CYBERSECURITY - Best Practices, Concepts & Case Study (Mindmap)
1 | Page
A) Definition:
The Cybersecurity Domain is a collection of best practices, Technologies, Frameworks & Standards that protect an enterprise, organisation, Govt
entity, Military establishment or Individual user from global cyber threats (Identity Theft, Cybertheft, Cyber-ransom, Infrastructure damage)
that result in Financial, Economic, Copyright/Information, Personal identity or Infrastructure loss.
B) Well known Cybersecurity Risk Standards & Frameworks:
NIST Cybersecurity Framework
ISO 27001 (Information Security Management Framework)
ISACA COBIT5
NIST SP800-53
NIST SP800-30
ISA 62443
ISO 27005
C) Establishment and acceptance of the Cybersecurity Standards:
The Cybersecurity standards were first adopted in the Seoul (South Korea) Conference on Global Cybersecurity in 2013
D) Cybersecurity Tactics (Holistic View):
Manage physical access to IT Infrastructure
Manage sensitive documents and output Devices
Monitor the Infrastructure for security related Events
Protect against Malware (*** Most challenging and difficult aspect of Cybersecurity)
Manage Network and Connectivity security
Manage User Identity and logical access
E) Cybersecurity Lifecycle:
The Cybersecurity Lifecycle can be aptly described by Figure-1 below, which decomposes it into its various stages
CyberSecurity – Concepts & Best practices (MIND MAP)
Risk Actions: The most generally accepted Actions on Risk Management are (1) Risk Acceptance, (2) Risk Transfer, (3) Risk Avoidance and (4) Risk
Mitigation, depending on the Risk Appetite/Risk Tolerance threshold of an Organisation
Figure-1: Cyber security Lifecycle
(1) Identify Business outcomes
(2) Understand Vulnerabilities & Threats
(3) Create current profile
(4) Conduct Risk assessments
(5) Apply Controls
(6) Create Target profile
(7) Determine, analyze & prioritize gaps
(8) Implement plan
(9) Report to stakeholders
(10) Continuous monitoring
F) Threat to Cyberdefense: The damage caused by threats to Cyberdefense can be characterized by loss of “Confidentiality, Integrity or
availability (CIA)”, the basic model of Data Security as practiced in ISO27001/27002 and other globally accepted standards
G) Lockheed Martin - Hacker Kill Chain:
The Kill Chain methodology of the USA Aeronautics Major Lockheed Martin describes seven steps from reconnaissance through actions on the
objectives, and recommends that defenses be designed to align with each of the seven steps in the process:
1. Reconnaissance:
Finding the Host, Internet Website, Domain
Do IP Address Scan of the Business Domain
Do Port Scan of the Active hosts
Automated scanning by Botnets (Compromised Systems)
Locate Network Topology and identify potential access control Devices
Q) SANS – Top 20 Critical Security Controls: These are widely established critical controls for maintaining a healthy Network security posture
S.No  Critical Security Control                                Code No  National Security Agency Rank
1     Inventory of H/W Assets, Criticality & Location          CSC1     Very High
2     Inventory of S/W Assets, Criticality & Location          CSC2     Very High
3     Secure Configuration Servers                             CSC3     Very High
4     Vulnerability Assessment & Remediation                   CSC4     Very High
5     Malware Protection                                       CSC5     High/Medium
6     Application Security                                     CSC6     High
7     Wireless Device Control                                  CSC7     High
8     Data Recovery                                            CSC8     Medium
9     Security Skills Assessment                               CSC9     Medium
10    Secure Config Network                                    CSC10    High/Medium
11    Limit and Control Network Ports, Protocols & Services    CSC11    High/Medium
14    Maintain, Monitor and Analyze Audit Logs                 CSC14    Medium
15    “Need to know” Access                                    CSC15    Medium
16    Account Monitoring & Control                             CSC16    Medium
17    Data Loss Prevention (DLP)                               CSC17    Medium/Low
18    Incident Response Plan                                   CSC18    Medium
19    Secure Network Engineering (Secure Coding)               CSC19    Low
20    Penetration Testing & Red Team Exercises                 CSC20    Low
R) Incident Security Process: The critical Incident process/Types/Management is described by the following Mind map
S) Automated Network Discovery Mechanism for Cyberattack: These days professional Hackers, Malware developers and Cyber Criminals work in
tandem to develop automated Tools to initiate a Cyber Attack against the intended victim/host. The mechanism is to install a Remote Access
Trojan (RAT) on compromised systems (BOTNETS), which can number in the thousands, and then initiate the attack in phases. Figure-3 below
shows the concept
Key Components of a BOTNET Attack (Example BOTNET Attacks : ZEUS,CITADEL,GO ZEUS)
BOTNET Construction Kit
Command & Control Capability
Remote Access Trojan(RAT)
Custom developed Malware(Malicious Code) for the intended Victim/Host
T) Network Perimeter best Security practices: The below are the Network Perimeter Best Security practices which have matured through
cycles of Iterations subjected to critical Testing by Security Gurus & Consultants globally
Restrict use of administrative utilities (e.g. Microsoft Management Console)
Use a secure File permission system, i.e. the NTFS & UFS File Systems
Manage Users properly, especially the Admin Accounts on Unix & Windows machines
Perform effective Group Management for Admin, Print, Power, Server Operator & Normal Users in Windows 2000 O.S
Enforce a strong password policy and password aging for Users
Enable the Windows O.S and Unix O.S logging facility
Eliminate unnecessary Accounts (especially those of Employees who have left the Organisation)
Disable the Resource sharing service and remove hidden administrative shares – C$, ADMIN$, WIN NT$ in older versions of Windows O.S
Disable unneeded Services in Unix – Telnet, Finger, tftp, NTP (Network Time Protocol)
Applications should use the latest Security patches in the Production Environment
Enforce the use of NAT (Network Address Translation) & PAT (Port Address Translation) in the internal Network (Firewalls & Routers)
Enable DNS Spoofing and DoS Attack (Smurf & Direct Broadcast Attack) mitigation policies on Gateway Routers via ACL and Cisco IOS
Enforce the Industry Best practice of secure Application Coding to mitigate “Buffer Overflow” Vulnerabilities in Memory
Enforce a strong password policy, password aging and lockout policy for Application Databases (Oracle, Sybase)
Install the latest O.S and Application patches as soon as they are available from Vendors
Install the latest Security patches for Browsers, Flash Players and Microsoft Applications
Update the Anti-Virus & IDS/IPS/HIDS Signatures on a frequent basis
Update the Business Continuity/DR Plan and keep the latest backup of all critical Servers
Update and Install the latest Security patches for Application Gateways (Proxies), Web Filtering Devices and Firewalls
Check the Logs daily on Firewalls, IPS/IDS and HIDS for any Security Incident triggered by malicious Activity
Implement Industry Best practices to secure the Network (NIST Guidelines, SANS 20 Critical Security Controls, NSA Guidelines etc.)
Place the Mission Critical Web Servers (User Interface) on a Screened Subnet/DMZ and the backend Application Server & Oracle
Database Server in the internal Network
Change the Default Password of the SNMP Community string on Network Devices
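As an added illustration of how several of the checklist items above can be verified on a Unix host, the following Python script (written for this page; it is not the author's code) audits constructed sample inputs of the kind an administrator would collect: the list of listening ports, the contents of /etc/login.defs, the account list with last-login dates, and an snmpd.conf-style SNMP configuration. The thresholds (90-day password aging, 60-day stale-account cut-off) and the treatment of "public"/"private" as vendor-default community strings are assumptions of the example, not values from the mind map.

```python
"""Added example: a small host-hardening audit in the spirit of the perimeter
checklist.  Not the author's code; it does not query a live host.  The inputs
at the bottom are constructed samples (listening sockets, /etc/login.defs,
the account list, an SNMP config)."""
import re
from datetime import date

# Services the checklist says to disable on Unix hosts, keyed by well-known port
# (the example does not distinguish TCP from UDP).
UNNEEDED_SERVICES = {23: "telnet", 79: "finger", 69: "tftp", 123: "ntp"}
MAX_PASSWORD_AGE_DAYS = 90      # assumed policy value for PASS_MAX_DAYS
STALE_ACCOUNT_DAYS = 60         # assumed: unused longer than this => likely a leaver
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults that must be changed


def check_unneeded_services(listening_ports):
    """Return a finding for every listening port that belongs to an unneeded service."""
    return [f"unneeded service {UNNEEDED_SERVICES[p]} listening on port {p}"
            for p in sorted(listening_ports) if p in UNNEEDED_SERVICES]


def check_password_aging(login_defs_text):
    """Check PASS_MAX_DAYS in /etc/login.defs-style text against the policy."""
    m = re.search(r"^\s*PASS_MAX_DAYS\s+(\d+)", login_defs_text, re.MULTILINE)
    if m is None:
        return ["PASS_MAX_DAYS not set: password aging is not enforced"]
    days = int(m.group(1))
    if days > MAX_PASSWORD_AGE_DAYS:
        return [f"PASS_MAX_DAYS is {days}, policy requires <= {MAX_PASSWORD_AGE_DAYS}"]
    return []


def check_stale_accounts(accounts, today):
    """Flag enabled accounts whose last login is older than STALE_ACCOUNT_DAYS.

    accounts: iterable of (name, last_login_date, enabled_flag)."""
    findings = []
    for name, last_login, enabled in accounts:
        idle = (today - last_login).days
        if enabled and idle > STALE_ACCOUNT_DAYS:
            findings.append(f"account {name} enabled but unused for {idle} days")
    return findings


def check_snmp_community(snmp_config_text):
    """Flag default SNMP community strings in an snmpd.conf-style config."""
    findings = []
    pattern = r"^\s*(?:rocommunity|rwcommunity|community)\s+(\S+)"
    for m in re.finditer(pattern, snmp_config_text, re.MULTILINE):
        if m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string '{m.group(1)}' in use")
    return findings


def audit(listening_ports, login_defs_text, accounts, snmp_config_text, today):
    """Run all checks and return the combined list of findings (empty = compliant)."""
    return (check_unneeded_services(listening_ports)
            + check_password_aging(login_defs_text)
            + check_stale_accounts(accounts, today)
            + check_snmp_community(snmp_config_text))


# --- Constructed sample input (not collected from a real host) ---
SAMPLE_PORTS = [22, 23, 79, 443]
SAMPLE_LOGIN_DEFS = "PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\n"
SAMPLE_ACCOUNTS = [
    ("alice", date(2016, 5, 30), True),
    ("bob", date(2016, 1, 10), True),      # left the organisation, still enabled
    ("carol", date(2015, 12, 1), False),   # disabled, so not a finding
]
SAMPLE_SNMP = "rocommunity public 10.0.0.0/8\nrwcommunity S3cretStr1ng\n"
SAMPLE_DATE = date(2016, 6, 1)

if __name__ == "__main__":
    for finding in audit(SAMPLE_PORTS, SAMPLE_LOGIN_DEFS, SAMPLE_ACCOUNTS, SAMPLE_SNMP, SAMPLE_DATE):
        print("FINDING:", finding)
```

Run against the sample data it reports five findings: telnet and finger listening, an unlimited password age, the still-enabled account of a leaver, and the default "public" community string. Each check takes plain data, so the same functions can be fed real output parsed from a host.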
U) Network Perimeter Design for a Secure Network to mitigate Cyber attacks: Example Network (Case Study)
The above Diagram conceptualizes an ideal Scenario Network of a Corporate Organisation with multiple Entry & Exit points for the
Email, Web, Wireless and VPN Traffic. It shows the placement of the Intrusion Detection Devices (IDS) at multiple points to monitor both
the Internal and External Traffic for any Malicious Traffic in real Time. The Network is shown for Illustrative purposes only.
Design Features:
Border Router: A Gateway Router connects the network to the Internet and provides basic Filtering through ACL (Access Control Lists) on
Ingress & Egress Interfaces
Just behind the Gateway Router is a Stateful Inspection Firewall that enforces the majority of the access control of the network
Public services and private services have been separated by putting them on different network segments (DMZ, Corporate & Screened
Subnet)
Split DNS is being used: the public DNS Server provides Name resolution for public services only
Intrusion Detection Systems (IDS) are located on the public, private and network perimeter end points to watch for unusual activity
The Front end Application Web server is on the Screened Subnet and the backend Oracle DB Server is behind the Internal Firewall
Host based IDS (HIDS) complement the Network IDS by adding an additional layer of security and are placed on the individual mission critical
servers (Anti-Virus, Email Proxy, Web Proxy, Internal Email Server, Oracle DB Server) to monitor the system's network activity, log files, File
System Integrity and User actions. A host based IDS will also detect and generate an alarm when it detects escalation of privileges from a
Guest user to an Admin Account
Host based IDS can help detect attacks that use network IDS evasion techniques
Host based IDS is also useful for correlating attacks picked up by Network sensors
All security log entries are sent to the SIEM (Security Information and Event Monitoring System) for Data Analysis and Forensics. The
SIEM generates an Alert when suspicious activity is detected
For the Remote Office users all their Laptops are installed with Personal Firewalls to mitigate/detect Hacker entry through backdoor
channels
All configuration of security devices is performed from the management console
Additionally one can install TACACS and RADIUS Servers to monitor User access on the Gateway Router and other mission critical Servers
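To show what the HIDS privilege-escalation alarm and the SIEM correlation described above look like in practice, here is an added Python example (not from the mind map or from any IDS/SIEM product) that runs two rules over constructed syslog-style lines: a host rule that alerts when the guest account switches to root via su, and a correlation rule that raises a high-severity alert when a network-sensor alert and a host alert hit the same server within ten minutes. The log line layout, the host names, the "ALERT ... src= dst=" sensor message format and the year 2016 are all assumptions of the example.

```python
"""Added example (not the author's code): a toy SIEM pass over constructed
syslog-style lines.  Rule 1 is the host-based privilege-escalation alarm;
rule 2 correlates a network-sensor alert with a later host alert on the same
server.  The line formats below are simplified and chosen for the example."""
import re
from datetime import datetime, timedelta

# "Mon DD HH:MM:SS host program[pid]: message" (classic syslog layout, no year)
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$")
SU_RE = re.compile(r"\(to root\) (\w+) on")                 # su: (to root) guest on pts/0
NIDS_RE = re.compile(r"ALERT (.+?) src=(\S+) dst=(\S+)")    # constructed sensor format
NON_ADMIN_ACCOUNTS = {"guest"}      # accounts that must never become root
YEAR = 2016                         # syslog lines carry no year; assumed here


def parse_syslog(line):
    """Split one syslog line into (time, host, program, message); None if malformed."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_escalation(events):
    """Host-based rule: alert when a non-admin account switches to root."""
    alerts = []
    for ts, host, prog, msg in events:
        m = SU_RE.search(msg)
        if prog == "su" and m and m.group(1) in NON_ADMIN_ACCOUNTS:
            alerts.append({"time": ts, "host": host, "kind": "privilege_escalation",
                           "detail": f"{m.group(1)} became root"})
    return alerts


def detect_nids(events):
    """Network-sensor rule: turn ALERT lines into alert records keyed by the target host."""
    alerts = []
    for ts, host, prog, msg in events:
        m = NIDS_RE.search(msg)
        if m:
            alerts.append({"time": ts, "host": m.group(3), "kind": "nids",
                           "detail": f"{m.group(1)} from {m.group(2)}"})
    return alerts


def correlate(net_alerts, host_alerts, window=timedelta(minutes=10)):
    """Raise a high-severity alert when a host alert follows a NIDS alert on the same host."""
    out = []
    for n in net_alerts:
        for h in host_alerts:
            if h["host"] == n["host"] and timedelta(0) <= h["time"] - n["time"] <= window:
                out.append({"severity": "high", "host": h["host"],
                            "detail": f"{n['detail']} followed by {h['detail']}"})
    return out


def run_siem(lines):
    """Parse, apply both rules, correlate; returns (host_alerts, net_alerts, correlated)."""
    events = [e for e in (parse_syslog(line) for line in lines) if e]
    host_alerts = detect_escalation(events)
    net_alerts = detect_nids(events)
    return host_alerts, net_alerts, correlate(net_alerts, host_alerts)


# Constructed sample log lines (not captured from real systems).
SAMPLE_LINES = [
    "Jun  1 10:02:11 webproxy sshd[1201]: Accepted password for guest from 198.51.100.7 port 51022 ssh2",
    "Jun  1 10:02:30 nids snort[33]: ALERT suspicious ssh login burst src=198.51.100.7 dst=webproxy",
    "Jun  1 10:03:40 webproxy su: (to root) guest on pts/0",
    "Jun  1 10:05:02 mailproxy su: (to root) opsadmin on pts/1",     # admin account: no alarm
    "Jun  1 11:30:00 oracledb cron[77]: (root) CMD (/usr/local/bin/backup.sh)",
]

if __name__ == "__main__":
    for alert in sum(run_siem(SAMPLE_LINES), []):
        print(alert)
```

On the sample lines the guest-to-root switch on webproxy produces one host alarm, the sensor line produces one network alert for the same host, and because the two are 70 seconds apart the correlation step promotes them to a single high-severity alert; the opsadmin su and the cron line produce nothing.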
The sample Rule base configured on the Stateful Inspection Firewall can be as follows (Illustrative purpose only):
Rule No  Incoming Zone  Outgoing Zone    Source                Destination              Service          Action
1        Internet       Screened Subnet  Any                   App Web Server           HTTP,HTTPS       Allow
         Internet       Screened Subnet  Any                   Web Proxy                HTTP,HTTPS       Allow
2        Internet       DMZ              Any                   E-Commerce Server        HTTP,HTTPS       Allow
3        Internet       Screened Subnet  Any                   Email Proxy              SMTP             Allow
4        Internet       Screened Subnet  Any                   DNS Server               DNS              Allow
5        Internet       DMZ              Any                   E-Commerce Server        SSH              Allow
6        Internal       Screened Subnet  Internal Mail Server  MailRelay (Email Proxy)  SSH              Allow
7        Internal       DMZ              Order Server          E-Commerce Server        SSH              Allow
8        Internal       Internet         Internal Mail Server  Any                      SMTP             Allow
9        Internal       Internet         Internal DNS Server   Any                      DNS              Allow
10       Internal       Internet         Workstations          Any                      HTTP,HTTPS,FTP   Allow
11       Internal       Screened Subnet  Oracle DB Server      Application Web Server   HTTP,HTTPS,SSH   Allow
12       Internet       Screened Subnet  Norton.Com            Anti-Virus Server        FTP              Allow
13       All            Management       All Devices Group     SIEM Server              Syslog           Allow
14       Management     Any              Management Console    Security Devices Group   SSH,SRMC         Allow,Log
15       Management     Internet         Management Console    Snort.Org                HTTP,HTTPS       Allow
16       Any            Any              Any                   Any                      Any              Deny,Log
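The rule base above is easiest to reason about when it is evaluated the way a stateful firewall evaluates it: top to bottom, first match wins, and the final Any/Any rule catches everything else. The following Python code is an added example (not part of the mind map) that encodes the table's rows verbatim and evaluates constructed connection requests against them. Zone names, host labels and services are taken from the table; the membership of "All Devices Group" and "Security Devices Group", which the table names but does not list, is assumed here.

```python
"""Added example (not the author's code): first-match evaluation of the
illustrative stateful-firewall rule base.  Rows are copied from the table;
group memberships are assumed for the example."""
from dataclasses import dataclass

# Assumed membership of the two groups the table refers to.
GROUPS = {
    "All Devices Group": {"Border Router", "Stateful Firewall", "Web Proxy",
                          "Email Proxy", "Oracle DB Server", "NIDS Sensor"},
    "Security Devices Group": {"Border Router", "Stateful Firewall", "NIDS Sensor"},
}


@dataclass(frozen=True)
class Rule:
    no: int
    in_zone: str
    out_zone: str
    src: str
    dst: str
    services: frozenset   # service names; {"Any"} matches every service
    action: str           # "Allow" or "Deny"
    log: bool = False


def _rule(no, in_zone, out_zone, src, dst, services, action):
    """Build a Rule from the table's text; 'Allow,Log' / 'Deny,Log' set the log flag."""
    act, _, log = action.partition(",")
    return Rule(no, in_zone, out_zone, src, dst, frozenset(services.split(",")), act, log == "Log")


# The table lists the Web Proxy row under rule 1 without its own number.
RULE_BASE = [
    _rule(1, "Internet", "Screened Subnet", "Any", "App Web Server", "HTTP,HTTPS", "Allow"),
    _rule(1, "Internet", "Screened Subnet", "Any", "Web Proxy", "HTTP,HTTPS", "Allow"),
    _rule(2, "Internet", "DMZ", "Any", "E-Commerce Server", "HTTP,HTTPS", "Allow"),
    _rule(3, "Internet", "Screened Subnet", "Any", "Email Proxy", "SMTP", "Allow"),
    _rule(4, "Internet", "Screened Subnet", "Any", "DNS Server", "DNS", "Allow"),
    _rule(5, "Internet", "DMZ", "Any", "E-Commerce Server", "SSH", "Allow"),
    _rule(6, "Internal", "Screened Subnet", "Internal Mail Server", "MailRelay (Email Proxy)", "SSH", "Allow"),
    _rule(7, "Internal", "DMZ", "Order Server", "E-Commerce Server", "SSH", "Allow"),
    _rule(8, "Internal", "Internet", "Internal Mail Server", "Any", "SMTP", "Allow"),
    _rule(9, "Internal", "Internet", "Internal DNS Server", "Any", "DNS", "Allow"),
    _rule(10, "Internal", "Internet", "Workstations", "Any", "HTTP,HTTPS,FTP", "Allow"),
    _rule(11, "Internal", "Screened Subnet", "Oracle DB Server", "Application Web Server", "HTTP,HTTPS,SSH", "Allow"),
    _rule(12, "Internet", "Screened Subnet", "Norton.Com", "Anti-Virus Server", "FTP", "Allow"),
    _rule(13, "All", "Management", "All Devices Group", "SIEM Server", "Syslog", "Allow"),
    _rule(14, "Management", "Any", "Management Console", "Security Devices Group", "SSH,SRMC", "Allow,Log"),
    _rule(15, "Management", "Internet", "Management Console", "Snort.Org", "HTTP,HTTPS", "Allow"),
    _rule(16, "Any", "Any", "Any", "Any", "Any", "Deny,Log"),
]


def _match(field, value):
    """A rule field matches when it is a wildcard, equals the value, or names a group containing it."""
    return field in ("Any", "All") or field == value or value in GROUPS.get(field, ())


def evaluate(in_zone, out_zone, src, dst, service, rule_base=RULE_BASE):
    """Return (rule_no, action, log) of the first rule that matches, top to bottom."""
    for r in rule_base:
        if (_match(r.in_zone, in_zone) and _match(r.out_zone, out_zone)
                and _match(r.src, src) and _match(r.dst, dst)
                and ("Any" in r.services or service in r.services)):
            return r.no, r.action, r.log
    raise ValueError("no rule matched: the rule base must end with a catch-all deny")


def ends_with_catch_all(rule_base=RULE_BASE):
    """Sanity check: the last rule denies and logs everything, so nothing falls through."""
    last = rule_base[-1]
    return (all(f == "Any" for f in (last.in_zone, last.out_zone, last.src, last.dst))
            and last.services == frozenset({"Any"}) and last.action == "Deny" and last.log)


if __name__ == "__main__":
    # Constructed connection requests; the IPs are documentation addresses.
    for req in [("Internet", "Screened Subnet", "198.51.100.7", "App Web Server", "HTTPS"),
                ("Internet", "Screened Subnet", "198.51.100.7", "App Web Server", "SSH"),
                ("Internal", "Screened Subnet", "Oracle DB Server", "Application Web Server", "SSH"),
                ("Management", "Internal", "Management Console", "Border Router", "SSH")]:
        print(req, "->", evaluate(*req))
```

Running it shows, for instance, that SSH from the Internet to the App Web Server falls through every Allow rule to rule 16 and is denied and logged, while the same service from the Oracle DB Server matches rule 11, and a management SSH session to the Border Router is allowed and logged by rule 14 because the router is in the Security Devices Group.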
Conclusion Note:
The process of securing and building a perfect “Digital World” is an ongoing, continuous Journey, and with the ever changing Modus operandi
of the Hackers and the Cyber Criminals globally, we always have to be one step ahead in the race to protect our Digital
Assets, Intellectual property, Identity and Infrastructure. Thank You
Disclaimer Note: This is Copyright Material @Wajahat Iqbal (2016) and the Information shown is collected from Internet repositories and any
Typo, Error, Omission is regretted on behalf of Author.The Author does not hold any responsibility or Liability for the incorrectness of the
Information shared.This Mindmap Document can be shared/Printed/Distributed keeping in view that Credit is given rightly to the Author.