Cyril Onwubiko, Networking and Communications Group, http://ncg.kingston.ac.uk




Security Threats and Vulnerabilities

Threats and vulnerabilities in assets are the two most fundamental challenges. They are characterised as being:
- Unavoidable: present in most assets
- Evolving: freshly identified (day-zero attacks)
- Increasing: growing incidents, and an increased risk of network attack
- Addressed with technical models that are adopted without proper evaluation
- Poorly covered by existing classification models, which are not comprehensive
- High impact, leading to huge financial losses
- Costly, which is an issue for small to mid-size organisations

Threats Ranking

According to the CSI/FBI 11th Annual Computer Crime and Security Survey of 2006, the leading threats are:
- Deliberate software threats: viruses and worms
- Unauthorised access: growing incidents
- Theft of hardware: mobile devices and laptops
- Theft of proprietary information

Threats exploit vulnerabilities to harm systems:
- Code Red incident: exploited a buffer-overflow vulnerability in a Microsoft DLL to infect systems
- MSBlast, Slammer, Sasser: used as attack agents for DoS and DDoS

Comparison in Security Management
Faculty of Computing, Information Systems and Mathematics

Technical solutions direction:
- Use of security mechanisms without proper evaluation, e.g. firewalls, IDS, local virus detection
- Weakness: each organisation requires unique security measures, so different countermeasures may be required

Security concepts and relationships direction:
- A comprehensive framework for security evaluation
- Advantage: better requirements (able to identify valuable assets, vulnerabilities in classified assets, and threats) and adequate response (able to recommend multiple countermeasures across a network)
- This approach has been stipulated by the Common Criteria (CC), ISO/IEC 15408, but the CC model is limited in perspective

What is required is a security management framework for SMEs that assists in identifying:
- valuable assets of the SME
- vulnerabilities in classified assets
- threat agents that give rise to threats
- threats that exploit vulnerabilities
- associated risks due to threats and vulnerabilities
- an appropriate mix of countermeasures to threats and vulnerabilities

Proposal: Security Concepts and Relationships Framework

The framework diagram relates the seven concepts as follows:
- Owners value assets and wish to minimise risks
- Owners impose countermeasures to mitigate threats and vulnerabilities
- Owners must be aware of vulnerabilities
- Vulnerabilities exist in assets
- Threat agents give rise to threats, and wish to abuse and/or cause harm to assets
- Threats exploit vulnerabilities
- Threats and vulnerabilities increase the likelihood of risks
- Risks cause harm to assets

Framework Descriptors
- Owners: SMEs that own assets
- Assets: systems, infrastructures, programs, information, or data owned by SMEs
- Vulnerabilities: flaws in assets, or the absence of controls, that could lead to a security breach when exploited by threats
- Threat agents: entities with the capability to impose threats on assets
- Threats: entities that exploit vulnerabilities in assets to cause harm, or that predispose assets to harm
- Risks: the likelihood that assets may be compromised due to threats or vulnerabilities
- Countermeasures: preventive and mitigation controls

Asset Classification Model (3-tier)

Critical:
- Information classified as very sensitive and confidential
- Failures leading to huge financial losses
- Failure affects multiple parts of the network at the same time (a POP or multiple POPs)

Major:
- Information classified as confidential
- Failures leading to huge financial losses
- Failure affects part of the network

Minor:
- Information classified as personal
- Failures leading to minimal financial losses
- Failure affects a single user
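As an added example that is not part of the original slides, the following Python sketch models the framework's relationships (vulnerabilities exist in assets, threat agents give rise to threats, threats exploit vulnerabilities, countermeasures mitigate vulnerabilities) together with the 3-tier asset classification, and uses them to list the risks that no imposed countermeasure covers, ordered by asset tier. All names, the sample SME's assets, threats and countermeasures, and the worst-case rule for combining mixed classification criteria are assumptions made for illustration.

```python
"""Toy model of the Security Concepts & Relationships framework and the
3-tier asset classification model described in the slides.

Added example (not the author's code): all names, the rule for combining
mixed criteria, and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    MINOR = 1
    MAJOR = 2
    CRITICAL = 3


# Rank orderings for the three criteria of the 3-tier model.
SENSITIVITY = {"personal": 1, "confidential": 2, "very sensitive": 3}
FINANCIAL_LOSS = {"minimal": 1, "huge": 2}
FAILURE_SCOPE = {"single user": 1, "part of network": 2, "multiple POPs": 3}


def classify_asset(sensitivity: str, loss: str, scope: str) -> Tier:
    """Assign a tier. Assumption: an asset takes the worst of its three
    criteria, because the slide only describes the three 'pure' rows and
    not how to combine mixed ones."""
    return Tier(max(SENSITIVITY[sensitivity], FINANCIAL_LOSS[loss],
                    FAILURE_SCOPE[scope]))


@dataclass(frozen=True)
class Asset:
    name: str
    tier: Tier
    vulnerabilities: frozenset  # flaws or missing controls that exist in the asset


@dataclass(frozen=True)
class Threat:
    name: str
    agent: str                  # the threat agent that gives rise to the threat
    exploits: frozenset         # vulnerabilities the threat can exploit


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: frozenset        # vulnerabilities the control removes or contains


@dataclass(frozen=True)
class Risk:
    asset: str
    tier: Tier
    threat: str
    agent: str
    vulnerability: str


def enumerate_risks(assets, threats):
    """A risk exists wherever a threat exploits a vulnerability that exists
    in an asset (threat -> exploits -> vulnerability -> exists in -> asset)."""
    return [Risk(a.name, a.tier, t.name, t.agent, v)
            for a in assets
            for t in threats
            for v in sorted(a.vulnerabilities & t.exploits)]


def uncovered_risks(risks, countermeasures):
    """Risks whose vulnerability no imposed countermeasure mitigates."""
    covered = set().union(*(c.mitigates for c in countermeasures))
    return [r for r in risks if r.vulnerability not in covered]


def prioritise(risks):
    """Order by asset tier (critical first) so owners address their most
    valuable assets first; remaining ties are broken deterministically."""
    return sorted(risks, key=lambda r: (-r.tier, r.asset, r.threat, r.vulnerability))


# Constructed sample data for an imaginary SME.
ASSETS = [
    Asset("customer-db", classify_asset("very sensitive", "huge", "multiple POPs"),
          frozenset({"unpatched-rpc-service", "weak-passwords"})),
    Asset("staff-laptop", classify_asset("personal", "minimal", "single user"),
          frozenset({"weak-passwords"})),
]
THREATS = [
    Threat("computer worm", "deliberate software", frozenset({"unpatched-rpc-service"})),
    Threat("brute-force login", "external attacker", frozenset({"weak-passwords"})),
]
COUNTERMEASURES = [
    Countermeasure("patch management", frozenset({"unpatched-rpc-service"})),
]


def report():
    """Return (all risks, prioritised uncovered risks) for the sample SME."""
    risks = enumerate_risks(ASSETS, THREATS)
    return risks, prioritise(uncovered_risks(risks, COUNTERMEASURES))


if __name__ == "__main__":
    all_risks, gaps = report()
    print(f"{len(all_risks)} risks identified, {len(gaps)} without a countermeasure:")
    for r in gaps:
        print(f"  [{r.tier.name}] {r.asset}: {r.threat} ({r.agent}) via {r.vulnerability}")
```

For the sample SME the run identifies three risks, of which the two that rest on weak passwords have no countermeasure; the critical customer database is listed before the minor laptop, which is the ordering the asset classification is meant to drive.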

Threat Propagation Dynamics

Threat propagation is modelled against an attack timeline, F(t), with three phases:
- Initial phase: probing stage
- Second phase: penetration stage
- Last phase: perpetuation stage

Threat Propagation Descriptors

Probing stage:
- Reconnaissance: information gathering and network mapping
- Examples: port scan, social engineering deception

Penetration stage:
- Unauthorised access: the threat bypasses access control mechanisms to breach the system
- Denial of service: the threat does not require authorised access to invade the system
- Examples: brute force attacks, dictionary attacks, DoS and DDoS

Perpetuation stage:
- Disclosure of information and data: the threat intent is to breach the confidentiality of the system
- Manipulation of data: the intent is to alter assets
- Destruction of system: the intent is to destroy the asset
- Clean-up: the attacker removes traces of their footprint to prevent forensic investigation and litigation
- Examples: intrusions, deliberate software agents, rootkits

Threat Categories

There are two fundamental threat categories, natural phenomena and human action, which give five threat classes:
- Network error: software bugs and hardware caveats
- Deliberate software: viruses and worms
- Natural disasters: wildfire, flooding, earthquakes and tidal waves (tsunami)
- Cyber-threats: terrorism, political warfare
- Insider threats: disgruntled employee

Human-made faults are classified by category, motive, intent and capability:

Intentional
  Non-malicious
    Non-deliberate: accidental, incompetence
    Deliberate: accidental, incompetence
  Malicious
    Deliberate: N/A
Unintentional
  Non-malicious
    Non-deliberate: accidental, incompetence
    Deliberate: accidental, incompetence

Adapted from Avizienis et al., "Basic Concepts and Taxonomy of Dependable and Secure Computing", IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, January-March 2004, pp. 11-33.

Mapping the five threat classes onto this taxonomy:
- Network error: caused by unintentional, non-deliberate, non-malicious, accidental human actions. Example: faulty system designs
- Deliberate software: caused by intentional, malicious, deliberate human actions. Example: viruses and computer worms
- Natural disasters: caused by natural, accidental phenomena. Example: wildfire, flooding, earthquakes and tidal waves (tsunami)
- Cyber-threats: caused by intentional, malicious, deliberate human actions. Example: terrorism, political warfare
- Insider threats: caused by intentional, malicious, deliberate human actions. Example: disgruntled employee

Summary

Proposed is a process/model based approach to managing security for Small, Medium and Enterprise (SME) organisations. To mitigate vulnerabilities and threats, adequate countermeasures must be implemented, and adequate countermeasures are attainable only through models that assist in identifying what needs to be protected, what it should be protected against, and how best to protect it, including the associated risks. This in turn leads to recommending adequate responses. Most SMEs focus on technical controls without properly evaluating needs and requirements, which leads to implementing controls that are isolated, less efficient and uncoordinated.

http://ncg.kingston.ac.uk +44 (0)20 8547 2000