MIS Class 2. The Threat Environment

Similar documents
Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets

Dr. Stephanie Carter CISM, CISSP, CISA

New Guidance on Privacy Controls for the Federal Government

Advanced Security Tester Course Outline

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

NIST Security Certification and Accreditation Project

The Cyber Threat. Bob Gourley, Partner, Cognitio June 22, How we think. 1

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

A Passage to Penetration Testing!

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Security Management Models And Practices Feb 5, 2008

Security analysis and assessment of threats in European signalling systems?

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

TEL2813/IS2820 Security Management

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

MIS Week 9 Host Hardening

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

CYBER SECURITY AND MITIGATING RISKS

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Cybersecurity Today Avoid Becoming a News Headline

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Cyber Risk in the Marine Transportation System

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

IoT & SCADA Cyber Security Services

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

Building Secure Systems

Effective Strategies for Managing Cybersecurity Risks

Cyber Attacks & Breaches It s not if, it s When

INFORMATION ASSURANCE DIRECTORATE

Train as you Fight: Are you ready for the Red Team?

The Perfect Storm Cyber RDT&E

THE POWER OF TECH-SAVVY BOARDS:

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

IT SECURITY FOR NONPROFITS

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Compliance Audit Readiness. Bob Kral Tenable Network Security

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Designing and Building a Cybersecurity Program

Device Discovery for Vulnerability Assessment: Automating the Handoff

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Security Standards for Electric Market Participants

How to Create, Deploy, & Operate Secure IoT Applications

Mitigation Controls on. 13-Dec-16 1

Options for, and road map to, information security implementation in the registry system

CYBERSECURITY MATURITY ASSESSMENT

Risk-Based Cyber Security for the 21 st Century

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Software Architectural Risk Analysis (SARA): SSAI Roadmap

How Breaches Really Happen

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

A Practical Approach to Implement a Risk Based ISMS

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Cyber Security 2010 THE THREATS! THE FUTURE!

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Risk Assessment. The Heart of Information Security

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Cyber Criminal Methods & Prevention Techniques. By

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

Handbook Webinar

Defense in Depth Security in the Enterprise

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

MEETING ISO STANDARDS

Cyberspace : Privacy and Security Issues

Tool-Supported Cyber-Risk Assessment

Cyber savvy: Securing operational technology assets

Objectives of the Security Policy Project for the University of Cyprus

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Is Your Web Application Really Secure? Ken Graf, Watchfire

New! Checklist for HIPAA & HITECH Compliance Pabrai

Governance Ideas Exchange

10 FOCUS AREAS FOR BREACH PREVENTION

Perspectives on Threat

Express Monitoring 2019

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Ethical Hacking and Countermeasures: Attack Phases, Second Edition. Chapter 1 Introduction to Ethical Hacking

CSWAE Certified Secure Web Application Engineer

CITADEL INFORMATION GROUP, INC.

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Q&A TAKING ENTERPRISE SECURITY TO THE NEXT LEVEL. An interview with John Summers, Enterprise VP and GM, Akamai

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Business continuity management and cyber resiliency

10 Things Every Auditor Should Do Before Performing a Security Audit

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

Transcription:

MIS 5214 Class 2 The Threat Environment

Agenda In the News Models Risk Hackers Vulnerabilities Information System Categorization Risk Assessment Exercise Conceptual Modeling and Information Systems

In the News http://community.mis.temple.edu/mis5214sp2018online/in-the-news-7/#comments

What kind of information system models are you familiar with?

Models help us understand Information Systems and how to defend them Models are ways to describe reality Model quality depends on skill of model designers and qualities of the selected model Building blocks of models is a small collection of abstraction mechanisms Classification Aggregation Generalization Can you think of any others? Abstractions help the designer understand, classify, and model reality

What can you tell us about this model? From NIST 800-30r1 Guide for Conducting Risk Assessment p. 12

Taxonomy of threat sources NIST SP 800-30r1 Guide for Conducting Risk Assessments, page 66 Cybersecurity Awareness for GIS Professionals 7

Adversarial (i.e. purposeful) threat sources NIST SP 800-30r1 Guide for Conducting Risk Assessments, page 66 8

What type of Hacker are you? You need to decide if you re going to aspire to safeguarding the common good or settle for pettier goals. Do you want to be a mischievous, criminal hacker or a righteous, powerful defender? the best and most intelligent hackers work for the good side. They get to exercise their minds, grow intellectually, and not have to worry about being arrested. They get to work on the forefront of computer security, gain the admiration of their peers, further human advancement in the name of all that is good, and get well paid for it. Grimes, R. (2017), Hacking the Hacker, John Wiley and Sons

Most Hackers Aren t Geniuses readers often assume bad-guy hackers are super smart, because they appear to be practicing some advanced black magic that the rest of the world does not know. In the collective psyche of the world, it s as if malicious hacker and super-intelligence have to go together. A few are smart, most are average, and some aren t very bright at all, just like the rest of the world. Hackers simply know some facts and processes that other people don t, just like a carpenter, plumber, or electrician. Grimes, R. (2017), Hacking the Hacker, John Wiley and Sons

Defenders are Hackers Plus If we do an intellectual comparison alone, the defenders on average are smarter than the attackers. A defender has to know everything a malicious hacker does plus how to stop the attack. And that defense won t work unless it has almost no end-user involvement, works silently behind the scenes, and works perfectly (or almost perfectly) all the time. Show me a malicious hacker with a particular technique, and I ll show you more defenders that are smarter and better. It s just that the attacker usually gets more press. It s time for equal time for the defender! Grimes, R. (2017), Hacking the Hacker, John Wiley and Sons

Hackers are Special While not all are super-smart, they all share a few common traits: Broad intellectual curiosity Willingness to try things outside the given interface or boundary Not afraid to make their own way Usually they are life hackers: Hacking all sorts of things beyond computers Questioning the status quo and exploring all the time Most useful trait: Persistence Malicious hackers look for defensive weaknesses Both malicious hackers and defenders are looking for weaknesses, just from opposite sides of the system Both sides participate in an ongoing war with many battles, wins and losses. The most persistent side wins Grimes, R. (2017), Hacking the Hacker, John Wiley and Sons

Defenders must be perfect One mistake by the defender essentially renders the whole defense worthless every computer and software program must be patched, every configuration appropriately secure, and every end-user perfectly trained. Or at least that is the goal. The defender knows that applied defenses may not always work or be applied as instructed, so they create defense-in-depth layers. Grimes, R. (2017), Hacking the Hacker, John Wiley and Sons

The Secret to Hacking If there is a secret to how hackers hack, it s that there is no secret to how they hack. It s a process of learning the right methods and using the right tools for the job. There isn t even one way to do it. There is, however, a definitive set of steps that describe the larger, encompassing process Hacking Methodology Model 1. Information gathering 2. Penetration 3. Optional: Guaranteeing future easier access 4. Internal reconnaissance 5. Optional: Movement 6. Intended action execution 7. Optional: Covering Tracks Grimes, R. (2017), Hacking the Hacker, John Wiley and Sons

What is a Vulnerability? Any unaddressed susceptibility to a physical, technical or administrative information security threat

Vulnerabilities can be classified by asset class Physical examples Buildings in environmental hazard zones (e.g. low floor in flood zone) Unlocked and unprotected doors to data center Unreliable power sources Technical examples Hardware susceptibility to humidity, dust, soiling, unprotected storage Software insufficient testing, lack of audit trail, poor or missing user authentication and access control Data unencrypted transfer or storage, lack of backup Network Unprotected communication lines, insecure architecture Organizational examples Inadequate screening and recruiting process, lack of security awareness and training Lack of regular audits Lack of security and IT related business continuity plans http://www.infosightinc.com/collaterals/cva-pt_march2016.pdf

What is a Risk? A measure of threat Potential loss resulting from unauthorized: Access, use, disclosure Modification Disruption or destruction of an enterprises information Can be expresses in quantitative and qualitative terms

Steps in a risk assessment methodology 1. What are your business assets? 2. What possible threats put your business assets at risk? 3. Which vulnerabilities and weaknesses may allow a threat to exploit your assets? 4. For each threat, if it materialized, what would be the business impact on your assets?

Assessing risk quantitative method

Assessing risk qualitative method

FIPS 199: Risk assessment based on security objectives and impact ratings

What are the overall Impact ratings?

FIPS Pub 199 Standards for Security Categorization Low: Limited adverse effect Medium: Serious adverse effect High: Severe or catastrophic adverse effect Example with multiple information types: = MODERATE rating = LOW rating = MODERATE rating 23

What are the datasets overall impact ratings?

What is the overall Information System impact rating

Qualitative to quantitative transformation of ordinal risk measures into interval scale risk measures Requires the risk analyst to contribute additional information to move ordinal onto interval scale NIST SP 800-100 Information Security Handbook: A Guide for Managers, page 99 26

Class exercise groups

Determine numeric risk measures and sort asset types from highest to lowest risk

Hint:

Solution

Agenda In the News Models Risk Hackers Vulnerabilities Information System Categorization Risk Assessment Exercise Conceptual Modeling and Information Systems Information and Telecommunication Open Systems Interconnection Model

Models help us understand Information Systems and how to defend them Models are ways to describe reality Model quality depends on skill of model designers and qualities of the selected model Building blocks of models is a small collection of abstraction mechanisms Classification Aggregation Generalization Can you think of any others? Abstractions help the designer understand, classify, and model reality

Classification An abstraction used to define one concept as a class of real-world objects characterized by common properties Client Layer Classes of software types within an enterprise service oriented architecture Service Layer Database Layer

Aggregation An aggregation abstraction defines a new composite class from a set of other classes that represent it components Gateways COTS = Commercial Off The Shelf Custom Applications

Classification and Aggregation Are the two basic abstractions used for Building data structures within databases and conventional programming languages Building and organizing computational processes within applications Building and organizing applications within systems Building and organizing minor systems and applications within major systems

Information models from disparate business units

Generalization A generalization abstraction defines a subset relationship between elements of two more classes In generalization, all the abstractions defined for the generic class (super-class) are inherited by all the subset classes (sub-class) Data lineage metadata model

Software object generalization enables inheritance of common properties and methods

Data Lineage Metadata System

Agenda Models Risk Hackers Vulnerabilities Information System Categorization Risk Assessment Exercise Conceptual Modeling and Information Systems

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback