Cyber Security M1 & M2

Module 1

Effective cybersecurity defense.

Cybercrime is the world’s largest and fastest-growing category of crime.

Cyber criminals are responsible for more than $1 trillion USD in stolen funds and other assets.

Cybersecurity Ventures, 2024 figures:
$9.5 trillion USD a year.
$793 billion USD a month.
$182.5 billion USD a week.

Why Start with Antipatterns?

Antipatterns employ psychological frameworks for solving problems whose causes involve habitual mistakes.

Antipatterns require a mind shift from the dispassionate mindsets of mathematics and engineering into the judgmental milieu of enterprise architecture and organizational change.

Antipatterns have been summarized by the quip “Technology is not the problem…people are the problem.”

But changing people’s minds is very difficult.
Background

According to software testing expert Boris Beizer, vendors release new software at the earliest point.

Patches are software updates that repair known defects.

A defect in one part of the software could affect any other part of the system.

Many of the defects in patch updates are security related, either discovered by the vendor, by external security researchers, or from malware caught in the wild.

With automatic updates from operating system vendors, operating systems and same-vendor applications are relatively well patched.

The key functionalities of a patch management solution include automated patch detection, testing, deployment, and installation, ensuring systems are up-to-date and secure.

Vendors in this space:
HP offers hardware and software solutions for better device management.
IBM Corporation provides advanced analytics and cloud-based services to optimize desktop performance.
LANDesk and Altiris focus on endpoint management, ensuring security and compliance.
Microsoft’s Windows operating system and Office 365 enhance compatibility with various applications, promoting user productivity.
BMC and Broadcom specialize in IT service management, enabling organizations to deliver effective support and incident resolution swiftly.
Antipattern Solution

According to SANS Institute’s 2010 list of top security vulnerabilities, unpatched applications are one of the biggest security risks.

Add-on applications such as QuickTime for Windows, Acrobat, Chrome, and many others are frequent sources of security warnings.

The lag between the patch release and the installed update creates a vulnerability window for attackers.

Announcement of the vulnerability and the binary patch gives attackers clues about how to exploit the weakness.
Known Exceptions

If software product support has expired and there are no further vendor updates, migration to a supported version is strongly recommended.

Each organization should maintain a list of approved standard versions of all software applications.

Some vendors will continue to support the product with security patches for an additional fee.
Refactored Solution and Examples

A first step toward managing your patches is obtaining an inventory of systems and installed software packages.

For small networks, you can enable automatic updates on Windows and on applications such as Acrobat and Firefox.

For other applications, such as video drivers, you might have to update from the vendor’s website.

Keep an eye on the US-CERT bulletins. If there are serious vulnerabilities announced for your applications, follow the Patch Available links and install the patches.

Many shops are adopting vulnerability scanning tools, such as Retina from eEye, Nessus from Tenable, and NeXpose from Rapid7.

These tools are often used for security certification testing prior to system release.

Vulnerability scanning is the process of identifying security weaknesses and flaws in systems and the software running on them.
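As an added example (not code from the slides), the inventory check described above in Python: it compares installed packages against the organization's approved-version list, reports products with expired vendor support, and sizes the vulnerability window (days since the vendor released the approved version). The hosts, versions, dates and the LegacyViewer/VideoTool products are constructed; the approved-list format is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Standard:
    """One entry of the organization's approved-version list (assumed format)."""
    product: str
    approved_version: str         # version the organization has approved as current
    released: date                # day the vendor published that version (patch release)
    support_ends: Optional[date]  # None means the vendor still supports the product


def version_key(version: str) -> tuple:
    """'23.6.20320' -> (23, 6, 20320) so versions compare numerically, not as strings.
    Assumes dotted-integer version strings."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(inventory, standards, today: date):
    """Return (host, product, finding) for every installed package that violates the
    approved list: unknown product, expired vendor support, or lagging behind the
    approved version (with the size of the vulnerability window in days)."""
    by_product = {s.product: s for s in standards}
    findings = []
    for item in inventory:
        std = by_product.get(item.product)
        if std is None:
            findings.append((item.host, item.product, "not on the approved list"))
        elif std.support_ends is not None and std.support_ends <= today:
            findings.append((item.host, item.product, "vendor support expired; migrate"))
        elif version_key(item.version) < version_key(std.approved_version):
            window_days = (today - std.released).days
            findings.append((item.host, item.product,
                             f"behind approved {std.approved_version}; "
                             f"vulnerability window {window_days} days"))
    return findings


# Constructed sample data: invented hosts, version numbers and dates.
STANDARDS = [
    Standard("Acrobat", "23.6.20320", date(2024, 5, 14), None),
    Standard("Firefox", "126.0", date(2024, 5, 14), None),
    Standard("LegacyViewer", "2.1", date(2019, 1, 1), date(2023, 12, 31)),
]
INVENTORY = [
    Installed("ws-01", "Acrobat", "23.6.20320"),   # current: no finding
    Installed("ws-02", "Acrobat", "23.3.20201"),   # lagging
    Installed("ws-02", "Firefox", "124.0.1"),      # lagging
    Installed("ws-03", "LegacyViewer", "2.1"),     # support expired
    Installed("ws-03", "VideoTool", "1.0"),        # not on the approved list
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for host, product, finding in audit_inventory(INVENTORY, STANDARDS, TODAY):
        print(f"{host:6} {product:13} {finding}")
```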
Related Solutions
Some technically advanced organizations are using their data center provisioning
environments to assure patch management and policy configurations.

By creating locked-down standard system images, data centers are able to deploy
virtual servers which conform to security baselines, and perform mass updates to
these configurations to apply patches and other changes.
3. Never Read the Logs

Antipattern Solution

Network operations centers (NOC) are facilities where large colorful displays of system and network status are monitored.

Is logging really working?

Are security devices really working?

The alerting rules are usually set to eliminate false positive alarms (a false positive is a test result that is incorrectly classified as positive).

For example, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) rules that cause false alarms are disabled.

A network operations center (NOC) is a centralized location where computer, telecommunications, or satellite network systems are monitored and managed 24x7. It is the first line of defense against network disruptions and failures.
Refactored Solution and Examples

Reading the logs is an essential periodic activity; without it, you miss a lot of unusual, suspicious, and erroneous activity on your networks.

Depending on the criticality of the applications, it might be necessary to review the logs daily or multiple times throughout the day.

Review the system security event logs, system logs, network device logs, and IDS/IPS logs regularly.

Do not always depend on the versions in the centralized log manager, but periodically audit the local logs and make sure that they are accurately reflected in the central logs.

An event log is a file that contains information about usage and operations of operating systems, applications, or devices.

System Log (syslog): a record of operating system events. It includes startup messages, system changes, unexpected shutdowns, errors and warnings, and other important processes.

Network device logging is the process of documenting every event that takes place on a device.
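The local-versus-central audit recommended above, as an added Python example that is not part of the slides: it parses a host's local syslog and the central log manager's export, and lists events that never reached the central copy. The log lines, host names and addresses are constructed, and the central export format (a receive timestamp and relay name prefixed to each forwarded line) is an assumption.

```python
import re
from collections import Counter

# Constructed sample logs (invented host, messages and documentation-range address).
# Local syslog format: "Mon DD HH:MM:SS host program[pid]: message"
LOCAL_SYSLOG = """\
Jun  3 09:14:02 web01 sshd[2041]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun  3 09:14:05 web01 sshd[2041]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun  3 09:15:10 web01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl stop auditd
Jun  3 09:16:00 web01 systemd[1]: Stopped Security Auditing Service.
"""
# Assumed central export format: "<received-iso> <relay> <forwarded line>".
# Two of the four local events are missing here, including the auditd stop.
CENTRAL_EXPORT = """\
2024-06-03T09:14:03Z relay1 Jun  3 09:14:02 web01 sshd[2041]: Failed password for root from 198.51.100.7 port 51022 ssh2
2024-06-03T09:15:11Z relay1 Jun  3 09:15:10 web01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl stop auditd
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
CENTRAL_PREFIX_RE = re.compile(r"^\S+ \S+ ")  # strips "<received-iso> <relay> "


def parse_local(text):
    """Yield (timestamp, host, message) for each syslog-formatted line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield (m["ts"], m["host"], m["msg"])


def parse_central(text):
    """Remove the collector's prefix from each line, then parse as syslog."""
    stripped = "\n".join(CENTRAL_PREFIX_RE.sub("", line, count=1)
                         for line in text.splitlines())
    return parse_local(stripped)


def missing_from_central(local_text, central_text):
    """Events present in the local log but absent from the central copy.
    Counters keep multiplicity, so a repeated line forwarded once still counts as a gap."""
    local = Counter(parse_local(local_text))
    central = Counter(parse_central(central_text))
    return sorted((local - central).elements())


def coverage(local_text, central_text) -> float:
    """Fraction of local events that the central log manager actually holds."""
    total = sum(Counter(parse_local(local_text)).values())
    missing = len(missing_from_central(local_text, central_text))
    return 1.0 - missing / total if total else 1.0


if __name__ == "__main__":
    for ts, host, msg in missing_from_central(LOCAL_SYSLOG, CENTRAL_EXPORT):
        print(f"MISSING centrally: {ts} {host} {msg}")
    print(f"coverage: {coverage(LOCAL_SYSLOG, CENTRAL_EXPORT):.0%}")
```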
4. Networks Always Play by the Rules

Antipattern Solution

The Internet was not designed with security in mind.

There is a free security tool called Karma.

Yersinia is a security research tool that generates network layer 2 attacks. It is a framework for performing layer 2 attacks, designed to take advantage of some weaknesses in different network protocols.
Refactored Solution and Examples

There are many inherent weaknesses in Internet technologies that you cannot mitigate.

What you can do is use cybersecurity best practices to make your systems hard targets. For example, harden system configurations according to best-practice guidelines.

Use the most advanced, updated solutions for antivirus, anti-spyware, IDS, IPS, and Host-Based Security System (HBSS).

Configure systems such as Wi-Fi-enabled laptops to require host authentication.

Engineer security into the system from the beginning of the development lifecycle.

Related Solutions

Some authorities have argued for a fundamental rethinking of the Internet with much stronger support for delegation of trust and attribution of user actions.

How does the Internet continue to evolve, and what implications does this have for future business models?

Explore the impact of the Internet on business models, the role of public and private collaborations in enabling innovation, the key policy, governance and security considerations that need to be addressed, and the future implications of the Internet’s evolution.
Hard on the Outside, Gooey in the Middle

Antipattern Solution

Network architectures include three major domains:
the Internet boundary (or DMZ),
the data center Storage Area Network (SAN), and
the rest of the network (intranet).

Between the DMZ and intranet, there are network security devices, including a firewall and possibly an IDS/IPS.

Most packet traffic is concentrated on very few outgoing ports, primarily 53, 80, and 443.

Botnet malware and browser-based spyware send beaconing packets from infected machines inside the firewall to port 80 on external control servers. To the firewall, these packets appear to be ordinary web traffic.

A beacon packet is the continuous transmission of signals in a beacon network that advertises the base station's presence.
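Because beacons to port 80 look like web traffic to a firewall, what gives them away is timing rather than port: a check-in timer produces near-constant gaps, while human browsing is bursty. This added Python example (not from the slides) applies that to outbound connection records; the flow records and addresses are constructed, and the thresholds (at least 8 connections, coefficient of variation at most 0.2) are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import pstdev


def constructed_flows():
    """Constructed outbound connection records (epoch seconds, src, dst, dst port).
    Addresses come from documentation ranges; none of this is real traffic."""
    flows = []
    # Infected host checking in every 60 s (+/- 1 s jitter) to port 80.
    for i, jitter in enumerate([0, 1, -1, 0, 1, 0, -1, 1, 0, 0]):
        flows.append((1000 + 60 * i + jitter, "10.0.0.5", "203.0.113.10", 80))
    # Ordinary browsing: bursty, irregular gaps to a web server on 443.
    for t in (1005, 1007, 1008, 1130, 1131, 1400, 1402, 1403, 1404, 1900):
        flows.append((t, "10.0.0.7", "198.51.100.20", 443))
    return flows


FLOWS = constructed_flows()


def interval_stats(times):
    """Mean gap between consecutive connections and its coefficient of variation
    (stddev / mean). Fewer than two gaps cannot show regularity."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return 0.0, float("inf")
    avg = sum(gaps) / len(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def find_beacons(flows, ports=(80, 443), min_conns=8, max_cv=0.2):
    """Group connections by (src, dst, port) on the ordinary web ports and flag
    pairs whose inter-connection gaps are almost constant (low cv)."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        if port in ports:
            by_pair[(src, dst, port)].append(t)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:  # too few samples to judge regularity
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "period_s": round(avg, 1), "cv": round(cv, 3),
                         "count": len(times)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```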
Known Exceptions

For small networks, of perhaps fewer than 50 users, a traditional network architecture might be workable.

However, additional measures, such as system hardening and HBSS, should be implemented.

Refactored Solution and Examples

For larger networks, with extensive information assets, intranet security should be carefully designed.

Some tools perform periodic security vulnerability and configuration testing:
Retina from eEye
Nessus from Tenable
NeXpose from Rapid7
Webify Everything

Background

In computer technology’s crawl-walk-run evolution, it’s become very trendy to eliminate installed applications entirely and rely on web-based interfaces for everything.

Antipattern Solution

Cross site scripting (XSS)

The introduction of HTML 5.0 exacerbates (worsens) security issues by adding facilities for remote code execution and read-write access to local browser client disks.

Supervisory Control and Data Acquisition (SCADA) systems are the core control systems of machines, utilities, and manufacturing infrastructure.

The Stuxnet worm, which proliferated widely in the Middle East and Asia but only targeted very specific SCADA devices, proved that targeted attacks on SCADA systems are much more than theoretical.

Stuxnet reportedly destroyed numerous Iranian nuclear facilities by causing them to burn themselves out. It was used to attack electro-mechanical equipment.
Causes, Symptoms, and Consequences

Web browsers are a user interface platform for applications, called thin clients.

Users are in the habit of opening multiple browser tabs and connecting with multiple websites.

Websites with malicious content are a significant and prevalent threat.

Malicious content (such as malware scripts) can be embedded in the site or served up through advertisements supplied by third parties.
Refactored Solution and Examples

Software Virtual Private Networks (VPNs) provide out-of-band separation of communications across public networks.

VPNs are a widely deployed technology; one wonders why VPNs aren’t used universally.

Related Solutions

To prevent XSS and other attacks, the American Bankers Association recommends using a dedicated, physically separate computer for all financial transactions.
No Time for Security

Background

Security is usually the final consideration in the development of a system.

Sometimes security is left out altogether in the rush to get products out the door.

Antipattern Solution

Developers often wait until the end of the development lifecycle to address security.

Near the date that the enterprise release process will test security vulnerabilities, managers and developers begin a madcap cover-up process to obscure inherently insecure software, user account, and configuration practices.

Refactored Solution and Examples

Security risks and requirements should be analyzed early in the development cycle, at the same time as functional requirements.

Related Solutions

Select security and audit controls using the Committee of Sponsoring Organizations (COSO) and Control Objectives for Information and Related Technology (COBIT) frameworks for commercial systems and to satisfy Sarbanes-Oxley requirements.


Module 2

Enterprise Security Using the Zachman Framework

What Is Architecture? Why Do We Need It?

Architecture is the art and science of designing and constructing buildings, structures, and complexes, as well as their appearance.

Security architecture is a set of security principles, methods and models designed to align to your objectives and help keep your organization safe from cyber threats.

Security architecture translates the business requirements to executable security requirements.

Each organization is different.

The purpose is to protect the organization from cyber harm.

Architects talk to the leaders and employees, seeking to understand individual business goals, the requirements of systems, the needs of your customers and other critical factors.

What is a security architecture framework?

It is generally considered a consistent set of principles and guidelines for implementing security architecture at different levels of the business.

TOGAF: The Open Group Architecture Framework, or TOGAF, helps determine what problems a business wants to solve with security architecture.

SABSA: Sherwood Applied Business Security Architecture, or SABSA, is a quite policy-driven framework that helps define key questions that must be answered by security architecture: who, what, when and why.

OSA: Open Security Architecture, or OSA, is a framework related to functionality and technical security controls. It offers a comprehensive overview of key security issues, principles, components and concepts.

WHAT IS THE BENEFIT OF SECURITY ARCHITECTURE?

1. Strong security architecture leads to fewer security breaches
2. Proactive security measures save money
3. It may help mitigate disciplinary measures in the event of a breach
Enterprises Are Complex and Changing

The United States Capitol in Washington, D.C., is a symbol of the American people and our government and the meeting place of the nation's legislature, the U.S. Congress. Here, the Senate and House of Representatives come together to discuss, debate and deliberate national policy; develop consensus; and craft the country's laws. The Capitol is a working office building, but it is also the place where visitors from around the United States and the world come to learn about American democracy.

Consider the United States Capitol in Washington, DC. This is an immense legislative building of a very complex enterprise, the U.S. federal government.

Consider the complexity of this building and all other Federal buildings.

Then consider the furniture inside, which is movable; the equipment, such as copy machines and telephones; and finally the computers that are changing in real time as new systems are added, relocated, upgraded, and updated.

Then consider the people, with their churning organization structure, personal relationships, roles, responsibilities, knowledge, skills, and abilities.

The federal government is an organization undergoing massive changes driven by aggressive legislative deadlines and other environmental forces.

Because the government needs to change, they need an enterprise architecture.
The Zachman Framework is a widely used intellectual standard used to analyze and represent enterprise architectures.

The Zachman Framework, invented by John A. Zachman, is an intellectual tool for describing enterprises (1992, from IBM).

The columns are the six basic questions you could ask about any subject. These interrogatives include: What? How? Where? Who? When? Why?

The rows represent a general overview of the human roles. The hierarchy of every complex enterprise has:
executives,
business management,
architects,
engineers,
technicians, and
users.

Each row-column intersection in the Zachman Framework is a cell to be populated with models and specifications, which are representations of the enterprise.

Everyone has their own specifications. A populated row represents the enterprise architecture from that row-wise perspective.
Primitive Models versus Composite Models
How Does the Zachman Framework Help with Cybersecurity?

The risk executive is a key stakeholder in enterprise investment decisions.

The Zachman Framework allows the risk executive to have visibility into the enterprise in the context of making wise decisions in order to manage the enterprise’s security risks.

The risk executive ensures that an IT system will consider security risk from day one.

One of the first actions that the risk executive should take is to establish an “auditor”.
Everyone Has Their Own Specifications

The framework is a periodic table of enterprise models: an abstraction that helps you manage the real world.

If the models are not meeting your needs or you don’t know how to organize them, you can reorganize them using the Zachman Framework:
organize and define them,
inter-relate them to assess effects,
find commonalities, and
understand structure.

The Zachman Framework is a fruitful starting point for documenting the enterprise.
The Goldmine Is in Row 2

Row 1 of the Zachman Framework contains exhaustive lists of enterprise things, which are not inherently useful by themselves, but when they’re turned into hierarchies in Row 2, the enterprise can navigate to clusters of commonality.

- Consider every type of data your enterprise manages, every role in the enterprise, and every system.
- This helps business management make informed recommendations for executive decisions.
- Row 2 models help people visualize the enterprise; you now have a new basis for fact-based decision making.
Frameworks for Row 3 (the architect’s perspective)

Do we know how to describe our enterprise and its systems?

The U.S. Department of Defense (DoD) chooses the DoD Architecture Framework (DoDAF).

People in commercial industry choose The Open Group Architecture Framework (TOGAF).

People in the North Atlantic Treaty Organization (NATO) would choose the British Ministry of Defence Architecture Framework (MoDAF).

The Row 3 frameworks generate mostly composite models which contain independent viewpoints.

Another example is RM-ODP and the industry consortia driving its usage, such as the Telecommunication Information Networking Architecture Consortium (TINA-C).
Architectural Problem Solving Patterns

The key techniques:

1. Business Question Analysis: Gather knowledge from enterprise subject matter experts to find out what questions the business management has. Analyze each question to understand which columns are involved to answer the questions, and which columns need to be mapped to which others.

2. Document Mining: Obtain as much enterprise documentation as possible. Choose a column and go through each document finding examples. Keep a list of what you found, the enterprise’s text defining it, and the document and page number where it can be found (for traceability). Completing document mining for all the interrogatives will populate Row 1.

3. Hierarchy Formation: Play a cards-on-the-wall exercise with small groups and organize each list into a hierarchy, possibly inventing some new categories in the middle of the tree. Redraw this electronically and print it as a readable poster. When complete, you have six hierarchies that populate Row 2.

4. Enterprise Workshop: Bring the posters and some binders with the Row 1 definitions to a workshop with enterprise stakeholders. Have the enterprise take ownership of the meeting and walk through each hierarchy to validate the models. This workshop is usually done one hierarchy at a time.

5. Matrix Mining: Carefully review the documents for cross-column relationships, that is, a sentence involving more than one column. Keep track of each relationship, including document, quoted text, and page number. Then conduct an enterprise workshop to validate the matrices.
Procedure

Gather knowledge from enterprise SMEs to find out what questions the business management has.

Analyze each question to understand which columns are involved to answer the questions, and which columns need to be mapped to which others.

This analysis determines which hierarchies and matrices are needed.

Vet the results with the customer leads.

Procedure

Most of the work is conducted outside of meetings. Meetings are used to organize the overall efforts.

The Methodology SME advises on what information to collect to answer the business questions.

The Task Lead directs the team to perform the mining.

Obtain as much enterprise documentation as possible.

Choose a column and go through each document to find examples. Keep a list of what you find, the enterprise’s text defining it, and the document and page number where it’s located (for traceability).

Completing document mining for all the interrogatives will populate Row 1.

Vet the results with the customer leads, after hierarchy formation.
Background

Interviews are weak data: the information depends on one person’s opinion, which varies by their personal situation each day.

Customer documents are usually multi-person products that are vetted.

The EA consultant always maintains traceability to the document sources.
Preparation

Put the names of the primitive entities generated by document mining onto sticky notes, or print them in a large font and cut them into separate pieces.

28-point Times New Roman works for a tabletop.

72-point Times New Roman works for a sticky wall.

Include some information that ties each primitive back to the Excel listing (the row number) or the source document (document name and page number).

Procedure

Play a cards-on-the-wall exercise with small groups and organize each list of primitives from the document mining into a hierarchy, possibly inventing some new categories in the middle of the tree.

Redraw this electronically and print it as a readable poster. When complete, you have six hierarchies which populate Row 2.

Visio Hierarchy Diagram Technique

The first row should be ID 0, which is the root of the hierarchy tree.

Then all rows with Super ID 0 are directly under the root.

Each new node has a unique ID number, and nodes that use its ID as their Superior ID are child nodes.

Click Create, then click Next and then click Finish.
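The ID / Superior ID rows that the Visio technique expects are easy to get wrong when they come from a spreadsheet, so as an added Python example (not from the slides or from Visio) here is a checker that validates such rows (ID 0 root, unique IDs, no dangling Superior IDs, no cycles) and renders the resulting Row 2 hierarchy as an indented outline with each node's source reference for traceability. The rows, role names and document references are constructed.

```python
from collections import defaultdict

# Constructed hierarchy rows: (ID, Superior ID, name, source reference).
# Names and document references are invented for illustration.
ROWS = [
    (0, None, "Roles (Who)", "root"),
    (1, 0, "Executives", "Org Chart p.2"),
    (2, 0, "Business Management", "Org Chart p.3"),
    (3, 2, "Risk Executive", "Security Policy p.4"),
    (4, 2, "Compliance Lead", "Security Policy p.5"),
    (5, 1, "CISO", "Org Chart p.2"),
]


def validate_rows(rows):
    """Return a list of problems (empty when the rows form one proper tree):
    duplicate IDs, a first row that is not the ID 0 root, Superior IDs that
    refer to no row, and cycles in the Superior ID chain."""
    problems = []
    ids = [r[0] for r in rows]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ID")
    if rows[0][0] != 0 or rows[0][1] is not None:
        problems.append("first row must be ID 0 with no Superior ID")
    known = set(ids)
    parent = {r[0]: r[1] for r in rows}
    for rid, sup in parent.items():
        if rid != 0 and sup not in known:
            problems.append(f"ID {rid}: Superior ID {sup} does not exist")
    for rid in ids:
        seen, cur = set(), rid
        while cur is not None and cur in parent:  # walk up toward the root
            if cur in seen:
                problems.append(f"cycle through ID {rid}")
                break
            seen.add(cur)
            cur = parent[cur]
    return problems


def build_children(rows):
    """Map each ID to the IDs that name it as their Superior ID, in row order."""
    children = defaultdict(list)
    for rid, sup, _name, _ref in rows:
        if sup is not None:
            children[sup].append(rid)
    return children


def render_outline(rows):
    """Indented outline of the hierarchy, each node tagged with its source ref."""
    names = {r[0]: (r[2], r[3]) for r in rows}
    children = build_children(rows)
    lines = []

    def walk(rid, depth):
        name, ref = names[rid]
        lines.append("  " * depth + f"{name} [{ref}]")
        for child in children[rid]:
            walk(child, depth + 1)

    walk(0, 0)
    return lines


if __name__ == "__main__":
    for problem in validate_rows(ROWS):
        print("PROBLEM:", problem)
    print("\n".join(render_outline(ROWS)))
```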
Background

The customer review team is a larger group than the customer leads, whose consensus will be required to proceed to implementing the problem solution.

The purpose of this workshop is to share information and build consensus by soliciting input into the solution.

Preparation

Create large-format posters for the hierarchies.

Prepare headings and items for the sticky wall.

72-point Times New Roman works for a sticky wall.

Include some information that ties each sticky wall item back to its definition.

Procedure

Bring the posters and some binders with the Row 1 definitions to a workshop with enterprise stakeholders.

Have the enterprise take ownership of the meeting and walk through each hierarchy validating the models.

This workshop is usually done with one hierarchy at a time.

Background

Matrices are composite models that show relationships and effects between columns of the Zachman Framework.

Preparation

Reuse the documents collected for document mining.

Procedure

Carefully review the documents for cross-column relationships, that is, a sentence involving more than one column, for example, a role and a process.

Keep track of each relationship, including document, quoted text, and the page number.

Then conduct an enterprise workshop to validate the matrices.
Background

The widely used meeting procedure called nominal group technique is only slightly varied here: the ideas are collected anonymously and redistributed instead of having each person read his or her idea in a round robin.

Preparation

The facilitator and business owner prepare a seed question that is written on a flipchart. The facilitator brings slips of paper, spare pens, and a wastebasket.

Procedure

The facilitator explains the technique and distributes slips of paper. The group silently writes responses to the question for a set period, typically 5 or 10 minutes.

The facilitator directs the group to crumple up their ideas and throw them into the wastebasket, which the facilitator playfully carries, trying to make a game of it.

The facilitator then redistributes the slips of paper randomly, and the papers are read aloud round robin. As the papers are read, they are recorded on the flipchart by the facilitator or someone in the recorder role.

The ideas are then numbered. The facilitator asks people to define the ideas, and asks if there are any duplicates or ideas that should be combined. The final step is to take a straw poll.

Have people pick the best two or three ideas; the facilitator calls for the votes and records the results.

Review and conduct a focused discussion of the priorities generated. The discussion could then transition to action planning.
Minipatterns for Problem Solving Meetings

These minipatterns are additional techniques to round out your meeting facilitation skills.

Techniques such as breakouts and the idea parking lot are classic approaches for conducting effective meetings.

Get Organized

If you have no agenda, brainstorm these two questions on a flipchart:
■ Why are we here?
■ What outcomes do we want?

Breakouts

Meetings are least productive when only one person talks and everyone else does nothing but listen and take notes.

In general, people’s creativity is inhibited in groups larger than five.

The facilitator can ask that the group form small discussions to address a particular question, and then have them report back their conclusions subgroup by subgroup.

Another approach is to quickly generate a list of topics or concerns and then have each breakout take one problem to solve as a subgroup before debriefing the general session.

Flipcharts

Unlike a computer or a whiteboard, flipcharts give a group unlimited space for creativity.

When a page of a flipchart is filled, it is moved and taped to a nearby wall.

Flipcharts are group notes; people do not need to be taking their own notes. They can have their heads up and be fully engaged in the meeting.

Flipcharts are also highly portable, unlike whiteboards.

Time Management

If you plan an agenda, plan the time of each meeting topic, and stick to it. Or ask the group if they want to extend the time.

Assign a timekeeper to remind the group.

Make sure there is a highly visible clock in the meeting room.

Time consciousness keeps people focused on problem solving.

Ground Rules

Have some ground rules for each meeting so that distractions are minimized and the group doesn’t waste time.

Idea Parking Lot

Post a separate flipchart to capture ideas that are outside the meeting’s purpose.

Revisit these ideas at the end of the meeting and decide as a group how they should be addressed.