IT Assignment

Security awareness for people, process, and technology refers to educating individuals, optimizing processes, and implementing technologies to enhance an organization's overall security posture. It aims to promote a culture of cybersecurity through training employees, reviewing processes, staying up-to-date on threats, and ensuring compliance. The goals are to cultivate a security-conscious workforce, integrate security into daily operations, and protect digital assets using the latest tools and systems. A holistic approach to security awareness helps create a strong security culture where protection is a shared responsibility across the organization.

Uploaded by

AYUSH PRADHAN

Q-1 As a term, people, process, and technology (PPT) refers to the methodology in
which the balance of people, process, and technology drives action: People
perform a specific type of work for an organization using processes (and often,
technology) to streamline and improve these processes. What do you mean by
security awareness for people, process, and technology?

Security awareness for people, process, and technology refers to the efforts made
within an organization to educate and empower individuals, optimize processes,
and implement technological safeguards to enhance overall security posture. It's a
comprehensive approach aimed at promoting a culture of cybersecurity and risk
management. Here's what each component means in the context of security
awareness:

1. People: This aspect focuses on educating and raising awareness among employees,
contractors, and other individuals within the organization. It involves training them
on security best practices, recognizing potential threats (like phishing emails or
social engineering attempts), and emphasizing their role in maintaining security.
The goal is to cultivate a security-conscious workforce that understands the
importance of safeguarding sensitive data and can identify and report security
incidents.
2. Process: Security awareness for processes involves evaluating and refining
existing workflows and procedures to incorporate security measures seamlessly.
This might include reviewing access controls, data handling procedures, incident
response plans, and compliance with security policies and regulations. The aim is
to integrate security into daily operations and ensure that processes are resilient
against potential threats and vulnerabilities.
3. Technology: In this context, technology refers to the tools and systems used to
protect the organization's digital assets. Security awareness for technology entails
staying informed about the latest cybersecurity trends and solutions. It involves
implementing and maintaining security technologies like firewalls, intrusion
detection systems, encryption, and antivirus software. Additionally, it's about
educating the workforce on how to use these technologies effectively and securely.

Security awareness for people, process, and technology is essential because:

• Security is a shared responsibility: Everyone in the organization, from the CEO
to the newest intern, plays a role in maintaining security. Security awareness
ensures that each individual understands their responsibilities.
• Integration of security: By incorporating security into processes and
technologies, organizations can reduce vulnerabilities and respond more effectively
to threats.
• Adaptation to evolving threats: The threat landscape is continually changing.
Being aware of new threats and vulnerabilities is crucial for protecting an
organization's assets.
• Compliance and risk management: Security awareness helps organizations
comply with regulations and manage risks effectively by identifying and
addressing security gaps.

Overall, security awareness for people, process, and technology is a holistic
approach that aims to create a strong security culture within an organization, where
security is not seen as a separate function but as an integral part of everyday
operations.

Q-2 Access control is a method of guaranteeing that users are who they say they
are and that they have the appropriate access to company data. Companies often
grant access to information and assets to staff even if it is not relevant to that
member of staff's role. Describe access control methodologies and their
implementation for the purpose of security. Give detailed justifications for your
recommendations.

Access control is a critical component of information security that ensures only
authorized users have access to specific resources or data within an organization.
Implementing effective access control methodologies is crucial to safeguard
sensitive information and prevent unauthorized access. Below are some access
control methodologies and recommendations for their implementation, along with
justifications for each:

1. Role-Based Access Control (RBAC):
• Methodology: RBAC assigns access permissions based on job roles or
functions within the organization. Users are granted access based on their
roles, which simplifies administration.
• Implementation Recommendation: Develop a comprehensive list of job
roles within the organization, define their access requirements, and assign
appropriate permissions accordingly.
• Justification: RBAC reduces administrative overhead by tying access to job
roles, ensuring that users have the necessary access for their positions and
nothing more. This minimizes the risk of over-privileged accounts.
2. Attribute-Based Access Control (ABAC):
• Methodology: ABAC uses a set of attributes and policies to determine
access. These attributes can include user characteristics, resource attributes,
and environmental conditions.
• Implementation Recommendation: Create a policy engine that evaluates
attributes such as user role, location, time of day, and device type to make
access decisions dynamically.
• Justification: ABAC offers fine-grained control by considering multiple
factors, allowing organizations to create highly tailored access policies. This
flexibility is valuable in complex environments.
3. Mandatory Access Control (MAC):
• Methodology: MAC enforces strict data classification and access controls
based on security labels. Access is granted based on predefined security
levels.
• Implementation Recommendation: Classify data into sensitivity levels
(e.g., confidential, secret, top secret) and implement access controls that
enforce the need-to-know principle.
• Justification: MAC is critical for protecting highly classified or regulated
data, as it ensures that data is only accessible to users with the appropriate
security clearance.
4. Discretionary Access Control (DAC):
• Methodology: DAC allows data owners to grant or revoke access to their
resources. Users have more control over access to their data.
• Implementation Recommendation: Educate users on responsible access
management and provide tools to easily set and modify permissions for their
files and resources.
• Justification: DAC is user-centric and suitable for environments where
users need flexibility in controlling access to their own data. However, it can
be risky if not properly managed, so user training is essential.
5. Role-Based Access Control with Separation of Duties (RBAC-SoD):
• Methodology: RBAC-SoD combines RBAC with policies that prevent
conflicting roles, ensuring that no single user has access to perform both
sensitive and critical tasks.
• Implementation Recommendation: Identify critical tasks and implement
policies that prohibit users from having roles that would create conflicts of
interest.
• Justification: RBAC-SoD mitigates insider threats and reduces the risk of
fraud by preventing users from performing conflicting roles, such as
authorizing and processing financial transactions.
6. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA):
• Methodology: These methods require users to provide multiple forms of
authentication before granting access.
• Implementation Recommendation: Implement 2FA or MFA for sensitive
systems and data, especially for remote access or critical applications.
• Justification: 2FA and MFA enhance security by adding an extra layer of
authentication, making it more difficult for attackers to gain unauthorized
access even if they have compromised login credentials.
7. Continuous Monitoring and Auditing:
• Methodology: Regularly monitor user access and conduct audits to detect
and respond to suspicious activities.
• Implementation Recommendation: Deploy security information and event
management (SIEM) systems and set up automated alerts for unusual access
patterns.
• Justification: Continuous monitoring and auditing are crucial for
identifying and responding to security incidents promptly, ensuring that
access control policies remain effective over time.
8. Access Revocation and De-provisioning:
• Methodology: Implement procedures for promptly revoking access when
employees change roles, leave the organization, or no longer require access.
• Implementation Recommendation: Integrate access revocation processes
into HR and IT onboarding and offboarding workflows.
• Justification: Timely access revocation reduces the risk of insider threats
and ensures that former employees or contractors cannot access sensitive
data after leaving the organization.
9. Regular Security Awareness Training:
• Methodology: Educate employees about the importance of access control,
security best practices, and the risks associated with unauthorized access.
• Implementation Recommendation: Conduct regular security awareness
training sessions and simulate phishing attacks to reinforce good security
habits.
• Justification: Well-informed employees are more likely to adhere to access
control policies and help protect the organization against social engineering
attacks.
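
The RBAC, ABAC and separation-of-duties methodologies above, in an added example that is not part of this assignment: a small Python policy engine with constructed sample roles, a role-grant check that refuses conflicting roles (RBAC-SoD), and a hypothetical managed-device and business-hours rule for payment approvals (ABAC attributes).

```python
# Added example (not from the assignment): RBAC with static separation of duties
# and ABAC-style environment checks. Roles, permissions and thresholds are constructed.

# RBAC: each job role maps to exactly the permissions that role needs.
ROLE_PERMISSIONS = {
    "payments_initiator": {"payment:create"},
    "payments_approver": {"payment:approve"},
    "auditor": {"ledger:read"},
}
# RBAC-SoD: role pairs no single user may hold (initiate AND approve a payment).
SOD_CONFLICTS = [frozenset({"payments_initiator", "payments_approver"})]

class SoDViolation(Exception):
    """Raised when a role grant would create a conflict of interest."""

def sod_conflicts(held: set, new_role: str) -> set:
    """Roles already held that clash with new_role under SOD_CONFLICTS."""
    found = set()
    for pair in SOD_CONFLICTS:
        if new_role in pair:
            found |= (pair - {new_role}) & held
    return found

def assign_role(user_roles: dict, user: str, role: str) -> None:
    """Grant a role, refusing any grant that breaks separation of duties."""
    held = user_roles.setdefault(user, set())
    clash = sod_conflicts(held, role)
    if clash:
        raise SoDViolation(f"{user}: {role} conflicts with {sorted(clash)}")
    held.add(role)

def effective_permissions(user_roles: dict, user: str) -> set:
    """Union of the permissions of every role the user holds."""
    roles = user_roles.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def permitted(user_roles: dict, user: str, permission: str, ctx: dict) -> bool:
    """RBAC decision refined by ABAC attributes (device type, time of day)."""
    if permission not in effective_permissions(user_roles, user):
        return False  # no held role grants this action
    if permission == "payment:approve":
        # Hypothetical policy: approve only from a managed device, 09:00-17:59.
        if not ctx.get("managed_device", False):
            return False
        if not 9 <= ctx.get("hour", -1) < 18:
            return False
    return True
```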

In conclusion, effective access control is vital for maintaining the confidentiality,
integrity, and availability of company data. The choice of methodology and its
implementation should align with the organization's specific needs, risk tolerance,
and regulatory requirements. A well-designed access control system reduces
security risks, improves operational efficiency, and helps organizations maintain
compliance with data protection regulations.

Q-3 Bangladesh Bank is the central bank of Bangladesh, responsible for managing
the country's monetary and financial stability. In February 2016, cybercriminals
launched a sophisticated attack on the bank's foreign exchange reserves, attempting
to steal hundreds of millions of dollars.

Incident Details:

• SWIFT Transactions: The attackers used the Society for Worldwide Interbank
Financial Telecommunication (SWIFT) network to initiate fraudulent fund transfers.
They sent multiple payment requests to the Federal Reserve Bank of New York,
requesting the transfer of approximately $951 million from Bangladesh Bank's
account to various accounts in the Philippines and Sri Lanka.
• Authentication Bypass: The cybercriminals managed to compromise the bank's
SWIFT terminal and gain access to the SWIFT system using stolen credentials. They
were able to manipulate SWIFT messages to make the transactions appear legitimate.
• Errors Detected: A few of the fraudulent transfer requests contained spelling
errors that raised suspicions at the Federal Reserve Bank. This prompted further
scrutiny.
• Prevented Losses: While the attackers successfully transferred $81 million to the
Philippines, an alert official at the Federal Reserve Bank noticed the spelling
errors in subsequent transfer requests. This raised suspicions and led to the
cancellation of several transactions, preventing further losses.
• Investigation: After the attack was discovered, Bangladesh Bank launched an
investigation and sought assistance from law enforcement agencies and
cybersecurity experts.
• Consequences: Bangladesh Bank lost approximately $81 million in the successful
transactions. The incident raised concerns about the security of the global
financial system and the vulnerabilities in SWIFT's infrastructure. It also
highlighted the importance of cybersecurity for financial institutions worldwide.
• Attribution: While the cybercriminals responsible for the Bangladesh Bank heist
were never conclusively identified, there have been suspicions that North Korean
hackers, specifically the Lazarus Group, were involved due to similarities with
other attacks attributed to them.

a. In the Bangladesh Bank Cyber Heist case, what were the key vulnerabilities and
security lapses that allowed the cybercriminals to compromise the bank's systems
and attempt a fraudulent transfer of funds? Provide specific examples from the
case to support your answer.
b. Discuss the role of international cooperation and information sharing in
responding to cyber attacks on financial institutions, as illustrated by the
Bangladesh Bank Cyber Heist. What lessons can be drawn from this case regarding
the importance of cross-border cooperation in cybersecurity?
