Apnic-Khnog - Day 1 Session 1 - Information Security Overview
KHNOG - APNIC
Daily Timings – Day 1
• Session 1 – 08:30-09:30 (GMT+7)
– Information Security Overview
– 15 minute break
• Session 2 – 09:45-10:45 (GMT+7)
– Security Frameworks and Other Tools
– 15 minute break
• Session 3 – 11:00-12:00 (GMT+7)
– Password Control – End-User Perspective
– Password Control – Secure Server-Side Storage
Introductions
• Jamie Gillespie
– [email protected]
– Security Specialist @ APNIC
– Community engagement, CERT building, InfoSec training, awareness
– Work history
• 8 years at AusCERT, Australia’s national CERT (at the time)
• Google
• Macquarie Telecom / Cloud Services
• before all that, a few roles at UUNET (a backbone ISP in Canada)
Introductions
• Minh Lay (Makito)
– [email protected]
– CTO @ Information Beam
– KHNOG Executive Committee Co-Chair
– 16 years experience in ISP and Telecom industry
– Areas of Expertise: BGP, MPLS, IPv6
Introductions
• Quick intro from the participants
– Name
– Where are you from?
– (optional) What do you want to get out of this course?
APNIC Academy – Free to the Public
ONLINE COURSES
https://academy.apnic.net
APNIC Academy – Free to the Public
New Course Catalogue Page
APNIC Policy Development Process
www.apnic.net/community/policy/participate
Next Conference
conference.apnic.net/54
Stay in Touch!
blog.apnic.net
apnic.net/social
Network & Information Security Training
Information Security
• Definition:
– the practice of preventing unauthorized access, use, disclosure,
disruption, modification, inspection, recording or destruction of
information
• The purpose of information security management is to ensure
business continuity and reduce business damage by preventing
and minimizing the impact of security incidents
– This is done through Prevention, Detection, and Recovery
• Information, IT, Internet, Cyber… it’s all Security
Security Breaches
Ref: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Shortened: https://goo.gl/P1279w
Security Breaches
• haveibeenpwned.com tracks accounts that have been compromised and released into the public
– 586 pwned websites
– 11,757,935,856 pwned accounts
– 114,343 pastes
– 222,768,386 paste accounts
Security Breaches
• zone-h.org/archive tracks and archives website defacements
Security Breaches
• Common vulnerabilities can lead to mass compromises
InfoSec Definitions
• Let’s start with definitions so we speak a common language
• Asset - what we are trying to protect
– The “information” part of “information security”
– Resources
• Physical – servers, routers, switches
• Virtual – CPU, memory, bandwidth, network connections
InfoSec Definitions
• Threat - a circumstance or event with the potential to negatively impact an asset
– Intentional
• Hacking, malware, DDoS, company insiders, theft
– Accidental
• Malfunction, user error
– Natural
• Natural disaster, earthquakes, storms/floods
InfoSec Definitions
• Vulnerability - weakness in an asset’s design or implementation
– Software bugs
• Most vulnerabilities you’ll hear of fall into this category: operating systems, applications, services
– Protocol “bugs” or design flaws
• SYN flood, predictable TCP sequence numbers, ASN.1, NTLM
– Misconfigurations
– Insecure authentication
• Weak passwords, lack of 2FA/MFA
– Unvalidated inputs
• SQL injection, Cross Site Scripting (XSS)
– Poor physical security
• Example on next slide…
InfoSec Definitions
The brazen airport computer theft that has Australia's anti-terror
fighters up in arms
By Philip Cornford
September 5, 2003
On the night of Wednesday, August 27, two men dressed as computer technicians and carrying
tool bags entered the cargo processing and intelligence centre at Sydney International Airport.
They presented themselves to the security desk as technicians sent by Electronic Data Systems,
the outsourced customs computer services provider which regularly sends people to work on
computers after normal office hours.
After supplying false names and signatures, they were given access to the top-security mainframe
room. They knew the room's location and no directions were needed.
Inside, they spent two hours disconnecting two computers, which they put on trolleys and wheeled
out of the room, past the security desk, into the lift and out of the building.
InfoSec Definitions
• Risk – the potential for loss or damage to an asset caused by a threat exploiting a vulnerability
InfoSec Definitions
Cyber risk is usually shown as:
RISK = THREAT X VULNERABILITY
30 = 5 X 6
InfoSec Definitions
Cyber risk can be more detailed by including the asset:
RISK = ASSET X THREAT X VULNERABILITY
60 = 2 X 5 X 6
300 = 10 X 5 X 6
InfoSec Definitions
RISK = ASSET (IMPACT) X THREAT (LIKELIHOOD) X VULNERABILITY
RISK = IMPACT X LIKELIHOOD (Threat x Vulnerability)
InfoSec Definitions
• Risk Matrix – used when performing risk assessments to define a level of risk
– Commonly used in real-world risk
[Figure: 5x5 risk matrix. Vertical axis: Likelihood (1 to 5); horizontal axis: Impact / Consequence (1 to 5). Cells are banded Low, Moderate and High from the bottom-left corner to the top-right corner.]
InfoSec Definitions
[Figure: the same risk matrix with its four corners labelled: High Likelihood & Low Impact (top left), High Likelihood & High Impact (top right), Low Likelihood & Low Impact (bottom left), Low Likelihood & High Impact (bottom right).]
InfoSec Definitions
• CVSS – Common Vulnerability Scoring System
– A system to translate the characteristics and impacts of a
vulnerability into a numerical score
– Interactive calculator is at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
• The Apache Struts vulnerability in 2017 scored a perfect 10
InfoSec Definitions
• Mitigate – to reduce the seriousness or severity
– This is done by applying security controls
– Controls can be classified by their time of impact:
• Preventative
• Detective
• Corrective
– or by the type of control:
• Legal and regulatory compliance
• Physical
• Technical
• Administrative / Procedural
Layering Security Controls
[Figure: grid of Type of Control against Time of Effectiveness (TIME axis: Preventative, Detective during an attack, Corrective). Each type of control has a control at each of the three times.]

TYPE            Preventative    Detective       Corrective
Physical        Physical        Physical        Physical
Technical       Technical       Technical       Technical
Administrative  Administrative  Administrative  Administrative
InfoSec Definitions
• Defence in Depth – the layering of security controls to
provide redundancy in case of a failure or vulnerability
– These commonly layer controls at different times and types (see prev)
– Sometimes referred to as a Castle Approach
Defence in Depth
InfoSec Definitions
• Defence In Depth
• Discuss: Imagine you had a bar of gold to protect
– What container would you put it in?
– What room would the container be in?
– What locks are on the doors?
– Where is the room located in the building?
– What cameras are watching the room and building?
– What humans are watching the cameras?
– Who will respond with force to a theft attempt?
– Bonus question: How much did all of this cost?
InfoSec Definitions
• Threat actor – a person trying to cause harm to your
system or network
– Commonly called an attacker or hacker, although the definition of a
hacker has changed over many years
– Also known as malicious actor
– Can be further broken down into categories such as:
• Opportunistic
• Hacktivists
• Cybercriminals (organized or not)
• Nation States / Government Sponsored
• Insiders (intentional or accidental)
Information Security Training
Threats and Countermeasures
• What is the CIA triangle / triad?
– Confidentiality – preventing unauthorized people or processes from
accessing the data
– Integrity - maintaining and assuring the accuracy and completeness
of data. Data cannot be modified in an unauthorized or undetected
manner.
– Availability – ensuring information is available when needed, within
expected bounds*
• Example: it is expected that tape backups will be slow to recover data
Threats and Countermeasures
• What is the CIA triangle / triad?
– Non-repudiation – a small extension of the “CIA triad”: the prevention of either the sender or receiver from denying that the message was sent or received.
– Safety – a critical component to ensure in systems such as autonomous vehicles
Threats and Countermeasures
• What are common attacks against CIA?
– Confidentiality is attacked through breaking layers of protection to
disclose information intended to be kept private.
• A server may be compromised to extract the database of personal information.
• Example: Ashley Madison is a cheating/dating site that had its customer
information very publicly exposed
• Sometimes the goal is password databases that can be decrypted and exposed
(see: haveibeenpwned.com)
Threats and Countermeasures
• What are common attacks against CIA?
– Integrity is attacked through modifying information, or modifying the
pointers to point to different information.
• A common example here is web site defacements, where the primary motivation for
the attacker is to change the homepage of a web site
(see: www.zone-h.org/archive)
Threats and Countermeasures
• What are common attacks against CIA?
– Availability is attacked through taking the system or service offline.
Threats and Countermeasures
Distributed Denial of Service (DDoS) attacks can be done in many ways:
– The network can be made unavailable by flooding the upstream connections with an excessive volume of data to fill the limited bandwidth. Attackers may also send an excessive number of small packets in order to fill up the router’s connection tables.
Threats and Countermeasures
Distributed Denial of Service (DDoS) attacks can be done in many ways:
– The server operating system can be made unavailable in the same way as the network attacks mentioned previously (exhausting bandwidth or connection tables).
This is common for single servers that have less bandwidth or local resources than the upstream connections.
Threats and Countermeasures
Distributed Denial of Service (DDoS) attacks can be done in many ways:
– Server software can be made unavailable by exhausting the server resources (CPU, RAM, connection tables) through sending either legitimate or forged excessive connections, by sending specially crafted packets to exploit vulnerabilities in the server software, or even by deleting (or ransomware-encrypting) data.
Threats and Countermeasures
• Through all the previous availability & DDoS scenarios, we
are assuming a remote attacker.
Other scenarios involve malicious insiders, accidents, and
forces of nature.
Threats and Countermeasures
• What are common defences for CIA?
– Confidentiality
• Access control, encryption
– Integrity
• Hashing, encryption, digital signatures
– Availability
• Redundancy, high-availability, patching, increasing resources, backups,
disaster recovery and business continuity plans (DR / BCP)
Any questions?