Network Security and Management (IT624)

For MSc. IT Students

Chapter 1

Building a Secure Organization

Course Instructor: Kibreab Adane (PhD Scholar)


Building a Secure Organization

• Security?
• Information Security?
• Cybersecurity?
• Network Security?
• Enterprise Security
• Risk Management
• Security threats & countermeasures
What is Security?
• Definitions:
– Security: “the quality or state of being safe or free from danger”
– Information security: a “well-informed sense of assurance that the information
risks and controls are in balance.”
• Successful companies should have multiple security “tiers”:
– Physical security (e.g. CCTV cameras, motion sensors, intruder alarms, and smart
alerting technology such as AI-based video analytics)
– Personal security (protecting personal data such as usernames, passwords, bank
account information, credit card information, SSNs)
– Operations security (e.g. information classification, security awareness training,
encryption, conversation policies, secure locations, legal and reputational
considerations)
– Communications security (e.g. end-to-end security)
– Network security
– Information security
Balancing Information Security and Access

• Impossible to obtain perfect security: it’s a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect
against threats
Security vs. Access

Security:
• CIO: Two-factor authentication is necessary to protect private data
• Auditor: We need to comply with laws/regulations
Access:
• Student 1: I forgot my authentication device
• Student 2: It’s a hassle
What is Information Security?

• Protection of information and its critical elements, including the systems that use,
store, and transmit that information.
• Focus is protecting both “print” and electronic information or data.
• Necessary tools:
– Policy
– Awareness
– Training
– Education
– Technology
Critical Characteristics of Information

• The value of information comes from its characteristics:
– Confidentiality: only authorized parties can read it
– Integrity: (bitwise) identical to the original; not modified at rest or in transit
– Availability: of information, services, etc., to authorized users when needed
– Authenticity: “it is what it claims to be”, i.e. it genuinely comes from the claimed source
– Accuracy: free from mistakes and errors
– Utility: it is in a form that is useful for its intended purpose
– Possession: control or ownership of the information; different from confidentiality,
since an attacker can possess a copy (e.g. an encrypted file) without being able to read it
• Others:
– Auditability: there’s a record of who accessed what
– Non-repudiation: one cannot claim “I didn’t sign this”
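Integrity, authenticity and non-repudiation are easy to confuse because all three involve a check value attached to the data. The following is an added example written for these notes, not code from the slides: it shows what a bare hash gives you, what a keyed MAC adds, and why a MAC still does not give non-repudiation. The `Record` type, the shared key and the messages are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """A stored or transmitted message with two check values attached
    (constructed type for this example)."""
    data: bytes
    digest: str   # SHA-256 of data: an unkeyed integrity check
    tag: str      # HMAC-SHA-256 over data under a shared key: authenticity


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_record(key: bytes, data: bytes) -> Record:
    return Record(data, sha256_hex(data), hmac_hex(key, data))


def check(key: bytes, record: Record) -> dict:
    """Which characteristics does the record still satisfy?"""
    return {
        # Integrity: the data is bitwise identical to what the digest was computed over.
        "integrity": hmac.compare_digest(record.digest, sha256_hex(record.data)),
        # Authenticity: only a holder of `key` could have produced this tag.
        "authenticity": hmac.compare_digest(record.tag, hmac_hex(key, record.data)),
    }


def attacker_rewrites(record: Record, new_data: bytes) -> Record:
    """An attacker who can change the data can just as easily recompute an
    unkeyed hash, so a bare digest does not detect deliberate modification.
    The attacker does not hold the key, so the old tag is carried over."""
    return Record(new_data, sha256_hex(new_data), record.tag)


def demo_hash_vs_hmac() -> dict:
    key = secrets.token_bytes(32)      # shared by sender and receiver (constructed)
    original = make_record(key, b"transfer 100 EUR to account A")
    forged = attacker_rewrites(original, b"transfer 100 EUR to account B")
    return {"original": check(key, original), "forged": check(key, forged)}


def demo_hmac_is_not_non_repudiation() -> bool:
    """Sender and receiver both hold the key, so the receiver can mint a valid
    tag for a message the sender never sent. The sender can therefore deny
    it ("I didn't sign this") and nobody can prove otherwise: a MAC gives
    authenticity between the two parties but not non-repudiation."""
    key = secrets.token_bytes(32)
    minted_by_receiver = make_record(key, b"I, the sender, agree to pay 1000000 EUR")
    return check(key, minted_by_receiver)["authenticity"]
```

The forged record passes the integrity check and fails the authenticity check; the keyed tag is what turns “unchanged” into “unchanged by anyone without the key”. For non-repudiation the check value must be something only the signer can produce, i.e. a digital signature under a private key (for instance Ed25519 via the third-party `cryptography` package); the Python standard library has no asymmetric signing primitive, so the example stops at showing where the MAC’s guarantee ends.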
What is Cybersecurity?

• The practice of protecting data in digital form and internet-connected systems (mobile
devices, tablets, computers, workstations, servers, networks) from malicious actors.
• It pertains solely to protecting digital or electronic information or data.
• It is a subset of information security.
• Protection against attacks aimed at:
– Accessing, changing, or destroying sensitive information;
– Extorting money from users; or
– Interrupting normal business processes.
• Examples of cybersecurity threats: phishing, ransomware, insider threats

Cyber attack procedures (figure)
What is Network Security?

• The subset of cybersecurity designed to protect the integrity of a network and of the
data sent between devices on that network.
• Focus is protecting data in transit, i.e. data flows between devices.
• It protects the organization’s IT infrastructure (software and hardware technologies)
from all kinds of online threats.
• It protects files and directories on networked computers against misuse, hacking, and
unauthorized access.
• Firewalls, passwords, backups, encryption, anti-virus software, intrusion detection and
prevention systems (IDS/IPS), and virtual private networks (VPNs) come under network
security.
What is Enterprise Security?
• Enterprise security (ES) is about building systems that remain reliable in the face of
malice, error, or mischance.
• It involves the various technologies, tactics, and processes used to protect digital
assets against unauthorized use, abuse, or infiltration by threat actors.
• ES requires cross-disciplinary expertise, ranging from cryptography and computer
security through hardware tamper-resistance and formal methods to a knowledge of
economics, applied psychology, organizations, and the law.
• In practice ES is focused on data center, networking, and web server operations, but
technically it begins with human resources.
• Failure of such systems may endanger human life and the environment (as with nuclear
safety and control systems).
Enterprise Security Analysis Framework

Good enterprise security requires four things to come together:
• Policy: what you’re supposed to achieve.
• Mechanism: the ciphers, access controls, hardware tamper-resistance and other
machinery that you assemble in order to implement the policy.
• Assurance: the amount of reliance you can place on each particular mechanism.
• Incentive: the motive that the people guarding and maintaining the system have to do
their job properly, and also the motive that the attackers have to try to defeat your
policy.
How to ensure legitimate users are permitted access?
• By establishing the AAA model:
– Authentication: who are you? Verifying a claimed identity using one or more factors:
something you know (a password), something you have (a token or device), something
you are (a biometric)
– Authorization: what resources are you permitted to use? The method of enforcing
access policies once identity is established
– Accounting: what resources were accessed, at what time, by whom, and what
commands were issued? Measures each user’s use of system resources: login time,
data sent, data received, logout time
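The three A’s as one runnable flow. This is an added example written for these notes, not code from the slides: a small in-memory AAA server (the `AAAServer` class, its user store, policy table, and the demo users, resources and roles are all constructed for illustration) that authenticates with two factors (a salted PBKDF2 password hash for “something you know” and an RFC 6238 TOTP code for “something you have”), authorizes against a role-to-permission policy, and writes an accounting record for every decision.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # "Something you know": never store the password itself, store a slow salted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    # "Something you have": RFC 6238 time-based one-time code from a device secret.
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


@dataclass
class AAAServer:
    users: dict                                # name -> {salt, pw_hash, totp_secret, roles}
    policy: dict                               # role -> {(resource, action), ...}
    log: list = field(default_factory=list)    # accounting records

    def add_user(self, name: str, password: str, roles) -> bytes:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "pw_hash": hash_password(password, salt),
                            "totp_secret": os.urandom(20), "roles": set(roles)}
        return self.users[name]["totp_secret"]     # provisioned to the user's device

    def authenticate(self, name: str, password: str, code: str, now: int) -> bool:
        rec = self.users.get(name)
        ok = False
        if rec is not None:
            know = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
            have = hmac.compare_digest(code, totp(rec["totp_secret"], now))
            ok = know and have                     # both factors must pass
        self.log.append({"t": now, "user": name, "event": "login", "ok": ok})
        return ok

    def authorize(self, name: str, resource: str, action: str, now: int) -> bool:
        # Policy enforcement: any of the user's roles must grant (resource, action).
        roles = self.users.get(name, {}).get("roles", set())
        ok = any((resource, action) in self.policy.get(r, set()) for r in roles)
        self.log.append({"t": now, "user": name, "event": f"{action} {resource}", "ok": ok})
        return ok

    def request(self, name, password, code, resource, action, now) -> str:
        if not self.authenticate(name, password, code, now):
            return "denied: authentication"
        if not self.authorize(name, resource, action, now):
            return "denied: authorization"
        return "granted"

    def accounting(self, name: str) -> list:
        # Accounting: who did what, when, and whether it succeeded.
        return [r for r in self.log if r["user"] == name]


def demo() -> dict:
    # Constructed users, roles and resources for the demonstration.
    srv = AAAServer(users={}, policy={
        "analyst": {("reports", "read")},
        "dba": {("reports", "read"), ("hr-db", "read"), ("hr-db", "write")},
    })
    alice_device = srv.add_user("alice", "correct horse battery staple", ["analyst"])
    t = 1_700_000_000                              # fixed clock for reproducibility
    good = totp(alice_device, t)
    bad = f"{(int(good) + 1) % 1_000_000:06d}"     # a code the device did not produce
    pw = "correct horse battery staple"
    return {
        "right_factors": srv.request("alice", pw, good, "reports", "read", t),
        "wrong_totp": srv.request("alice", pw, bad, "reports", "read", t),
        "not_permitted": srv.request("alice", pw, good, "hr-db", "write", t),
        "unknown_user": srv.request("mallory", "x", good, "reports", "read", t),
        "alice_events": len(srv.accounting("alice")),
    }
```

Authorization is only attempted after authentication succeeds, which is why a wrong one-time code leaves a single “login” record and a permitted login followed by a forbidden action leaves two. In a real deployment the policy table would live in a directory or policy engine and the log would be shipped off-host so that an attacker who gains the server cannot erase their own accounting trail.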
Main Motives of Attackers:

• Disrupting a business’s continuity
• Information theft and manipulating data
• Creating chaos and fear by disrupting critical infrastructure
• Financial loss to the target
• Stealing military secrets
• Demanding ransom by blocking websites, email, or computer files
• Damaging the reputation of the target
• Propagating religious or political beliefs
Risk Management
• Risk: probability that “something bad” happens times the expected damage to the
organization
• Risk management: process of identifying and controlling the risks facing an organization
– Risk identification: process of examining an organization’s current IT security
situation
– Risk control: applying controls to reduce risks to the organization’s data and
information systems
Overview: Risk Management
“If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also
suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every
battle.” – Sun Tzu, The Art of War
This entails:
– Knowing yourself: identifying and understanding the existing information and systems
in the organization
– Knowing the enemy: identifying and understanding the threats facing the organization
Risk Identification
• Assets: anything that “has value” to the organization
– Includes people, data, computers, …
– Attackers will target these (for various reasons)
• Risk management: identifying the organization’s assets and the threats to them
(including vulnerabilities)
• Risk identification: specifying the organization’s assets and assessing their value
Identifying and Valuing Assets

• “It’s all about the bookkeeping”:
– People: who works for the organization?
– Procedures: how do employees access data?
– Data: what data does the organization store and process?
– Hardware: what computer hardware does the organization use?
– Software, networks: same questions
• Assets are then classified and categorized
– Business-critical? Moderate? Irrelevant?
– Database systems can help keep track of “stuff” (e.g. using inventory barcodes)
Identification: People, Procedures, and Data

• Harder to track people, documentation, and data than physical hardware and software
licenses
• People with experience should do so
• Record assets via a reliable data storage system
Questions:
• What information should we record for:
– People?
– Business processes?
– Data?
• What tools could we use to do so?
• How should a company manage the process of identifying
Hardware, Software, and Network Asset Identification
• Which information attributes to track depends on:
– Needs of the organization/risk management efforts
– Management needs of the information security/information technology communities
• Asset attributes to be considered: name; IP address; MAC address; element type; serial
number; manufacturer name; model/part number; software version; physical or logical
location; controlling entity
Information Classification

• Many organizations have data classification schemes (e.g. confidential, internal, public)
• Information classification approach: specific categories
– Requirements:
Each category has a specific meaning
Categories must “span the gamut” of information sensitivity levels
Categories must not overlap
– Need to determine information protection priorities
– Table metaphor: category columns, information rows
Information Valuation

• Information has varying levels of importance
• What information:
– is most critical to the organization’s success?
– generates the most revenue/profitability?
– would be most expensive to replace or protect?
– would be the most embarrassing or cause the greatest liability if revealed?
Data Classification and Management

• Military classification:
– Top Secret
– Secret
– Confidential
– Unclassified (public)
• Corporate schemes typically use fewer levels, e.g. confidential / internal use only / public
• Elaborate schemes: overkill for some organizations?
Threat Identification

• Security budgets are limited; we can only focus on practical threats
• Threat assessment:
– Which threats present danger to assets?
– Which threats are the most dangerous to information?
– How much would it cost to recover from an attack?
– Which threat requires the most money to prevent?
Security Threat Categories and Examples

Threat category                         Examples
Acts of human error or failure          Accidents, employee mistakes
Intellectual property compromise        Piracy, copyright infringement
Deliberate espionage or trespass        Unauthorized access, data collection
Deliberate information extortion        Blackmail over information disclosure
Deliberate sabotage or vandalism        Destruction of systems or information
Deliberate theft                        Illegally taking equipment or information
Deliberate software attacks             Viruses, worms, denial of service
Forces of nature                        Fires, floods, earthquakes
Deviations in service from providers    Power and Internet provider issues
Technological hardware failures         Equipment failure
Technological software failures         Bugs, code problems, unknown loopholes
Technological obsolescence              Antiquated or outdated technologies
Vulnerability Identification

• Vulnerability: a specific weakness or avenue that threat agents exploit to attack
valuable information
• Questions to ask:
– How could a threat be carried out?
– What are the organization’s assets?
– What are the organization’s vulnerabilities?
• Recommendation: assemble people from diverse backgrounds in the organization for
rounds of brainstorming meetings
• Result of this process: a list of assets and their vulnerabilities
Risk Control

• Once the ranked risk worksheet is complete, choose one of four strategies to control
each risk:
– Apply safeguards (Avoidance)
– Transfer the risk (Transference)
– Reduce impact (Mitigation)
– Understand consequences and accept the risk (Acceptance)
• Residual risk: risk “left over” after identification and control
Avoidance

• Attempts to prevent vulnerability exploitation
• Preferred approach; techniques include:
– Removing vulnerabilities
– Limiting access to assets
– Applying safeguards
• Three common methods of risk avoidance:
– Impose policy
– Educate people
– Apply technology
Transference

• Shift risk to other assets, processes, or companies
• If in-house expertise is lacking, the organization should hire expert individuals or firms
for security management
• The organization then transfers the risk associated with IT management to another
organization experienced in dealing with such risks
• Residual risk: what happens if that organization is hacked?
Mitigation
• Attempts to reduce the impact of vulnerability exploitation via planning and preparation
• The approach includes three types of plans:
– Incident Response Plan (IRP): what actions to take while an incident is in progress
– Disaster Recovery Plan (DRP): the most common of the three; how to restore systems
and data after a disaster
– Business Continuity Plan (BCP): how to keep the business running if a catastrophe
strikes the organization
Acceptance
• Doing nothing to protect against a vulnerability, accepting the outcome of its
exploitation
• Valid only when some function, service, information, or asset does not justify the
protection cost
• Risk appetite: degree to which the organization will accept risk as a trade-off against
the cost of controls
Selecting a Risk Control Strategy

• Level of threat and value of asset play a major role in selection of strategy
• Rules of thumb: controls are worth applying when
– a vulnerability exists
– attackers can exploit that vulnerability
– the attacker’s cost is less than the potential gain
– there is a substantial potential loss to the organization
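The definition of risk as probability times expected damage (the Risk Management slide) and the choice among avoidance, transference, mitigation and acceptance (the Risk Control slides and this one) can be put into one small calculation. The following is an added example written for these notes, not from the slides: it annualizes each risk as ALE = SLE x ARO, models each candidate control as a cut in likelihood (avoidance), in impact (mitigation) or in the share of the loss the organization carries (transference), picks the control with the largest positive net benefit, and otherwise falls back to acceptance, flagging residual risk that exceeds the stated risk appetite. The assets, threats, loss figures, control names and costs are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float          # single loss expectancy: expected damage per incident
    aro: float          # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        # The slide's definition: probability of "something bad" x expected damage.
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str        # "avoidance", "mitigation" or "transference"
    annual_cost: float
    aro_factor: float = 1.0   # ARO after the control, as a fraction of the original
    sle_factor: float = 1.0   # loss per incident after the control, as a fraction


def residual_ale(risk: Risk, control: Control | None) -> float:
    """Risk left over once the control is in place (the slide's 'residual risk')."""
    if control is None:
        return risk.ale
    return risk.sle * control.sle_factor * risk.aro * control.aro_factor


def net_benefit(risk: Risk, control: Control) -> float:
    """Risk removed per year minus what the control costs per year."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def decide(risk: Risk, options: list[Control], risk_appetite: float) -> dict:
    """Pick the control with the largest positive net benefit; if none pays for
    itself, accept the risk and flag it if it exceeds the risk appetite."""
    best = max(options, key=lambda c: net_benefit(risk, c), default=None)
    if best is not None and net_benefit(risk, best) > 0:
        strategy, control = best.strategy, best
    else:
        strategy, control = "acceptance", None
    left = residual_ale(risk, control)
    return {
        "asset": risk.asset, "threat": risk.threat, "ale": risk.ale,
        "strategy": strategy, "control": control.name if control else None,
        "residual_ale": left, "within_appetite": left <= risk_appetite,
    }


def plan(register: dict[Risk, list[Control]], risk_appetite: float) -> list[dict]:
    """Rank the worksheet by ALE (highest first) and decide each row."""
    ranked = sorted(register, key=lambda r: r.ale, reverse=True)
    return [decide(r, register[r], risk_appetite) for r in ranked]


def demo() -> list[dict]:
    # Constructed figures for illustration; real numbers come from asset valuation.
    db = Risk("customer database", "ransomware", sle=400_000, aro=0.3)
    web = Risk("public website", "DDoS", sle=15_000, aro=2.0)
    kiosk = Risk("lobby kiosk", "vandalism", sle=2_000, aro=0.5)
    register = {
        db: [
            Control("EDR + monthly patching", "avoidance", 50_000, aro_factor=0.3),
            Control("offline backups + tested DRP", "mitigation", 20_000, sle_factor=0.25),
            Control("cyber insurance", "transference", 40_000, sle_factor=0.4),
        ],
        web: [Control("CDN with DDoS scrubbing", "avoidance", 12_000, aro_factor=0.1)],
        kiosk: [Control("24x7 guard", "avoidance", 30_000, aro_factor=0.1)],
    }
    return plan(register, risk_appetite=5_000)
```

With the constructed figures the database row ends up with backups and a tested DRP (mitigation) rather than the more expensive detection stack, because the residual plus control cost is lowest; the website gets the scrubbing service (avoidance); the kiosk is accepted because no available control costs less than the loss it prevents. The database’s residual risk still exceeds the appetite, which is the case the slides describe as needing a second control or an explicit management sign-off rather than silent acceptance.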
Risk Handling Decision Points (figure)

Risk Control Cycle (figure)
Vulnerability, Threat, & Attack
• Vulnerability: weakness or fault that can lead to an exposure.
• Threat: generic term for objects or people that pose potential danger to assets (via
attacks)
– Management must be informed of the different threats facing the organization
– By examining each threat category, management effectively protects information
through policy, education, training, and technology controls
• Attack: act or action that exploits a vulnerability (i.e. an identified weakness) in a
controlled system
– Accomplished by a threat agent that damages or steals the organization’s information
Assignment
1) Select one research title and rigorously review five recent research articles published in
Scopus or Web of Science indexed journals. Identify the research problems, research
materials and methods used, core research findings, research contributions, and
further research work.
i) Network intrusion detection in Software Defined Networks using machine learning
and deep learning.
ii) DDoS attack detection using machine learning and deep learning.
iii) Ransomware attack detection using machine learning and deep learning.
iv) Cross-site scripting (XSS) attack detection using machine learning and deep learning.
v) Comparative study on recent technologies for securing organizations’ networks.
vi) Best strategies for securing an organization’s email and websites.
vii) Unified framework for mitigating intentional insider threats.
viii) Developing strategies to improve energy use efficiency in IoT devices.
ix) The impact of 5G technology on the development of smart city solutions.
x) The causes, consequences, and treatments of ransomware.
Thank You for your Attention!
