06 - Information Security Best Practices

Uploaded by howiee0730

UCCN 1213 / UCCN1223

Information Security Best Practices
Well-known Cybersecurity Breaches

• Panama Papers (2016)
• SolarWinds Supply Chain Attack
• Pandora Papers (2021)
• Malaysia - JPN user database for sale on the Dark Web (https://says.com/my/tech/jpn-database-has-allegedly-been-leaked-with-4-million-citizens-info-selling-for-rm35k)
Panama Papers

• 11.5 million leaked documents (2.6 terabytes of data), published beginning on April 3, 2016
• Detailed financial and attorney–client information for more than 214,488 offshore entities
• The documents contain personal financial information about wealthy individuals and public officials that had previously been kept private
• Taken from the former Panamanian offshore law firm and corporate service provider Mossack Fonseca
• The documents were leaked anonymously to the German newspaper Süddeutsche Zeitung (SZ)
• Most of the documents showed no illegal actions, but some of the shell corporations set up by Mossack Fonseca had been used for fraud, tax evasion, or avoiding international sanctions
• At least 1,784 Malaysian individuals or master clients and another 517 offshore entities are listed
Panama Papers – Security Analysis

• The company had not been encrypting its emails and appears to have been running a three-year-old version of Drupal (web content management system) with several known vulnerabilities
• The content management system had not been secured against SQL injection, a well-known database attack vector, and the customer database was reportedly accessible because of this
• The network architecture was also inherently insecure: the email and web servers were not segmented from the client database in any way
• Some parts of the site may have been running WordPress with an out-of-date version of Slider Revolution, a plugin whose previously announced vulnerabilities are well documented
• The client login portal was running four different government-grade remote access trojans (RATs), i.e. software containing backdoors into the system
• Too many open ports into their infrastructure, and Internet access to their archive server, due to weak security
SolarWinds Supply Chain Attack

• Initial access is speculated to have been through an exposed server, unpatched software, or even simple account takeover using password spraying (brute force exploiting weak passwords) or stolen credentials
• Once inside, the attackers were able to modify the build process and inject malicious code into versions of SolarWinds' Orion software platform released between March and June of 2020
• SolarWinds Orion software updates delivered the SUNBURST trojan to more than 18,000 customers, including major enterprises and government agencies
• Attackers used their access to steal identities and tokens to impersonate real users, sidestep multi-factor authentication, and extend their foothold within affected networks
Pandora Papers

• 11.9 million leaked documents (2.9 terabytes of data) that the International Consortium of Investigative Journalists (ICIJ) published beginning on 3 October 2021
• The leak exposed the secret offshore accounts of 35 world leaders, including current and former presidents, prime ministers, and heads of state, as well as more than 100 billionaires, celebrities, and business leaders
• The leaked files come from 14 offshore service providers that help clients establish companies in secrecy jurisdictions
• More than 600 journalists in 117 countries have been trawling through the files
• Several high-profile Malaysian officials are listed in the leaked files
JPN user database for sale on the Dark Web

• Alleged JPN database leak leaves 4 million citizens' info being sold for RM35,500
• The data is currently listed for sale on a "database sharing and marketplace forum"
• The website (on the dark web) is only accessible after using a virtual private network (VPN)
• Total data is almost 4 million records (31.8 GB), grouped by birth year from 1998 back to 1979
Questions to Consider

• Who are the victims?
  - The high-profile officials whose offshore account information was exposed by the Panama Papers / Pandora Papers?
  - Customers of SolarWinds? (e.g. Microsoft, Cisco, Intel, several US federal departments)
  - The hacked organizations, e.g. SolarWinds, Mossack Fonseca, JPN?
• Who has committed an offence?
  - The state-sponsored hackers?
  - The hacked organizations, because they did not sufficiently secure their systems?
  - The high-profile officials whose offshore account information was exposed by the Panama Papers / Pandora Papers?
Legal Issues – Actions from the federal/national level

Cybersecurity Laws in Malaysia

• Copyright (Amendment) Act 1997
  - Makes unauthorised transmission of copyright works over the Internet an infringement of copyright
  - It is also an infringement of copyright to circumvent any effective technological measures aimed at restricting access to copyright works
• Computer Crimes Act 1997
  - Deals with unauthorised access to computer material, unauthorised access with intent to commit other offences, and unauthorised modification of computer contents
• Digital Signature Act 1997
  - Provides a framework for the licensing and regulation of Certification Authorities, and gives legal recognition to digital signatures
• Telemedicine Act 1997
• Communications and Multimedia Act 1998
• Electronic Commerce Act 2006
• Electronic Government Activities Act 2007
• Personal Data Protection Act 2010
  - Regulates the processing of personal data in commercial transactions
Relevant U.S. Laws

• Computer Fraud and Abuse Act of 1986 (CFA Act):
  - 18 U.S. Code § 1030 - Fraud and related activity in connection with computers
  - Computer espionage
  - Computer trespassing
  - Committing fraud with a computer
  - Damaging a protected computer (including viruses, worms)
  - Trafficking in passwords
  - Threatening to damage a protected computer
  - Conspiracy to violate
• Identity Theft
  - Federal Trade Commission: "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes"
  - Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Title 18, U.S.C. § 1028)
• Digital Millennium Copyright Act (DMCA)
  - U.S. contribution to the international effort to reduce the impact of copyright, trademark, and privacy infringement
  - Prohibits:
    - Circumvention of protections and countermeasures
    - Manufacture and trafficking of devices used to circumvent such protections
  - Prohibits altering information attached to or embedded in copyrighted material
Relevant Cybersecurity Regulatory Agency/Body in Malaysia

• CyberSecurity Malaysia
  - Digital forensics
  - Information security certification body
  - Information security management & assurance
  - Research
  - Cryptography development
• Malaysian Communications and Multimedia Commission
  - Implements and enforces the provisions of the communications and multimedia law
  - Regulates all matters relating to communications and multimedia activities
  - Supervises and monitors communications and multimedia activities
Malaysia Board of Technologists (MBOT)

• The Malaysia Board of Technologists (MBOT) is a professional body established in 2015 that gives professional recognition to technologists and technicians in related technology and technical fields
• UTAR FICT graduates are eligible to register under MBOT as a Graduate Technologist
• Vision: To be a world-class professional body for technologists and technicians
• Mission: To elevate the standing, visibility and recognition of technologists and technicians
• Objective: To increase the pool of skilled workforce required to attain a high-income economy, and to protect public safety and health
International Professional Bodies

• Association for Computing Machinery (ACM)
  - Established in 1947 as "the world's first educational and scientific computing society"
  - Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property
• System Administration, Networking, and Security Institute (SANS)
  - Professional organization with a large membership dedicated to the protection of information and systems
  - SANS offers a set of certifications called Global Information Assurance Certification (GIAC)
Key U.S. Federal Agencies

• Department of Homeland Security (DHS)
  - Made up of five directorates, or divisions
  - Mission is to protect the people as well as the physical and informational assets of the US
• Federal Bureau of Investigation's National InfraGard Program
  - Maintains an intrusion alert network
  - Maintains a secure Web site for communication about suspicious activity or intrusions
  - Sponsors local chapter activities
  - Operates a help desk for questions
• National Security Agency (NSA)
  - Is the nation's cryptologic organization
  - Protects US information systems
  - Produces foreign intelligence information
  - Responsible for signals intelligence and information system security
• U.S. Secret Service
  - In addition to protective services, charged with the detection and arrest of persons committing a federal offense relating to computer fraud or false identification
Cross-Border Enforcement

• Two men held in Perak to be extradited to US over cybercrime - Bukit Aman (https://www.astroawani.com/berita-malaysia/two-men-held-perak-be-extradited-us-over-cybercrime-bukit-aman-259874)
  - Extradition Act 1992, Article 11(4) of the Extradition Treaty
  - Wanted by the US authorities for committing the crime in that country
  - The two suspects were allegedly running an illegal business selling gaming artefacts such as kit and credit in the United States
• Romanian Cybercrime Suspects Extradited to Face US Charges (https://www.bankinfosecurity.com/romanian-cybercrime-suspects-extradited-to-face-us-charges-a-9594)
  - Three Romanian men accused of running a cybercrime ring that used custom-built "Bayrob" malware and money mules to steal at least $4 million from victims have been extradited to face charges in the United States
  - They were extradited to the United States following an eight-year investigation led by the FBI, which included assistance from the Romanian National Police
IT Risk Management

1) How much should an organization/company invest in cybersecurity?
2) How much should be done to prevent a cyberattack?
An Overview of Risk Management

• Know yourself: identify, examine, and understand the information and systems currently in place
• Know the enemy: identify, examine, and understand the threats facing the organization
• It is the responsibility of each department/division within an organization to manage the risks it encounters

[Figure 4-1 Components of Risk Management]
Risk Identification

• Risk management involves identifying, classifying, and prioritizing an organization's assets
• A threat assessment process identifies and quantifies the risks facing each asset
• Components of risk identification:
  - People
  - Procedures
  - Data
  - Software
  - Hardware
Information Asset Valuation

• The following questions help develop criteria for asset valuation. Which information asset:
  - Is most critical to the organization's success?
  - Generates the most revenue/profitability?
  - Would be most expensive to replace or protect?
  - Would be the most embarrassing or cause the greatest liability if revealed?
Identifying and Prioritizing Threats

• Realistic threats need investigation; unimportant threats are set aside
• Threat assessment:
  - Which threats present danger to assets?
  - Which threats represent the most danger to information?
  - How much would it cost to recover from an attack?
  - Which threat requires the greatest expenditure to prevent?
Risk Assessment

• Risk assessment evaluates the relative risk for each vulnerability
• Assigns a risk rating or score to each information asset
• The goal is to create a method for evaluating the relative risk of each listed vulnerability
Likelihood

• The probability that a specific vulnerability will be the object of a successful attack
• Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1 and 100
• Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list
• Use the selected rating model consistently
• Use external references for values that have been reviewed/adjusted for your circumstances
Risk Determination

• For the purpose of relative risk assessment:
  Risk EQUALS the likelihood of vulnerability occurrence
  TIMES value (or impact)
  MINUS the percentage of risk already controlled
  PLUS an element of uncertainty

Example

• Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate.
• Asset A: risk rating of vulnerability 1:

Risk = likelihood × asset value – current control % + uncertainty %
Risk = (1.0 × 50) – ((1.0 × 50) × 0.0) + ((1.0 × 50) × 0.1) = 55
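The same formula as a small script, added here as an example (it is not from the slides). It reproduces the worked figure above and, as an assumption of the example, extends it to a constructed register of several vulnerabilities so they can be ranked by relative risk; the asset names, values and the two extra entries are made up.

```python
"""Relative risk rating for a listed vulnerability, following the slide's formula:

    Risk = (likelihood x value) - (likelihood x value) x controlled + (likelihood x value) x uncertainty

where `controlled` is the fraction of the risk that existing controls already
remove and `uncertainty` = 1 - (accuracy of the assumptions and data).
Added example; the asset register below is constructed, not from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    label: str
    asset_value: float   # relative value / impact score of the asset
    likelihood: float    # 0.1 (low) .. 1.0 (high); zero-likelihood items are not listed
    controlled: float    # fraction of the risk already controlled, 0.0 .. 1.0
    accuracy: float      # confidence in assumptions and data, 0.0 .. 1.0


def risk_rating(asset_value, likelihood, controlled=0.0, accuracy=1.0):
    """Return the relative risk score; raises on values outside the slide's ranges."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must lie between 0.1 (low) and 1.0 (high)")
    if not (0.0 <= controlled <= 1.0 and 0.0 <= accuracy <= 1.0):
        raise ValueError("controlled and accuracy are fractions in [0, 1]")
    base = likelihood * asset_value          # likelihood x value (impact)
    uncertainty = 1.0 - accuracy             # 90 % accurate -> 10 % uncertainty
    return base - base * controlled + base * uncertainty


def rank_vulnerabilities(register):
    """Rate every entry and return (label, risk) pairs, highest risk first."""
    rated = [(v.label, risk_rating(v.asset_value, v.likelihood, v.controlled, v.accuracy))
             for v in register]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


# Constructed register: the first entry reproduces the slide's worked example (-> 55).
SAMPLE_REGISTER = [
    Vulnerability("Asset A / vuln 1", asset_value=50, likelihood=1.0, controlled=0.0, accuracy=0.9),
    Vulnerability("Asset B / vuln 2", asset_value=100, likelihood=0.5, controlled=0.5, accuracy=0.8),
    Vulnerability("Asset B / vuln 3", asset_value=100, likelihood=0.1, controlled=0.0, accuracy=1.0),
]

if __name__ == "__main__":
    for label, risk in rank_vulnerabilities(SAMPLE_REGISTER):
        print(f"{label:<18} {risk:6.1f}")
```

Ranking the register shows why the uncertainty term matters: the second entry has double the asset value of the first, yet its existing controls and lower likelihood leave it with a lower relative risk.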
Identify Possible Controls

• For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas
• Residual risk is the risk that remains to an information asset even after existing controls have been applied
• There are three general categories of controls:
  - Policies
  - Programs
  - Technologies
Risk Control Strategies

• Five strategies to control risk:
  - Defend - Apply safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
  - Transfer - Transfer the risk to other areas or to outside entities
  - Mitigate - Reduce the impact should the vulnerability be exploited
  - Accept - Inform themselves of all of the consequences and accept the risk without control or mitigation
  - Terminate
Defend

• Attempts to prevent exploitation of the vulnerability
• The preferred approach
• Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards
• Three common methods of risk avoidance:
  - Application of policy
  - Training and education
  - Applying technology
Transfer

• Control approach that attempts to shift risk to other assets, processes, or organizations
• If the organization lacks the expertise in-house, it should hire individuals/firms that provide security management and administration expertise
• The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks
Mitigate

• Attempts to reduce the impact of vulnerability exploitation through planning and preparation
• The approach includes three types of plans:
  - Incident response plan (IRP): defines the actions to take while an incident is in progress
  - Disaster recovery plan (DRP): the most common mitigation procedure
  - Business continuity plan (BCP): encompasses continuation of business activities if a catastrophic event occurs
Accept

• Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
• Valid only when the particular function, service, information, or asset does not justify the cost of protection
Terminate

• Directs the organization to avoid those business activities that introduce uncontrollable risks
• May seek an alternate mechanism to meet customer needs
Feasibility Studies

• Before deciding on a strategy, all information about the economic/noneconomic consequences of the vulnerability of the information asset must be explored
• A number of ways exist to determine the advantage of a specific control
Cost Benefit Analysis (CBA)

• Begun by evaluating the worth of the assets to be protected and the loss in value if they are compromised
• The formal process to document this is called cost benefit analysis or economic feasibility study
• Items that affect the cost of a control or safeguard include: cost of development or acquisition; training fees; implementation cost; service costs; cost of maintenance
• Benefit: the value an organization realizes by using controls to prevent losses from a vulnerability
Cost Benefit Analysis (CBA) (cont'd.)

• Asset valuation: the process of assigning a financial value or worth to each information asset
• The result of the process is an estimate of potential loss per risk
• Expected loss per risk is stated in the following equation:
  - Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)
  - SLE = asset value × exposure factor (EF)

Source: CCNA Security (Study Guide), Tim Boyles
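The SLE and ALE equations worked through in code, added here as an example and not taken from the slides or the cited study guide. The scenario numbers (asset value, exposure factors, occurrence rates, control costs) are constructed. The net-benefit step, which compares the ALE before and after a control with the control's annual cost, is an assumption of the example that follows the "benefit" definition on the previous slide; the slide itself only states the two equations.

```python
"""Cost-benefit figures from the slide's equations:

    SLE = asset value x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)

Added example with constructed numbers. The net-benefit step (ALE before the
control, minus ALE after it, minus the control's annual cost) is an assumption
added here to show how the "benefit" of a control can be compared with its cost.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: money lost in one incident; EF is the fraction of the asset's value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction in [0, 1]")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE: expected loss per year; ARO is how many times per year the loss occurs."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def control_cost_benefit(asset_value, before, after, annual_control_cost):
    """Compare ALE without and with a control. `before`/`after` are (EF, ARO) pairs.

    Returns both ALE figures and the net annual benefit; a positive net benefit
    means the control pays for itself (assumed decision rule of this example)."""
    ale_before = annualized_loss_expectancy(asset_value, *before)
    ale_after = annualized_loss_expectancy(asset_value, *after)
    net = ale_before - ale_after - annual_control_cost
    return {"ale_before": ale_before, "ale_after": ale_after,
            "annual_control_cost": annual_control_cost, "net_benefit": net,
            "economically_feasible": net > 0}


# Constructed scenario: a customer database valued at 200,000; a breach is expected
# to destroy 25 % of that value (EF = 0.25) about once every two years (ARO = 0.5).
ASSET_VALUE = 200_000
CURRENT = (0.25, 0.5)
# Candidate controls (constructed), each as (EF after, ARO after, annual cost).
CONTROLS = {
    "patching + WAF": (0.25, 0.1, 8_000),    # cuts frequency, not impact
    "managed SOC": (0.10, 0.1, 25_000),      # cuts both, but costs more
}


def evaluate_controls(asset_value=ASSET_VALUE, current=CURRENT, controls=CONTROLS):
    """Run the comparison for every candidate control."""
    return {name: control_cost_benefit(asset_value, current, (ef, aro), cost)
            for name, (ef, aro, cost) in controls.items()}


if __name__ == "__main__":
    for name, result in evaluate_controls().items():
        print(f"{name:<16} ALE {result['ale_before']:>8,.0f} -> {result['ale_after']:>7,.0f}  "
              f"net benefit {result['net_benefit']:>8,.0f}")
```

In the constructed scenario the cheaper control brings the ALE down from 25,000 to 5,000 for 8,000 a year and is worth buying, while the more thorough control reduces losses further but costs more than it saves, which is exactly the comparison the CBA is meant to surface.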
Benchmarking and Best Practices

• An alternative approach to risk management
• Benchmarking: the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate
• One of two measures is typically used to compare practices:
  - Metrics-based measures: comparisons based on numerical standards, such as:
    - Numbers of successful attacks
    - Staff-hours spent on systems protection
    - Dollars spent on protection
    - Numbers of security personnel
    - Estimated losses in dollars of information due to successful attacks
    - Loss in productivity hours associated with successful attacks
  - Process-based measures:
    - Generally less number-focused and more strategic than metrics-based measures
    - The primary focus is the method the organization uses to accomplish a particular process, rather than the outcome
Policy and Risk Management

What can be done to defend against, minimize, or mitigate cyberattacks?
Function of Policy

• Defines what security should be within an organization
  - Defines the proper mechanisms to use to protect information and systems, e.g. configurations on computer systems
  - Defines how employees should perform security-related duties
  - Defines how employees are expected to behave when using organization computer systems
  - Defines how the organization should react when things do not go as expected
Policies

• Many different types of policies and procedures are available:
  - Information policy
  - Security policy
  - Computer usage policy
  - Internet usage policy
  - E-mail policy
  - Backup policy
  - User management procedure
  - System administration procedure
  - Incident response procedure
Information Policy

• Defines what is considered sensitive information within an organization and how that information should be protected
  - For an organization: payroll and medical insurance information, company financial information
  - For a university: students' records, examination questions, teaching records
• Example: information accessible to lecturers vs. information accessible to students in the university
Security Policy – user control

• Defines how a system or network administrator should configure a system securely
  - Requirements in the policy should be communicated to the general user community
• The security policy should define how users will be identified, such as by user IDs
  - It should also define the authentication mechanism to be used for normal system users and administrators
  - If passwords are used, the policy should also define the minimum password length, the maximum and minimum password ages, and password content requirements
• Example: Lecturer ID card vs Student ID card, Lecturer login vs Student login
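The password rules the slide says a security policy must define (minimum length, maximum and minimum age, content requirements), turned into a checker an administrator could run over accounts. This is an added example, not the course's or any product's code; the policy values (12 characters, three character classes, 90-day maximum age, 1-day minimum age) and the sample accounts are constructed.

```python
"""Checker for the user-control part of a security policy: password content and
password age rules. Added example; the policy values and sample inputs are constructed."""
from datetime import date

# Constructed policy covering the four items the slide lists.
POLICY = {
    "min_length": 12,
    "min_classes": 3,     # of: upper, lower, digit, symbol
    "max_age_days": 90,   # must be changed at least this often
    "min_age_days": 1,    # may not be changed again sooner than this (stops cycling back to an old password)
}


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def content_violations(password, policy=POLICY):
    """Return the list of content rules the password breaks (empty = compliant)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if character_classes(password) < policy["min_classes"]:
        problems.append(f"uses fewer than {policy['min_classes']} character classes")
    return problems


def age_status(last_changed, today, policy=POLICY):
    """Dates are ISO strings. 'expired' if past the maximum age, 'locked' if still
    inside the minimum age (a change would be refused), otherwise 'ok'."""
    age_days = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age_days > policy["max_age_days"]:
        return "expired"
    if age_days < policy["min_age_days"]:
        return "locked"
    return "ok"


def check_account(password, last_changed, today, policy=POLICY):
    """Combine both checks for one account, as an administrator's review script would."""
    return {"content": content_violations(password, policy),
            "age": age_status(last_changed, today, policy)}


if __name__ == "__main__":
    # Constructed accounts: a student login with a weak, just-set password and a
    # lecturer login whose strong password is overdue for rotation.
    for name, pw, changed in [("student01", "abc123", "2024-04-15"),
                              ("lecturer07", "Correct-Horse-Battery9", "2023-12-01")]:
        print(name, check_account(pw, changed, today="2024-04-15"))
```

Note that a real system never stores the plaintext needed for `content_violations`; the content check belongs at the moment the user sets the password, while the age check can run against the stored change date at any time.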
Security Policy – file control

• Should define the standard requirements for file access controls. Two requirements should be defined:
  - User-defined access control
    - Must be available for each file on a computer system and should work with the authentication mechanism to make sure that only authorized users can gain access to files
    - Allows specifying which users have read, write, and execute permission on files
• Example: Any files from a company's workstation that are transferred/copied to an external drive/network/email (outside the company's domain) are automatically encrypted
Security Policy - audit

• Define the types of events to be audited on all systems. Normally, the following events are audited:
  - Logins (successful and failed)
  - Logouts
  - Failed access to files or system objects
  - Remote access (successful and failed)
  - Privileged actions (those performed by administrators, both successes and failures)
  - System events (such as shutdowns and reboots)
• The security policy should specify:
  - How long the audit records should be kept and how they should be stored
  - How they should be reviewed and examined, including how often
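A review script over the event categories the slide lists, added here as an example (it is not from the slides). The log format and the ten audit lines are constructed; the failed-login threshold and the one-year retention figure are assumed values standing in for what a real policy would specify.

```python
"""Review of audit records against the event categories the slide lists.
Added example; the log format and lines below are constructed, not a real system's."""
from collections import Counter
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 3   # constructed: flag a user at this many failed logins
RETENTION_DAYS = 365         # constructed: how long the policy keeps audit records

# Constructed audit trail: "<timestamp> <host> <event> <OK|FAIL> key=value ..."
SAMPLE_LOG = """\
2024-05-02T08:01:12 srv1 login FAIL user=alice src=10.0.0.5
2024-05-02T08:01:20 srv1 login FAIL user=alice src=10.0.0.5
2024-05-02T08:01:31 srv1 login FAIL user=alice src=10.0.0.5
2024-05-02T08:02:02 srv1 login OK user=alice src=10.0.0.5
2024-05-02T08:05:44 srv1 privileged OK user=root action=useradd
2024-05-02T08:06:10 srv1 file_access FAIL user=bob object=/etc/shadow
2024-05-02T09:15:00 srv2 remote_access FAIL user=carol src=203.0.113.9
2024-05-02T09:15:30 srv2 remote_access OK user=carol src=203.0.113.9
2024-05-02T18:00:00 srv2 system OK action=reboot
2024-05-02T18:30:00 srv1 logout OK user=alice
"""


def parse_line(line):
    """Split one record into fixed fields plus whatever key=value pairs it carries."""
    ts, host, event, result, *pairs = line.split()
    record = {"time": datetime.fromisoformat(ts), "host": host, "event": event, "result": result}
    record.update(pair.split("=", 1) for pair in pairs)
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Findings a reviewer should look at: repeated failed logins, every privileged
    action (success or failure), failed object access, and failed remote access."""
    findings = []
    failed_logins = Counter(r["user"] for r in records
                            if r["event"] == "login" and r["result"] == "FAIL")
    for user, count in failed_logins.items():
        if count >= threshold:
            findings.append(f"{count} failed logins for {user}")
    for r in records:
        if r["event"] == "privileged":
            findings.append(f"privileged action on {r['host']} by {r['user']}: {r['action']} ({r['result']})")
        elif r["event"] == "file_access" and r["result"] == "FAIL":
            findings.append(f"failed access by {r['user']} to {r['object']}")
        elif r["event"] == "remote_access" and r["result"] == "FAIL":
            findings.append(f"failed remote access by {r['user']} from {r['src']}")
    return findings


def records_past_retention(records, today, retention_days=RETENTION_DAYS):
    """Records older than the retention period (today as an ISO string): candidates
    for archiving or disposal according to the storage rules the policy sets."""
    cutoff = datetime.fromisoformat(today) - timedelta(days=retention_days)
    return [r for r in records if r["time"] < cutoff]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in review(recs):
        print("-", finding)
    print(len(records_past_retention(recs, "2025-06-01")), "records past retention")
```

The successful login that follows alice's three failures is the case worth noticing during review: the policy's "successful and failed" wording for logins exists precisely so that a success after a burst of failures is visible in the same record set.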
Security Policy - network

• Should specify the rules for network connectivity
• Example: use of a VPN to access the university's library database
• For permanent network connections:
  - A firewall should be used to protect the internal network
  - The policy should define a basic network access control policy to be implemented on the firewall
• Example: All network connections within the university's campus have to go through the proxy server
Security Policy - antivirus

• Should specify details about security programs (antivirus software):
  - Installed at locations such as file servers and e-mail servers
  - Requirement for security programs to examine specific file types and to check files when they are opened or on a scheduled basis
  - Require updates of signatures for security programs on a periodic basis
Security Policy – data security

• Should define acceptable encryption algorithms for sensitive data
  - For use within the organization to protect sensitive information
  - Should also specify the required procedures for key management
Internet Usage Policy

• The Internet use policy defines the appropriate uses of the Internet (business sites, e-mail, etc.)
  - Can be included in the more general computer use policy or as a separate policy
  - May also define inappropriate uses (such as visiting non-business-related Web sites, downloading copyrighted software, trading music files, or sending chain letters)
• Example: Internet traffic and usage within the University are monitored
E-mail Policy

• E-mail leaving an organization may contain sensitive information
  - The policy should state under what conditions this is acceptable and refer to the information policy on how this information should be protected (encryption, etc.)
  - The organization may place a disclaimer or signature at the bottom of outgoing electronic mail to indicate that proprietary information must be protected
• Testing inbound file attachments for viruses
  - The policy should point back to the organization's security policy for the appropriate anti-virus configuration issues
• Example: Certain banking institutions in Malaysia only allow their staff to access the company's e-mail account from within the physical building
Backup Policy

• Defines how system backups are to be performed
  - Should identify how often backups actually occur: usually full backups one day per week with incremental backups taken every other day
  - An incremental backup only backs up files that have changed since the last backup, so it runs faster and takes a smaller amount of space
  - Should also point to the information policy to determine how long the files must be kept before the tape can be reused
  - Store media used for backups in a secure location
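The weekly-full-plus-daily-incremental schedule the slide describes, as an added example (not from the slides) that also works out the part the slide leaves implicit: which backups are needed to restore a given day, and when the information policy's retention period allows media to be reused. The file names, modification times, Sunday full-backup day and 28-day retention are constructed assumptions.

```python
"""Backup schedule from the slide: one full backup per week, incrementals every other
day, each incremental holding only files changed since the previous backup.
Added example; file names, times and the retention figure are constructed."""
from datetime import date, datetime, timedelta

FULL_BACKUP_WEEKDAY = 6     # Sunday (date.weekday(): Monday = 0); constructed choice
RETENTION_DAYS = 28         # constructed: what the information policy requires before media reuse

# Constructed file set: name -> last-modified time (ISO strings).
SAMPLE_FILES = {
    "report.docx": "2024-05-06T10:12:00",
    "archive.zip": "2024-05-01T09:00:00",
    "ledger.xlsx": "2024-05-07T01:30:00",
}


def backup_type(day):
    """'full' on the weekly full-backup day, otherwise 'incremental' (day as ISO string)."""
    return "full" if date.fromisoformat(day).weekday() == FULL_BACKUP_WEEKDAY else "incremental"


def files_to_back_up(files, previous_backup_time, day):
    """A full copies everything; an incremental copies only files modified since
    the previous backup of any type (which is what keeps it fast and small)."""
    if backup_type(day) == "full":
        return sorted(files)
    since = datetime.fromisoformat(previous_backup_time)
    return sorted(name for name, mtime in files.items() if datetime.fromisoformat(mtime) > since)


def restore_chain(target_day):
    """Backups needed to restore to the end of target_day: the most recent full
    plus every incremental taken since, oldest first. Losing any one of them
    breaks the restore, which is why the media go to a secure location."""
    chain, day = [], date.fromisoformat(target_day)
    while day.weekday() != FULL_BACKUP_WEEKDAY:
        chain.append(day.isoformat())
        day -= timedelta(days=1)
    chain.append(day.isoformat())
    return chain[::-1]


def media_reusable(backup_day, today, retention_days=RETENTION_DAYS):
    """True once the backup is older than the retention period the information policy sets."""
    return (date.fromisoformat(today) - date.fromisoformat(backup_day)).days > retention_days


if __name__ == "__main__":
    # Tuesday 2024-05-07: incremental relative to Monday's 02:00 backup.
    print(backup_type("2024-05-07"), files_to_back_up(SAMPLE_FILES, "2024-05-06T02:00:00", "2024-05-07"))
    print("restore 2024-05-08 needs", restore_chain("2024-05-08"))
    print("Sunday tape reusable on 2024-06-03:", media_reusable("2024-05-05", "2024-06-03"))
```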
Incident Response Procedures

• Define who has the authority, and the objectives of the organization, when handling an incident
  - Before an incident is declared, an investigation procedure should be undertaken to determine if the incident actually occurred
  - Specify an escalation procedure as more information about the event is determined, usually activation of an incident response team
  - Attempt to control the information about the incident that is released, so that it will not affect customers and should reflect positively on the organization
  - The response an organization makes to an incident is directly related to the objectives of the IRP
Design of Security Architecture

• Defense in depth
  - Implementation of security in layers
  - Requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls

Principles of Information Security, Fourth Edition

Design of Security Architecture (cont'd.)

• Firewall: a device that selectively discriminates against information flowing into or out of the organization
• DMZs: a no-man's land between the inside and outside networks where some organizations place Web servers
• Proxy servers: perform actions on behalf of another system
• Intrusion Detection Systems (IDSs): in an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement an IDS

[Figure: Defense in Depth using Firewalls, Proxy Servers, and DMZs]
Security Education, Training, and Awareness Program

• As soon as a general security policy exists, policies to implement a security education, training, and awareness (SETA) program should follow
• SETA is a control measure designed to reduce accidental security breaches
• Security education and training build on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely
• The SETA program consists of: security education; security training; and security awareness
Example: Bank Negara Risk Management in Technology

• https://www.bnm.gov.my/documents/20124/963937/Risk+Management+in+Technology+%28RMiT%29.pdf/810b088e-6f4f-aa35-b603-1208ace33619?t=1592866162078