
Information Security Management
Presentation · May 2022
Lionel Pilorget, University of Applied Sciences and Arts Northwestern Switzerland
Publication page: www.researchgate.net/publication/360836533

All content following this page was uploaded by Lionel Pilorget on 25 May 2022.


Information Security Management (ISM)

April 13, 2022

Lionel Pilorget
Agenda

• Rationale for Information Security
• The psychology of hacking
• Attack techniques
• Main protections
• Norms and Standards
• Preparing the organization
Various interactions with external agents

Diagram: the company exchanges data, through various data transfer modes, with customers, contacts, vendors, partners, communities and public organisations.
Requirements for information and communication

• Accessibility
• Completeness
• Availability
• Response time
• Ease of use
• Privacy
• Compatibility

But…
Exercise
Define the key elements to be protected for the following organizations (one organization per group):

1. University (Group 1)
2. Bank (Group 2)
3. Hospital (Group 3)
4. Consultancy company (Group 4)
5. Movie producer (Group 5)
6. Pharma company (Group 6)
Why is cybersecurity a major issue?

"Cyber attacks are now the greatest operational risk to the financial system." (Mark Branson; original German: «Cyberangriffe sind inzwischen das grösste operationelle Risiko für das Finanzsystem»)

Source: www.finma.ch/de/dokumentation/dossier/dossier-cyberrisiken/
Cyber attack maps

Figure: screenshot of a live cyber attack map (not reproduced).

Source: threatmap.bitdefender.com
The Cyber Kill Chain

Two ways for attacker code to start running on a victim machine:

Exploit a vulnerability
• A malicious data file is processed by a legitimate application (for instance Acrobat Reader, Chrome…)
• It takes advantage of a vulnerability in the legitimate application which allows the attacker to run code
• It "tricks" the legitimate application into running the attacker's code
• Small payload

Execute malicious activities
• Malicious code is contained in an executable file
• It does not rely on any application vulnerability
• It already executes code and aims to control the machine
• Large payload
Identify the weaknesses
Exploit, identify the weaknesses and damage

Diagram: attackers (hackers, cyber attackers, black hats) bring server power, techniques, tools and knowledge to a four-step intrusion:

1/ Introduce an "exploit": identify the target and pair malicious code with an exploit to create a weapon
2/ Exploit vulnerabilities: obtain access to applications as if authorized
3/ Introduce a virus and deploy the attack: establish command and control
4/ Execute the virus and get critical assets: achieve the objectives of the intrusion (data copy, data destruction, ransom…)

Techniques shown: ROP (Return Oriented Programming), utilizing OS (Operating System) functions, batch files.
Critical assets shown: cryptographic keys, passwords/credentials, board papers, customer data, merger & acquisition information, account balances and positions.
Which attack techniques have you experienced?
Some statistics

Types of security event experienced (% of all businesses experiencing each type of security event; base: 5,274 respondents)

The proportion of businesses reporting that they experienced an attack rose significantly to 77% this year. In fact, all types of attack showed a significant increase.

• Viruses & malware: 49% (+11%)
• Inappropriate IT resource use by employees: 39%
• Physical loss of devices or media containing data: 33%
• Physical loss of mobile devices exposing the organization to risk: 32%
• Inappropriate sharing of data via mobile devices: 31%
• Targeted attacks: 27% (+6%)
• DDoS attacks: 25%
• Electronic leakage of data from internal systems: 25%
• Incidents involving non-computing, connected devices: 24%
• Incidents affecting third-party cloud services we use: 24%
• Incidents affecting suppliers that we share data with: 24%
• Incidents affecting IT infrastructure hosted by a…: 24%
• Incidents affecting virtualized environments: 24%

These incidents in particular saw a large increase. Related themes: staff, data protection, complexity, business continuity, mobile devices, cloud security & BPO.

Source: media.kasperskycontenthub.com
And the winner is…

What is a computer virus?
"Virus" is commonly used as a generic term for an unwanted program that spreads itself and causes damage on the infected computer. Strictly speaking, a computer virus requires a host program: it writes its own code into the host so that the virus code is executed first whenever the host runs.
Many viruses are written so that, once installed on a computer, they automatically send themselves to every address stored in the e-mail address book; through this snowball effect they spread at lightning speed.
Often the entire software of the infected computer has to be reinstalled to get rid of the virus. If entire companies are affected by such an incident, the damage can be extensive.

Different types of virus:
• File-infecting virus
• Ransomware
• Macro virus
• Browser hijacker
• Web scripting virus
• Boot sector virus
• Polymorphic virus
• Resident virus
• Multipartite virus
Computer worm
A computer worm is a standalone malware program that replicates itself in order to spread to other computers. Worms do not passively wait to be carried by a user to a new system, but actively try to penetrate new systems. They do so by exploiting security problems on the target system, especially in network services.
A helpful worm or anti-worm is a worm designed to do something that its author feels is helpful, though not necessarily with the permission of the executing computer's owner.

Source: en.wikipedia.org/wiki/Computer_worm
A Trojan horse

A Trojan horse is a destructive program that looks like a genuine application. One of its functions may be to execute a virus. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.

Trojans are often delivered as an authentic-looking attachment of a phishing e-mail, or as freeware and shareware downloaded from the Internet. The Trojan is introduced with a fake file name, often with a double extension, for example "suesse-katze.mp4.exe". Windows Explorer hides the final, known extension by default, so the file appears to be a video.

A Trojan only starts working once the user launches the program. From then on, the Trojan can install other software on the computer.
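A mail gateway or endpoint agent can catch the double-extension trick described above before a user sees the file. The check below is an added example, not code from the slides; the extension lists are assumptions, and it also handles the Unicode right-to-left override, which makes "invoice<U+202E>fdp.exe" render as "invoiceexe.pdf" while the operating system still treats it as an .exe.

```python
"""Check an attachment name for the double-extension trick and related name spoofing.
Added example (not from the slides); the extension lists are assumptions."""
from typing import List

# Extensions Windows treats as directly executable (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "jse", "wsf",
    "hta", "msi", "ps1", "lnk", "jar",
}
# Extensions a victim expects to be harmless media or documents (assumed list).
DECOY_EXTENSIONS = {
    "mp4", "avi", "mov", "jpg", "jpeg", "png", "gif", "pdf", "doc", "docx",
    "xls", "xlsx", "txt",
}
# Unicode bidirectional controls: "invoice\u202Efdp.exe" renders as "invoiceexe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def analyse_filename(name: str) -> List[str]:
    """Return the reasons the name looks deceptive; an empty list means none found."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi override character in name")
    # Strip the controls first: the OS uses the real last extension, not what is rendered.
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = [p.strip() for p in clean.lower().split(".")]
    if len(parts) >= 2:
        real_ext = parts[-1]
        if real_ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension .{real_ext}")
            if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
                reasons.append(f"double extension: .{parts[-2]} decoy before .{real_ext}")
    # Runs of spaces push the real extension out of view in narrow file dialogs.
    if "  " in clean:
        reasons.append("padding whitespace in name")
    return reasons


def is_suspicious(name: str) -> bool:
    return bool(analyse_filename(name))


if __name__ == "__main__":
    # Constructed sample names, not real attachments.
    for n in ["suesse-katze.mp4.exe", "report.pdf", "invoice\u202Efdp.exe",
              "holiday.jpg               .scr", "archive.tar.gz"]:
        print(repr(n), "->", analyse_filename(n) or "ok")
```

The decision is taken on the last extension after the bidi controls are removed, because that is the extension the operating system acts on; everything the user sees is only a rendering.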
Famous computer viruses

• Mydoom: spread by mass e-mailing. At one point, the Mydoom virus was responsible for 25% of all e-mails sent.
• Sobig
• Klez: infected about 7.2% of all computers in 2001 (7 million PCs).
• ILOVEYOU: sent copies of itself to every e-mail address in the infected machine's contact list (photo on the slide: Onel de Guzman and Reonel Ramones).
• WannaCry: takes over your computer and holds it hostage.
• Zeus: an online theft tool.

Source: www.hp.com/us-en/shop/tech-takes/top-ten-worst-computer-viruses-in-history
Phishing

Phishing is a variant of e-mail abuse. Phishing e-mails feign a reputable origin, e.g. a bank, the post office, DHL, etc., and ask the recipient to enter personal data, passwords, credit card numbers and PIN codes.
To do this, the recipient is either directed to a prepared website, or a corresponding form in the mail itself collects the data.

Example of a phishing e-mail:

This is to notify all Students, Staffs of University that we are validating active accounts.
Kindly confirm that your account is still in use by clicking the validation link below:

Validate Email Account

Sincerely

IT Help Desk

Office of Information Technology
Spam
Spam is a collective term for unsolicited advertising e-mails that are usually sent in bulk. Virus e-mails are also often disguised as spam, so careful handling of unknown e-mails is extremely important. According to various studies, each person with an e-mail account needs around 5 minutes per working day to delete unwanted e-mails. The productivity losses run into billions worldwide.
E-mail hoaxes
E-mail hoaxes (in German "Enten", i.e. canards) are messages that warn of imaginary viruses or dangers, or contain fake requests for help and the like. Most often, recipients of such e-mails are asked to forward the message to as many addressees as possible. This leads not only to the spread of misleading messages, but also to unnecessary load on the e-mail system.

Example:

Information Posted on Clinic's Letterhead is Internet Hoax

December 14, 2012
A sign in one of Memorial Physician Services' Jacksonville offices contained false information from a common internet hoax circulating on Facebook. The sign has been removed.

A photo taken of the sign, which was on MPS letterhead, has been widely circulated. The hoax claimed that a popular drug, referred to as "Strawberry Quick", was being targeted toward children. The hoax claimed the drug looked like "Pop Rocks" candy, was dark pink in color and has a strawberry scent.

Memorial Health System issued the following statement on its Facebook page: "To anyone who's seen a photo of a sign in one of our Memorial Physician Services' Clinics circulating on Facebook about 'strawberry quick' drugs being given to children – the message on the sign is an internet hoax and is not true. We are sorry for the inconvenience."

The website Snopes.com, which examines the validity of popular rumors and urban legends, confirms that the information is false. The website quoted an official with the U.S. Drug Enforcement Administration who said that "we checked with all of our labs, and there's nothing to it." The e-mail scare has been in circulation since around 2007.
E-mails getting into the wrong hands
Another problem is that e-mails may accidentally or intentionally reach the wrong recipient. Confidential data and information in the hands of unintended addressees can cause serious problems.

An e-mail is sent quickly: which situations could be risky?
Social Engineering

Social engineering is defined as "the deliberate manipulation of people rather than machines to circumvent a company's or consumer's security systems".
Social engineering can be done by phone, fax, e-mail, or even face-to-face.

This results in the following points of attack:

Types of information
Companies process a wide variety of types of information, depending on the industry and its classification (e.g. "Confidential"), which represents a high value for the company.
Typical examples of such information include:
• Financial data
• Personal data
• Research and development data
• Contracts

Potential for danger
A social engineer is always interested in a company's information, because it also represents value to third parties.
Social engineering methods
There are three different methods of social engineering with which attackers try to obtain information. Attackers always assume a false role and never reveal their actual identity.

Computer-based/online social engineering
Attackers use technical tools such as:
• Phishing: the sender of an e-mail pretends to be someone else in order to trick the recipient into performing an unintended action (e.g. entering passwords).
• SMiShing: same principle as above, but by means of SMS.
• Abusive/manipulated websites: websites that trick the victim into revealing confidential information or making pseudo purchases.

Human-based social engineering
Attackers obtain information by non-technical means, approaching people directly, for example through:
• Intimidation or making people feel guilty
• Influencing or persuading
• Exploiting a need for help
• Searching through waste paper and garbage ("dumpster diving")
• Obtaining unauthorized physical access by following an authorized person through a controlled door ("piggy-backing" or "tailgating")
• Surreptitious glances over another person's shoulder ("shoulder surfing")

Reverse social engineering
The attacker does not obtain the desired information directly from the victim, but gets the user to voluntarily and actively provide it. Example: the attacker introduces himself to the victim by phone as a new support employee and leaves his phone number for assistance. He then creates a problem and gets the victim to contact him instead of the relevant service desk.
Points of attack
Information carriers/technologies
Information carriers are generally considered to be anything that can be used to store and transmit information, e.g.:
• CD
• USB stick
• External hard disk
• Notebooks
• Smartphones

Places
Any place where people are present or where information carriers are stored represents a potential point of attack, depending on the situation.

Possible sources of danger
• Building entrance
• Reception
• Workplace
• Storage of waste
• Locations of printers, scanners, copiers
• Public transportation, restaurants, etc.
Purpose of social engineering
Social engineering serves various purposes, such as fraud, industrial espionage and identity theft, or obtaining authorization information, for example to take over a system or to compromise the availability of individual or multiple processes.

Danger potential
The information carriers themselves are of less interest to the social engineer than the persons who have access to them, i.e. who represent an interface to the information.

Another source of danger is the technology, with its corresponding vulnerabilities, which in turn can be exploited by hackers for an attack.
Who is Robin Sage?

The profile claimed:
• 25-year-old "cyber threat analyst" at the Naval Network Warfare Command (Virginia)
• MIT graduate
• 10 years of work experience

What the profile obtained from its new contacts:
• access to e-mail addresses and bank accounts
• the location of secret military units
• private documents for review
• offers to speak at several conferences

Robin Sage is a fictional American cyber threat analyst.

Source: en.wikipedia.org/wiki/Robin_Sage
Threat radar from Swisscom
Identification and record of potential threats

Figure: Swisscom threat radar. Threats are plotted by ring (observation, early detection, main topics, focal points) and by stage (challenges, today, trend). Threats shown: AI-based attacks, destabilising/centralisation, automatisation & scaling, increased complexity, political influence, targeted attacks, ransomware, digital identity, infrastructure integrity, quantum computing, big data analytics, 5G security, security job market, IoT devices, IoT-based DDoS, SCADA, subscriber compromisation, digitalisation, workplace heterogeneity, decentralised development, drones & robots, insider threat, device theft, infrastructure misconfiguration, blackout.

Source: Cyber crime: where the threat comes from | Swisscom
Best practices
Define the do's and don'ts for the following situations (one situation per group):

1. At the office (Group 1)
2. During a business trip (Group 2)
3. Visiting a provider (Group 3)
4. During an internal web call (Group 4)
5. During a public web conference (Group 5)
6. During a teleconsultation with a customer (Group 6)
How to protect?

Scope of IT security

Figure: scope of IT security (not reproduced).
Passwords

• Always use different passwords for private and business use.
• Always use a different password for each service.
• Good passwords are easy to remember but difficult to guess.
• Passwords should be as strong as the value of what they protect requires.
• Choose two-factor authentication for Internet services wherever possible.

Source: www.mcafee.com/blogs/enterprise/cloud-security/how-to-create-a-strong-password-you-actually-remember/
Two-factor authentication (2FA)
2FA is a method in which a user is granted access to a website or application only after successfully presenting two pieces of evidence (or factors) to an authentication mechanism. The two factors should come from different categories (something you know, something you have, something you are), so that stealing one of them, typically the password, is not enough.
2FA example for mobile banking

1. The user logs in with the mobile app.
2. The mobile app sends the login data to the server.
3. The server requests the 2FA backend to send a confirmation message to the user.
4. The 2FA backend sends a message (e.g. a push notification) back to the mobile app. Only registered devices can be used.
5. Face recognition identifies the user on the device.
6. The mobile app signs the response and sends it to the backend.
7. The backend verifies the signed response from the mobile app via the 2FA service; the user is identified.
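The backend side of steps 3 to 7, as an added example that is not the bank's or the slide's code. It assumes that each registered device holds a secret key shared with the 2FA backend at enrolment and signs the backend's challenge with HMAC-SHA256 once local face recognition has passed. Real deployments bind a per-device asymmetric key to a secure element; HMAC is used here so the example runs with the standard library alone. The example goes slightly beyond the slide by showing what the backend rejects: an unregistered device, a replayed response, an expired challenge and a forged signature.

```python
"""Challenge/response half of the mobile-banking 2FA flow. Added example, not the
bank's code; per-device HMAC keys and the 60 s challenge lifetime are assumptions."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60   # assumed lifetime of a push challenge


def sign_challenge(shared_key: bytes, device_id: str, challenge: str) -> str:
    """Steps 5-6 on the device: after face recognition passes, sign the challenge
    bound to the device id so a signature cannot be replayed from another device."""
    msg = f"{device_id}|{challenge}".encode()
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()


class TwoFactorBackend:
    def __init__(self):
        self._devices = {}   # device_id -> (user, shared_key), filled at enrolment
        self._pending = {}   # challenge -> (user, device_id, expires_at)

    def register_device(self, user: str, device_id: str, shared_key: bytes) -> None:
        """Enrolment: only devices registered here are ever sent a challenge."""
        self._devices[device_id] = (user, shared_key)

    def issue_challenge(self, user: str, device_id: str, now=None):
        """Steps 3-4: after the primary login succeeded, push a fresh random challenge
        to the device registered for this user. Returns None for unknown pairs."""
        now = time.time() if now is None else now
        entry = self._devices.get(device_id)
        if entry is None or entry[0] != user:
            return None
        challenge = secrets.token_hex(32)
        self._pending[challenge] = (user, device_id, now + CHALLENGE_TTL_SECONDS)
        return challenge

    def verify_response(self, device_id: str, challenge: str, signature: str, now=None) -> bool:
        """Step 7: accept only a fresh, unused challenge signed with the registered key."""
        now = time.time() if now is None else now
        pending = self._pending.pop(challenge, None)   # pop makes every challenge single-use
        if pending is None:
            return False
        _, expected_device, expires_at = pending
        if device_id != expected_device or now > expires_at:
            return False
        _, key = self._devices[device_id]
        expected = sign_challenge(key, device_id, challenge)
        return hmac.compare_digest(expected, signature)


def demo_login():
    """Good login, then a replay of the same response, then an unregistered device."""
    key = secrets.token_bytes(32)   # constructed: provisioned to the phone at enrolment
    backend = TwoFactorBackend()
    backend.register_device("alice", "phone-1", key)
    challenge = backend.issue_challenge("alice", "phone-1")
    sig = sign_challenge(key, "phone-1", challenge)
    ok = backend.verify_response("phone-1", challenge, sig)
    replay = backend.verify_response("phone-1", challenge, sig)
    unregistered = backend.issue_challenge("alice", "phone-2")
    return ok, replay, unregistered


if __name__ == "__main__":
    print(demo_login())   # (True, False, None)
```

The challenge is popped from the pending table before any other check, so a captured response is worthless after its first use, and the signature covers the device id, so a response signed by one enrolled phone cannot be submitted on behalf of another.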
Antivirus

Viruses are usually spread unintentionally and unnoticed.

How should you protect yourself?
• Open attachments only if there are no doubts about the business purpose and the sender.
• Do not open any unknown or unsolicited files or programs. Also be suspicious if the e-mail content from a known sender is atypical, e.g. written in a language that is unusual for the sender.
• Never reply to suspicious e-mails. Also, never click on suspicious links built into e-mails.

Antivirus software works by scanning incoming files or code passing through your network traffic. As files, programs and applications flow in and out of your computer, the antivirus compares them to its database of known signatures to find matches. Because a signature can only match malware that has already been catalogued, current products add heuristic and behavioural analysis, and a sandbox (next slide) for what the database does not recognise.

Source: www.soscanhelp.com/blog/how-does-antivirus-work
Sandboxes
Sandboxing techniques and tools allow suspicious software and files to be checked in an isolated environment, a so-called sandbox.

Diagram: a file uploaded from the web, or an e-mail arriving from the Internet, passes through the Demilitarized Zone (DMZ) (web front end, secure mail relay), where a sandbox executes it before it is forwarded to the corporate network (corporate data center, Exchange server, user).
Firewalls
A firewall is a kind of filter between the computer and the Internet, or any other network, that secures an environment against unauthorized access.
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.

Diagram: LAN (Local Area Network) | Firewall | WAN (Wide Area Network) / Internet

Two ways to write the rule set:
• White listing (allow list): traffic is permitted only with explicitly identified entities; everything else is blocked by default.
• Black listing (block list): traffic with listed entities is blocked; everything else is permitted by default.

Source: www.cisco.com/c/en_uk/products/security/firewalls/what-is-a-firewall.html
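The difference between the two rule-set styles is easiest to see on the same traffic. The evaluator below is an added example, not Cisco's or the slide's configuration; the rules, addresses and flows are constructed, and each rule is a triple of action, source network and destination port (None for any port), evaluated first-match with a policy default when nothing matches.

```python
"""Allow-list (default deny) versus block-list (default allow) rule evaluation.
Added example; rules, networks and flows below are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str, Optional[int]]   # ("allow" | "deny", "10.0.0.0/8", 443 or None)


def evaluate(rules: List[Rule], default: str, src_ip: str, dst_port: int) -> str:
    """First matching rule wins; if nothing matches, the policy's default applies."""
    src = ipaddress.ip_address(src_ip)
    for action, network, port in rules:
        if src in ipaddress.ip_network(network) and (port is None or port == dst_port):
            return action
    return default


# Block list: only what someone already knows to be bad is stopped.
BLOCKLIST_POLICY = ([("deny", "203.0.113.0/24", None)], "allow")

# Allow list: only identified partners on the expected ports get through.
ALLOWLIST_POLICY = ([("allow", "192.0.2.0/24", 443),     # partner web access
                     ("allow", "10.0.0.0/8", 22)],       # internal admin SSH
                    "deny")


def compare(src_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (block-list decision, allow-list decision) for one flow."""
    return (evaluate(*BLOCKLIST_POLICY, src_ip, dst_port),
            evaluate(*ALLOWLIST_POLICY, src_ip, dst_port))


if __name__ == "__main__":
    # Constructed flows: partner on 443, partner on RDP, unknown host on SSH, listed bad host.
    for flow in [("192.0.2.10", 443), ("192.0.2.10", 3389),
                 ("198.51.100.7", 22), ("203.0.113.5", 80)]:
        print(flow, "block-list/allow-list ->", compare(*flow))
```

The unknown host probing SSH from 198.51.100.7 is the case that matters: the block list lets it through because nobody has listed it yet, while the allow list stops it without anyone having to know about it in advance.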
Encryption
Confidential data sent to external parties must be protected.
Encryption encodes data so that it can be read only by the intended receiver and not by a third party: an algorithm with a key is used to scramble (encrypt) the data, and the same algorithm is run in reverse with the matching key to unscramble (decrypt) it.

Various types of cryptographic systems exist, with different strengths and weaknesses. Typically they are divided into two classes: asymmetric algorithms, which solve the key-distribution problem but are slow, and symmetric algorithms, which are fast but require a previously shared key. Most often the two are combined: an asymmetric algorithm protects the exchange of a symmetric key, and the symmetric key encrypts the bulk of the data.

Symmetric cryptography
Symmetric cryptography is the most traditional form of cryptography. In a symmetric cryptosystem the involved parties share a common secret (password, passphrase or key). Data is encrypted and decrypted using the same key. These algorithms tend to be comparatively fast, but they cannot be used unless the involved parties have already exchanged keys.

Asymmetric cryptography (also called public/private key cryptography)
Asymmetric algorithms use a pair of keys, generated together and mathematically linked: what one key encrypts, only the other key can decrypt. One is labeled the public key and is distributed freely. The other is labeled the private key and must be kept secret.

Source: wiki.owasp.org/index.php/Guide_to_Cryptography#Cryptographic_Algorithms
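The shared-secret model in practice, as an added illustration that is not from the OWASP guide: both sides derive the same keys from the common secret, and the message is rejected if it was altered in transit or if the wrong secret is used. To stay with the standard library, the keystream is produced by HMAC-SHA256 in counter mode and integrity comes from a second HMAC over the ciphertext (encrypt-then-MAC). This is a sound construction for demonstration, but production code should use AES-GCM or ChaCha20-Poly1305 from a vetted library; the salt, nonce and tag sizes below are assumptions.

```python
"""Symmetric, authenticated encryption under a shared secret (added example, not from
the slides). HMAC-SHA256 in counter mode as the keystream, encrypt-then-MAC for integrity."""
import hashlib
import hmac
import secrets


def derive_keys(passphrase: bytes, salt: bytes):
    """Turn the shared secret into two independent keys: one for encryption, one for the MAC."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(key, nonce || i). Never reuse a nonce with a key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    """Output layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on tampering or a wrong key."""
    if len(blob) < 64:
        raise ValueError("message too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper_detected(passphrase: bytes, blob: bytes) -> bool:
    """Flip one bit of the ciphertext and report whether decrypt() rejects the result."""
    corrupted = bytearray(blob)
    corrupted[32] ^= 0x01
    try:
        decrypt(passphrase, bytes(corrupted))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    secret = b"correct horse battery staple"          # constructed shared secret
    blob = encrypt(secret, b"Confidential: board papers for the M&A decision")
    print(decrypt(secret, blob))
    print("tamper detected:", tamper_detected(secret, blob))
```

Two details carry the security here: a fresh salt and nonce per message, so the same plaintext never produces the same ciphertext twice, and verification of the tag before decryption, so a modified or forged message is discarded without ever being processed.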
Is it enough?
What is cybersecurity?

Cybersecurity refers to the practice of safeguarding systems, computers and data from digital attacks. These attacks often involve attempts to breach, modify or damage the target's computer system, resulting in interruption or downtime of services, theft of confidential or proprietary data and exposure of personal information.
Source: techbootcamps.utexas.edu/blog/the-beginners-guide-to-cybersecurity/

Cyber attacks are unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.
Criminal organizations, state actors and private persons can launch cyber attacks against enterprises. One way to classify cyber attack risks is by outsider versus insider threats.
Source: www.ibm.com/topics/cyber-attack
Cybersecurity threats

Figure: overview of cybersecurity threat categories (not reproduced).

Source: techbootcamps.utexas.edu/blog/the-beginners-guide-to-cybersecurity/
Build cyber resilience
"Cyber attacks are like radioactivity" (original German: "Cyber-Attacken sind wie Radioaktivität")

Source: Münchner Cyber Dialog 2016

Source: www.wired-gov.net/wg/news.nsf/articles/Cyber+resilience+How+important+is+your+reputation+How+effective+are+your+people+03082016161500?open
Detect and prevent

Detect
• Define use cases for detecting anomalies
• Apply detection rules to find anomalies in systems or running processes
• Manage the resulting alerts

Prevent
• Apply vulnerability management
• Patch servers
• Use collective experience (for instance, verify a new software package in a sandbox before its first execution)
• Whitelisting and blacklisting
Security information and event management
Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).

Source: www.gartner.com/en/information-technology/glossary/security-information-and-event-management-siem

A SIEM comes in three basic types:
• In-house SIEM
• Cloud-based SIEM
• Managed SIEM
SIEM functionalities

Figure: overview of SIEM functionalities (not reproduced).
Example of a SIEM use case
Successful host login after brute-force attempts from a single source
The rule triggers if, after at least 10 failed login attempts, there is a successful one from the same source.

Signature IDs used in the rule

Description in the SIEM

This rule detects a successful login after brute-force login attempts on a local host from a single source IP address.

Brute force is a common attack method to "guess" login credentials. The attacker automates a process that sends login requests using a long list of common and inferred usernames and passwords. The attacker enumerates each possibility, running the process until a match is found and access is granted. It is a rapid-fire process, sometimes sending hundreds or thousands of requests per second. In this case, a brute-force login attempt on a host was detected, followed by a successful login from the same source IP address.

Possible action:
Immediately block access to the account and system, and notify the authorized user whom to contact to restore their credentials and reset their password. Review your security policy's maximum number of failed login attempts before a user is locked out of the accessed system, revising it if necessary. Investigate the characteristics of the attack so that similar ones can be prevented in the future.
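The detection logic of this use case, run over sample log lines, as an added example that is not the SIEM vendor's rule. It assumes sshd-style log lines prefixed with a Unix timestamp and host name (the lines below are constructed), keys the failure count on the (host, source IP) pair, and forgets failures older than a 600-second window, an assumed parameter the slide does not state.

```python
"""Successful login after >= 10 failures from one source IP (added example).
Log format and the 600 s window are assumptions; the sample lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

FAILED_THRESHOLD = 10
WINDOW_SECONDS = 600   # failures older than this no longer count toward the burst

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def detect_bruteforce_success(lines: List[str]) -> List[Dict]:
    """Return one alert per (host, source IP) whose successful login follows
    FAILED_THRESHOLD or more failures within WINDOW_SECONDS."""
    failures = defaultdict(list)   # (host, src) -> timestamps of failed logins
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a login event; a real SIEM would parse other sources
        ts = int(m["ts"])
        key = (m["host"], m["src"])
        # Drop failures that have aged out of the window before counting.
        failures[key] = [t for t in failures[key] if ts - t <= WINDOW_SECONDS]
        if m["result"] == "Failed":
            failures[key].append(ts)
        elif len(failures[key]) >= FAILED_THRESHOLD:
            alerts.append({"host": m["host"], "src": m["src"], "user": m["user"],
                           "failed_attempts": len(failures[key]), "at": ts})
            failures[key].clear()    # one alert per burst, not one per later success
    return alerts


def sample_log() -> List[str]:
    """Constructed log: 12 failures then a success from 198.51.100.7 (should alert),
    3 failures then a success from 10.0.0.5 (a user mistyping, should not)."""
    lines = []
    for i in range(12):
        lines.append(f"{1000 + i} web01 sshd[4242]: Failed password for invalid user "
                     f"admin{i} from 198.51.100.7 port 5000{i % 10} ssh2")
    lines.append("1015 web01 sshd[4242]: Accepted password for svc_backup "
                 "from 198.51.100.7 port 50012 ssh2")
    for i in range(3):
        lines.append(f"{1020 + i} web01 sshd[4243]: Failed password for alice "
                     f"from 10.0.0.5 port 40000 ssh2")
    lines.append("1025 web01 sshd[4243]: Accepted password for alice from 10.0.0.5 port 40001 ssh2")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce_success(sample_log()):
        print("ALERT", alert)
```

Keying on the source IP rather than on the user name is what makes the rule match the attack pattern: a password-spraying run cycles through many user names from one address, and the account that finally succeeds is usually not one of the names that failed.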
Vulnerability management
Vulnerability management is the process of identifying, evaluating, treating and reporting on security vulnerabilities in systems and the software that runs on them. Implemented alongside other security tactics, it is vital for organizations to prioritize possible threats and minimize their "attack surface".
Scanners rely on declared and constantly updated lists of recognized vulnerabilities.

Source: www.rapid7.com/fundamentals/vulnerability-management-and-scanning/
Types of vulnerability scanners

• Network-based scans: identify possible network security attacks and vulnerable systems on networks.
• Host-based scans: find vulnerabilities in workstations, servers or other network hosts, and provide visibility into configuration settings and patch history.
• Wireless scans: identify rogue access points and validate that a company's network is securely configured.
• Application scans: detect known software vulnerabilities and misconfigurations in network or web apps.
• Database scans: identify weak points in a database.

Source: www.balbix.com/insights/what-to-know-about-vulnerability-scanning-and-tools/
Number of vulnerabilities and exposures over time

Figure: number of published CVEs per year (not reproduced).

Source: www.cvedetails.com
Main known vulnerabilities

Figure: top vulnerabilities by CVSS score (not reproduced).

CVSS: Common Vulnerability Scoring System
See: www.first.org/cvss/calculator/3.1

Source: www.cvedetails.com
Use of vulnerability management services

Flowchart: a new piece of software is hashed and the hash is looked up. If the hash is already known and classified as malware, execution is blocked by the protection rules; if it is known and clean, execution is allowed. If the hash is unknown and the file is an executable, it is uploaded for dynamic analysis; if the analysis finds malware, the protection rules are updated and execution is blocked, otherwise execution is allowed.
Methods to exploit vulnerabilities
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

Enterprise tactics shown on the slide: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control.

Source: attack.mitre.org/matrices/enterprise/
Zero Trust Access (ZTA)
Never trust, always verify

Diagram: user identities and machine identities authenticate against an authentication/SSO service; authorisation policies decide what each identity may access; cloud services are reached over TLS within a trust relationship with that service.

SSO: Single Sign-On
TLS: Transport Layer Security

Source: Network architectures - NCSC.GOV.UK
SASE
SASE = Secure Access Service Edge
Secure access service edge (SASE) is a term coined by the analyst firm Gartner. SASE was promoted for security in wide area networks (WANs): networking and security functions are delivered together as a cloud computing service directly at the source of the connection (user, device, branch office, Internet of Things (IoT) device or edge computing location) rather than at a data center.

Source: en.wikipedia.org/wiki/Secure_access_service_edge#cite_note-:0-2
Recognized frameworks

ISO 27000 series (ISO)
• Description: globally recognized standards for information security management, with a focus on governance, processes and controls.
• Applicability: guideline and basis for the ISMS (information security management system), to ensure governance.

NIST Cybersecurity Framework (CSF)
• Description: framework for improving the cybersecurity infrastructure; basis of the FINMA requirements for cybersecurity.
• Applicability: reference work for the definition of concrete security requirements for IT, complementary to ISO 27000; ensuring secure IT operations and identifying gaps.

CIS Critical Security Controls (CSC)
• Description: catalogue of specific measures and controls, similar to an implementation manual for the NIST CSF.
• Applicability: external reference for concrete improvement measures and closing gaps.
Content of the ISO 27002 standard

Figure: structure of ISO/IEC 27002 (not reproduced).

Source: www.iso27001security.com/html/27002.html
Norms and standards
ISMS supporting guidelines and code of practice
• ISO/IEC 27002: Code of practice for information security management
• ISO/IEC 27003: ISMS implementation guidelines
• ISO/IEC 27004: Information security management measurements
• ISO/IEC 27005: Information security risk management
ISMS accredited certification and auditing standards
• ISO/IEC 27006: International accreditation guidelines for the accreditation of bodies operating certification/registration of information security management systems
• ISO/IEC 27007: Guidelines for information security management systems auditing
• ISO/IEC 27008: Guidelines for auditors on ISMS controls
• ISO/IEC 27009: Sector-specific application of ISO/IEC 27001: requirements
• ISO/IEC 27021: Competence requirements for information security management professionals
ISMS sector specific
• ISO/IEC 27010: Information security management for intersector and interorganisational communications
• ISO/IEC 27011: Information security management guidelines for telecommunications organisations based on ISO/IEC 27002
• ISO/IEC 27013: Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO/IEC 27015: Information security management guidelines for financial services
• ISO/IEC 27017: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002

Source: Edward Humphreys, Implementing the ISO/IEC 27001 ISMS Standard
Content of the NIST CSF
5 functions with 23 categories and 108 subcategories (Cybersecurity Framework version 1.1)

ID Identify
• ID.AM Asset Management
• ID.BE Business Environment
• ID.GV Governance
• ID.RA Risk Assessment
• ID.RM Risk Management Strategy
• ID.SC Supply Chain Risk Management

PR Protect
• PR.AC Identity Management and Access Control
• PR.AT Awareness and Training
• PR.DS Data Security
• PR.IP Information Protection Processes and Procedures
• PR.MA Maintenance
• PR.PT Protective Technology

DE Detect
• DE.AE Anomalies and Events
• DE.CM Security Continuous Monitoring
• DE.DP Detection Processes

RS Respond
• RS.RP Response Planning
• RS.CO Communications
• RS.AN Analysis
• RS.MI Mitigation
• RS.IM Improvements

RC Recover
• RC.RP Recovery Planning
• RC.IM Improvements
• RC.CO Communications

Source: www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework
CIS Controls

Basic (implementation required to achieve basic protection; 47 measures)
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational (recommended implementation, risk-based; 88 measures)
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control

Organizational (concerns people and processes, not technology; 36 measures)
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Source: www.cisecurity.org/spotlight/cybersecurity-spotlight-cis-controls
Assessing the Maturity Level

Capability Maturity Model Levels: Level 1 Initial, Level 2 Repeatable, Level 3 Defined, Level 4 Managed, Level 5 Optimized

NIST Cybersecurity Framework Functions

Identify
  Level 1: Little to no cybersecurity risk identification.
  Level 2: Process for cybersecurity risk identification exists, but it is immature.
  Level 3: Risks to IT assets are identified and managed in a standard, well defined process.
  Level 4: Cybersecurity risks are identified and proactively monitored on a periodic basis.
  Level 5: Risks to the business environment are continuously monitored and incorporated into business decisions.

Protect
  Level 1: Asset protection is reactive and ad hoc.
  Level 2: Data protection mechanisms are implemented across the environment.
  Level 3: Data is formally defined and protected in accordance with its classification.
  Level 4: The environment is proactively monitored via protective technologies.
  Level 5: Protection standards are operationalized through automation and advanced technologies.

Detect
  Level 1: Anomalies or events are not detected or not detected in a timely manner.
  Level 2: Anomaly detection is established through detection tools and monitoring procedures.
  Level 3: A baseline of "normal" activity is established and applied against tools/procedures to better identify malicious activity.
  Level 4: Continuous monitoring program is established to detect threats in real-time.
  Level 5: Direction and monitoring solutions are continuously learning behaviors and adjusting detection capabilities.

Respond
  Level 1: The process for responding to incidents is reactive or non-existent.
  Level 2: Analysis capabilities are applied consistently to incidents by Incident Response (IR) roles.
  Level 3: An IR Plan defines steps for incident preparation, analysis, containment, eradication, and post-incident.
  Level 4: Response times and impacts of incidents are monitored and minimized.
  Level 5: The capabilities of all IT personnel, procedures, technologies are regularly tested and updated.

Recover
  Level 1: The process for recovering from incidents is reactive or non-existent.
  Level 2: Resiliency and recovery capabilities are applied consistently to incidents impacting business operations.
  Level 3: A Continuity & Disaster Recovery Plan defines steps to continue critical functions and recover to normal operations.
  Level 4: Recovery times and impacts of incidents are monitored and minimized.
  Level 5: The capabilities of all IT personnel, procedures, technologies are regularly tested and updated.

Source: www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-a-guide-to-assessing-security-maturity.pdf
58
Security Architecture – As-Is

Security Mgmt & Monitoring
  IAM: Management of external users (e.g. online customers)
  SIEM: Retention, correlation and analysis of log files
  DB Monitoring: Recording and analysis of database queries
  ISMS: Management system linking risks, controls, regulations and measures

Network Security
  Mail Gateway: Protection of the mail server and mail traffic
  Firewall: Protection of the entire network and internal zoning
  CA: Issue of internal certificates for encryption and signing of network traffic
  Web Gateway: Protection of web browsing and internet traffic
  NAC: Protecting the network from unauthorised devices

Application Security / User Mgmt
  Directory Services: Identity and rights management for user management
  Application User Mgmt: Allocation of authorizations for core application and peripheral systems
  Single Sign-on: 2-factor login on the workstation and automatic, secure login in applications

Server / Database / Client Security
  Endpoint Protection: Malware detection, locking of USB/CD drives
  Remote Access: Remote access for staff and external support
  User Awareness: Sensitization of users to security issues
  Patch Mgmt: Closing known vulnerabilities

• CA: Certificate Authority • IAM: Identity and Access Management
• SIEM: Security Information and Event Management • NAC: Network Admission Control
• ISMS: Information Security Management System • WAF: Web Application Firewall
• DB: Database • USB: Universal Serial Bus
• CD: Compact Disk
59
Example: Audit and Improve
Taking measures to improve security (new or changed elements are numbered #1 to #9)

Security Mgmt & Monitoring: IAM, SIEM, DB Monitoring, WAF, ISMS (Eramba), 24/7 Monitoring (#3)
Network Security: Web Gateway, Mail Gateway, Secure Mail / File transfer (#8), Firewall (Policy Review), CA, NAC, Network Sandbox (#7), renewal management necessary (end of life) (#5)
Application Security / User Mgmt: Directory Services, Application User Mgmt, PAM (#1), Recertification (#6)
Server / Database / Client Security: Endpoint Protection, Single Sign-on, Patch Mgmt, Remote Access, Endpoint Behaviour Monitoring, Vulnerability Mgmt (#2), User Awareness, File-based AV Monitoring (#4), White-/blacklisting (#9)

#1 Implement a Privileged Access Solution
#2 Put a Vulnerability Management in place
#3 Monitor SIEM 24/7
#4 Check accesses on file directories
#5 Define a cryptographic controls policy
#6 Analyze a software-supported solution to manage access rights
#7 Introduce sandboxing, which can be used at the internal and external network boundaries
#8 Evaluate a secure mail system and a secure file transfer system
#9 Evaluate the possibilities for blacklisting / whitelisting of applications

60
Protection policy

Source: www.wrc.noaa.gov
61
Corporate Policies
Use of Emails
• Look for the following characteristics before you open an e-mail: Do you know the
sender? Does the subject make sense? Are there programs disguised as documents
in the attachment, for example ending with .exe or .vbs?
• If one or more of these characteristics occur, report the e-mail in question to Security
using the "Report Phishing Mail Lucy" button
• Phishing e-mails pretend to be from a legitimate source
• Never reply to spam e-mails

Access Management
• Grant access to information, applications and systems appropriate to a user's
responsibilities
• Access rights will be reviewed at least once a year

Security Information and Training
• Web-based training on a regular basis
• Internal "phishing" test e-mails to check the responsiveness of the users
• Information on how to deal with and report lost or stolen devices
• Rules for the use of third-party cloud or file sync services such as Gmail, Dropbox, etc.
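The "Use of Emails" checks above can be partly automated on the mail gateway or in a report-phishing workflow. The following is an added example, not code from the presentation: it parses a raw message and flags an unknown sender, an empty subject, and attachments whose final extension is executable even when hidden behind a document name (e.g. Invoice.pdf.exe). The known-sender list, the extension set and the sample message are constructed for the example.

```python
"""Screen an inbound e-mail against the "Use of Emails" policy checks (added example)."""
from email import message_from_string

# Extensions the policy names (.exe, .vbs) plus other common executable types (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".vbs", ".js", ".scr", ".bat", ".cmd", ".ps1", ".jar"}


def attachment_is_disguised_program(filename: str) -> bool:
    """True when the *last* extension is executable, e.g. 'invoice.pdf.exe'.
    Trailing spaces and dots are stripped first, as they are a common disguise."""
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTENSIONS


def screen_message(raw: str, known_senders: set) -> dict:
    """Return the findings for one raw RFC 5322 message and whether to report it."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").strip().lower()
    if "<" in sender and sender.endswith(">"):      # 'Name <addr>' -> addr
        sender = sender[sender.index("<") + 1:-1]
    findings = []
    if sender not in known_senders:
        findings.append(f"unknown sender: {sender or '<missing>'}")
    if not (msg.get("Subject") or "").strip():
        findings.append("empty subject")
    for part in msg.walk():                           # every MIME part, attachments included
        fname = part.get_filename()
        if fname and attachment_is_disguised_program(fname):
            findings.append(f"program disguised as document: {fname}")
    return {"sender": sender, "findings": findings, "report_to_security": bool(findings)}


# Constructed sample message: unknown sender and a double-extension attachment.
SAMPLE_EML = (
    "From: Accounting <billing@example.invalid>\r\n"
    "To: user@corp.example\r\n"
    "Subject: Invoice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="Invoice.pdf.exe"\r\n'
    'Content-Disposition: attachment; filename="Invoice.pdf.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(screen_message(SAMPLE_EML, {"alice@corp.example"}))
```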

62
Having IT Security in place
Major functions of IT Security

• Restrict data access
  o Identification and Authentication
  o Access Management
  o Physical Accesses

• Prevent and secure data transfer
  o Email
  o Electronic Data Transfer

• Control transport media
  o Physical Electronic Data Transfer
  o Physical output distribution

63
IT Security covers different areas

Data security
  Internet security, including virus protection, Trojan protection and firewalls, plays a key role.
  Companies can go even further by blocking Internet sites, prohibiting downloads and taking
  other measures.
  Cloud security
  Data Download
  Network Domains

User and Access Management
  User Identification, including user name
  User Authentication, like a password or using multifactor authentication
  Remote Access
  Privileged Accesses, meaning special access or abilities above and beyond that of a
  standard user, like system administrators

Physical Access Control
  Access exclusively for employees with key cards or even NFC technologies.
  Server rooms with restricted access, alarms and no windows.
  Data Center Security: securing the racks and network cables, including biometric
  security access and a mantrap entry room.

Asset Management
  Workstations, Laptops, Tablets
  Mobile devices
  Network Components
  Wireless Network
  USB Stick

NFC: Near Field Communication
64
Security Operations Center (SOC)

(Diagram: 24-hour clock divided into working hours, 8:00 to 18:00, and non-working hours, 18:00 to 8:00.)

65
Threats and Answers from ISM
Threats
• Unauthorized access
• Unauthorized remote access
• System admin access
• Mobile device
• Login Attempts
• Logon Attempts
• Wireless access
• Wrong application accesses
• Unauthorized network access
• Data loss
• Unpermitted Data Download
• Malicious e-mails
• Wrong level of SW protection
• Sending confidential information
• User-Installed Software
• Viruses, Worms, Bots
• Buffer overflow
• Heap Spray

Answers from ISM
• Access Control for Mobile Devices
• Role-Based Security Training
• Penetration Testing
• Configuration Change Control
• Information System Backup
• Information System Recovery
• Identification and Authentication
• Privileged Access Management (PAM)
• Restricted Media Use
• Rules of Behavior
• System Maintenance Life Cycle
• Patching
• Public Key Infrastructure Certificates
• Client SW Engineering
• Anti-Spam Software
• Honeypots (trap for bots or hackers)
• Session Locking and Termination
• Sandboxes
• Whitelisting / Blacklisting
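The "Login Attempts" threat in the table is answered by account monitoring in the SIEM, which the SOC slide expects to run around the clock. Below is an added example, not part of the presentation, of the detection logic such a rule implements: repeated failed logins from one source within a short window raise an alert, a later success from the same source is recorded as a likely compromise, and each alert is tagged with whether it fell outside the 8:00 to 18:00 working hours of the SOC slide. The log format, the threshold and the window are assumptions, and the log lines are constructed.

```python
"""Brute-force login detection with working-hours context (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WORK_START, WORK_END = 8, 18          # working hours taken from the SOC slide
FAIL_THRESHOLD = 5                    # assumed: 5 failures ...
WINDOW = timedelta(minutes=10)        # ... within 10 minutes raise an alert

# Constructed sample lines in an assumed "<ISO time> <result> user=<u> src=<ip>" format.
SAMPLE_LOG = """\
2022-05-10T02:14:01 FAIL user=admin src=203.0.113.7
2022-05-10T02:14:03 FAIL user=admin src=203.0.113.7
2022-05-10T02:14:06 FAIL user=admin src=203.0.113.7
2022-05-10T02:14:09 FAIL user=admin src=203.0.113.7
2022-05-10T02:14:12 FAIL user=admin src=203.0.113.7
2022-05-10T02:14:20 OK user=admin src=203.0.113.7
2022-05-10T09:30:00 FAIL user=bob src=192.0.2.9
2022-05-10T09:31:00 OK user=bob src=192.0.2.9
"""


def parse_line(line):
    """Return (timestamp, result, user, source) for one log line."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def is_non_working_hours(ts):
    return not (WORK_START <= ts.hour < WORK_END)


def detect_bruteforce(log_text):
    """One alert per (source, user) reaching FAIL_THRESHOLD failures inside WINDOW."""
    failures = defaultdict(list)      # (src, user) -> timestamps of recent failures
    alerts = {}
    for ts, result, user, src in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        key = (src, user)
        if result == "FAIL":
            failures[key] = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            if len(failures[key]) >= FAIL_THRESHOLD and key not in alerts:
                alerts[key] = {"src": src, "user": user, "first_fail": failures[key][0],
                               "last_fail": ts, "out_of_hours": is_non_working_hours(ts),
                               "success_after": False}
        elif result == "OK" and key in alerts:
            alerts[key]["success_after"] = True   # failures followed by success: escalate
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```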
66
A battle lost in advance?
Zero-day Attack
"Zero-day" is a broad term that describes recently discovered security vulnerabilities that hackers
can use to attack systems. The term "zero-day" refers to the fact that the vendor or developer has
only just learned of the flaw – which means they have “zero days” to fix it. A zero-day attack takes
place when hackers exploit the flaw before developers have a chance to react.
Source: www.kaspersky.com/resource-center/definitions/zero-day-exploit

Dark web
The widespread availability of dark web forums dedicated to freely sharing privacy-enabling technologies, intrusion software and exploitable code means global law enforcement agencies face an uphill struggle. There's a growing number of technically-savvy 'amateur hackers' carrying out cyber-attacks, though as yet they've had little impact. But for businesses that means even the average customer could buy a cyber-attack service anonymously – or possibly learn to conduct their own cyber-attack – without being caught.

Source: www.paconsulting.com/insights/why-the-dark-web-is-becoming-a-cyber-security-nightmare-for-businesses
67
Be alert

68
Take away and must know!

• The logic of cyberattacks
• Main Security Threats
• Main Protection Techniques
• Major Roles of IT Security
• Best Practices for Protection (prevent and detect)

69
Literature

• Dotson C. (2019) Practical Cloud Security - A Guide for Secure Design and Deployment.
O'Reilly, Sebastopol - CA
• Humphreys E. (2016) Implementing the ISO/IEC 27001 ISMS Standard. Artech House,
Boston-London
• Jarpey G., Scott McCoy R. (2017) Security Operations Center Guidebook. Elsevier
• National Institute of Standards and Technology (2013) Security and Privacy Controls for
Federal Information Systems and Organizations, NIST Special Publication 800-53,
Gaithersburg
----------------------------------------------------------------------------------
• www.ncsc.admin.ch
• www.ebas.ch
• www.swisscom.ch/de/magazin/datensicherheit-infrastruktur/
• www.broadcom.com/support/security-center
• www.cisecurity.org
• www.itsecdb.com/oval/
• www.cvedetails.com
• attack.mitre.org/matrices/enterprise

70
www.know-ledge.ch