


Page 17

See you again: John Wallhoff (CISA, CISM, CISSP), management consultant / expert advisor in Fraud & Corruption – Analytics – Information & Cyber security – IT Service Management

Scillani Information AB, Ekgatan 6, SE 230 40 BARA, Sweden - Vestergade 16, DK 1456 COPENHAGEN, Denmark. E-mail: [email protected]. LinkedIn: http://www.linkedin.com/pub/john-wallhoff/1/48b/a69. Skype: john.wallhoff. Web: www.scillani.se. Mobile: +46 (0)707 743131. Phone: +46 (0)40 543131
