Lecture 1.

Principles of Cybersecurity

COURSE DATA PROTECTION & CYBERSECURITY

Sergio Pastrana
 Topics
• Introduction to Cybersecurity

• Goals of Cybersecurity

• Principles of Cybersecurity

• Security Policy

Sergio Pastrana
 Cybersecurity
Definition: The ability to protect or defend the use of cyberspace
from cyber attacks.
Cyberspace:
Environment made up of digitalized data that is created, stored
and shared.
Composed by:
Computers, systems and infrastructures.
People.
Physical systems that depend on computing and networks.

Sergio Pastrana
 Cybersecurity

Different domains of Cybersecurity

Source: ENISA. Definition of Cybersecurity - Gaps and overlaps in standardisation

4
Sergio Pastrana
 Cybersecurity
Communications security:
“Protection against a threat to the technical infrastructure of a
cyber system which may lead to an alteration of its
characteristics in order to carry out activities which were not
intended by its owners, designers or users.”

Information Security:
“Protection against the threat of theft, deletion or alteration of
stored or transmitted data within a cyber system.” ENISA
“Preservation of confidentiality, integrity and availability of
information.” ISO/IEC 27000

Sergio Pastrana
 Cybersecurity: Goals
Classical security goals: CIA Triad

ty
ali

Int
nti

eg
de

rity
CIA
nfi
Co

Availability
But also…
Privacy Authentication Access Control
Fairness
Non-repudiation Resilience
Authorization

Sergio Pastrana
 Confidentiality
• Ensuring that information is not accessed by
unauthorized persons
– Prevent unauthorised disclosure of information.
– Property of the information of being secret:
• Examples
– Send your pictures to your friend through instant
messaging app.
• You and your friend.
– Send your pictures to Facebook through social networks
• You and Facebook.
– Send your medical records to the hospital for disease
assessment.
• You and the hospital.
Sergio Pastrana
 Privacy
• Right of an individual to have some control over how
personal data is collected, used and disclosed
– EU General Data Protection Regulation (GPDR)
– Privacy policies!
• Property of your personal data being properly managed
and safeguarded
• Review of examples
– Send your pictures to your friend through instant messaging
app.
• Your friend discloses your app to everyone in you school
– Send your pictures to Facebook through social networks
• Facebook sells your data to political parties for targeted adverts
– Send your medical records to the hospital for disease
assessment
• A data breach leaks your data in public forums

Sergio Pastrana
 Privacy in Big Data scenarios

• ”I accept that anonymous data can be used for research”

• Big Data processing is highly demanding: cloud computing
• But if personal data is being sent to the cloud, how it is
protected?
• Two confronting goals:
– Full data -> Important for the processing, risk for privacy
– Partial data -> Safest from privacy, worse from accuracy
– Also, how can we trust the cloud provider?

9
Sergio Pastrana
 Integrity
• Detection (and correction) of intentional and
accidental modifications of data in a computer
system
• Various examples of modification
– Corruption of hard drive
– Changing course grades by breaking into
university records
– Transferring money from one account to another
account fraudulently

Sergio Pastrana
 Availability
• The property that a product’s services are accessible when
needed and without undue delay

• Denial of Service is the prevention of authorised access of

resources or the delaying of time-critical operations

• Distributed Denial of Service occurs when multiple sources

contribute to denial of service simultaneously

Sergio Pastrana
 Authenticity
• Ensuring that users are the persons they claim to be

• Three common factors used for authentication:

– Something you know (such as a password)
– Something you have (such as a smart card)
– Something you are (such as a fingerprint or other
biometric method)

Sergio Pastrana
 Accountability
• Audit information must be selectively kept and protected
so that actions affecting security can be traced to the
responsible party

• Users are identified and authenticated to have a basis for

access control decisions

• The security system keeps an audit log (audit trail) of

security relevant events to detect and investigate intrusions

Sergio Pastrana
 Principles of Cybersecurity
• Govern: Identifying and managing security risks.
– Know your assets, know your people, know your adversary
• Protect: Implementing security controls to reduce security
risks.
– Patch vulnerabilities, back-up data, access control policy, etc.
• Detect: Detecting and understanding cyber security events.
– Understand what is normal, and what is malicious
• Respond: Responding to and recovering from cyber security
incidents.
– Increase resilience, prompt incident response.

14
Sergio Pastrana
 Principles of Cybersecurity
Security mechanisms:
– Prevention: measures to prepare your infrastructure and
prevent your assets from being damaged
• Firewall rules, user awareness, password policy, antivirus,
encryption, etc.
– Detection: measures to analyse and detect when, how, and
by whom an asset has been damaged
• Intrusion Detection Systems, system logs, forensic analysis, etc.
– Reaction/recovery: take measures so that you can recover
your assets or mitigate the damage to your assets
• Restore backups, disable breached accounts, block connections,
etc.
– Others
• Post-incident analysis, threat-intelligence collection, staff training,
etc.

Sergio Pastrana
 Principles of Cybersecurity
Security

Functionality Usability

• Security, functionality and usability linked together ?

– Increasing Security hampers functionality & usability
– Most secure computer is the one not plugged (in and
buried in 30 cubic feet of concrete!)

Sergio Pastrana
 Principles of Cybersecurity

applications
services (middleware)
operating system
OS kernel
hardware

• Where to place security controls?

– Lower layers offer more generic control
– Higher layers allow most functionality and ease of use
(addressing individual user requirements)
Sergio Pastrana
 Cyberthreats

18
Sergio Pastrana
 Cyberthreat real-time map

Are we safe?

Who is attacking others?

https://cybermap.kaspersky.com

19
Sergio Pastrana
 Some statistics (I)

https://www.varonis.com/blog/cybersecurity-statistics/

20
Sergio Pastrana
 Some statistics (II)

21
Sergio Pastrana
 Some statistics (III)

22
Sergio Pastrana
 Some statistics (IV)

23
Sergio Pastrana
 And one fact…

24
Sergio Pastrana
 …with example

25
Sergio Pastrana
 Homework

• Search in the news for a recent (i.e., last 10-20 days)

cybersecurity-related incident.
• Analyse: type of attack, type of victim, consequences (social,
economic, reputational, etc.).
• Fill the Google form with the info:
https://forms.gle/R6iLVRkJcUZaUz4n7
• We will discuss and comment some of these in class (next
Thursday), and also in the web forum.

26
Sergio Pastrana
COURSE DATA PROTECTION & CYBERSECURITY