
Networking basics

1
Networking

• Computer network A collection of computing devices that are connected in various ways in order to communicate and share resources
Usually, the connections between computers in a network are made using physical wires or cables
However, some connections are wireless, using radio waves or infrared signals

2
Networking

• The generic term node or host refers to any device on a network
• Data transfer rate The speed with which data is moved from one place on a network to another
• Data transfer rate is a key issue in computer networks

3
Networking
• Computer networks have opened up an entire frontier in the world of computing called the client/server model

Figure 15.1 Client/Server interaction

4


Networking

• File server A computer that stores and manages files for multiple users on a network
• Web server A computer dedicated to responding to requests (from the browser client) for web pages

5
Types of Networks

• Local-area network (LAN) A network that connects a relatively small number of machines in a relatively close geographical area

6
Types of Networks

• Various configurations, called topologies, have been used to administer LANs
• Ring topology A configuration that connects all nodes in a closed loop on which messages travel in one direction
• Star topology A configuration that centers around one node to which all others are connected and through which all messages are sent
• Bus topology All nodes are connected to a single communication line that carries messages in both directions

7
Types of Networks

Figure 15.2 Various network topologies

• A bus technology called Ethernet has become the industry standard for local-area networks

8
Types of Networks

• Wide-area network (WAN) A network that connects two or more local-area networks over a potentially large geographic distance
Often one particular node on a LAN is set up to serve as a gateway to handle all communication going between that LAN and other networks
Communication between networks is called internetworking
The Internet, as we know it today, is essentially the ultimate wide-area network, spanning the entire globe

9
Types of Networks

• Metropolitan-area network (MAN) The communication infrastructures that have been developed in and around large cities

10
So, who owns the Internet?

Well, nobody does. No single person or company owns the Internet or even controls it entirely. As a wide-area network, it is made up of many smaller networks. These smaller networks are often owned and managed by a person or organization. The Internet, then, is really defined by how connections can be made between these networks.

11
Types of Networks

Figure 15.1 Local-area networks connected across a distance to create a wide-area network

12
Internet Connections

• Internet backbone A set of high-speed networks that carry Internet traffic
These networks are provided by companies such as AT&T, GTE, and IBM
• Internet service provider (ISP) A company that provides other companies or individuals with access to the Internet

13
Internet Connections

• There are various technologies available that you can use to connect a home computer to the Internet
• A phone modem converts computer data into an analog audio signal for transfer over a telephone line, and then a modem at the destination converts it back again into data
• A digital subscriber line (DSL) uses regular copper phone lines to transfer digital data to and from the phone company’s central office
• A cable modem uses the same line that your cable TV signals come in on to transfer the data back and forth

14
Internet Connections

• Broadband A connection in which transfer speeds are faster than 128 bits per second
• DSL connections and cable modems are broadband connections
• The speed for downloads (getting data from the Internet to your home computer) may not be the same as uploads (sending data from your home computer to the Internet)

15
Packet Switching
• To improve the efficiency of transferring information over a shared communication line, messages are divided into fixed-sized, numbered packets
• Network devices called routers are used to direct packets between networks

Figure 15.4 Messages sent by packet switching

16
Open Systems

• Proprietary system A system that uses technologies kept private by a particular commercial vendor
One system couldn’t communicate with another, leading to the need for
• Interoperability The ability of software and hardware on multiple machines and from multiple commercial vendors to communicate
Leading to
• Open systems Systems based on a common model of network architecture and a suite of protocols used in its implementation
17
Open Systems
• The International Organization for Standardization (ISO) established the Open Systems Interconnection (OSI) Reference Model
• Each layer deals with a particular aspect of network communication
Figure 15.5 The layers of the OSI Reference Model

18
Network Protocols
• Network protocols are layered such that each one relies on the protocols that underlie it
• Sometimes referred to as a protocol stack

Figure 15.6 Layering of key network protocols


19
TCP/IP

• TCP stands for Transmission Control Protocol
TCP software breaks messages into packets, hands them off to the IP software for delivery, and then orders and reassembles the packets at their destination
• IP stands for Internet Protocol
IP software deals with the routing of packets through the maze of interconnected networks to their final destination

20
TCP/IP (cont.)

• UDP stands for User Datagram Protocol
• It is an alternative to TCP
• The main difference is that TCP is highly reliable, at the cost of decreased performance, while UDP is less reliable, but generally faster

21
High-Level Protocols

• Other protocols build on the foundation established by the TCP/IP protocol suite
• Simple Mail Transfer Protocol (SMTP)
• File Transfer Protocol (FTP)
• Telnet
• Hyper Text Transfer Protocol (http)

22
MIME Types

• Related to the idea of network protocols and standardization is the concept of a file’s MIME type
• MIME stands for Multipurpose Internet Mail Extension
• Based on a document’s MIME type, an application program can decide how to deal with the data it is given

23
MIME Types

Figure 15.7 Some protocols and the ports they use

24
Firewalls

• Firewall A machine and its software that serve as a special gateway to a network, protecting it from inappropriate access
• Filters the network traffic that comes in, checking the validity of the messages as much as possible and perhaps denying some messages altogether
• Enforces an organization’s access control policy

25
Firewalls

Figure 15.8 A firewall protecting a LAN

26


Network Addresses

• Hostname A unique identification that specifies a particular computer on the Internet
For example
matisse.csc.villanova.edu
condor.develocorp.com

27
Network Addresses

• Network software translates a hostname into its corresponding IP address
For example
205.39.145.18

28
Network Addresses

• An IP address can be split into
• network address, which specifies a specific network
• host number, which specifies a particular machine in that network

Figure 15.9 An IP address is stored in four bytes

29
Domain Name System

• A hostname consists of the computer name followed by the domain name
• csc.villanova.edu is the domain name
• A domain name is separated into two or more sections that specify the organization, and possibly a subset of an organization, of which the computer is a part
• Two organizations can have a computer named the same thing because the domain name makes it clear which one is being referred to

30
Domain Name System

• The very last section of the domain is called its top-level domain (TLD) name

Figure 15.10 Top-level domains, including some relatively new ones

31


Domain Name System

• Organizations based in countries other than the United States use a top-level domain that corresponds to their two-letter country codes

Figure 15.11 Some of the top-level domain names based on country codes

32
Domain Name System

• The domain name system (DNS) is chiefly used to translate hostnames into numeric IP addresses
• DNS is an example of a distributed database
• If that server can resolve the hostname, it does so
• If not, that server asks another domain name server

33
History of cybersecurity
Chapter 2

34
History

• Use of cryptography to secure information dates back many thousands of years. This presentation examines the historical significance of cryptography and its use in the present day.

35
2.1 Pre World War
• The earliest recording of encryption use occurred in ancient Egypt 4000 years ago, where hieroglyphic inscriptions on the tombs of noblemen were written with a number of unusual symbols to obscure the meaning of the inscriptions.
• In 5 BC, the Spartans developed a cryptographic device called a Scytale, a cylinder in the possession of both the sender and receiver around which a message could be wound to perform a transposition of the letters.
• In 50 BC, Julius Caesar used a substitution cipher to send secret messages, where each letter was replaced by a different letter a certain distance ahead of or behind the actual letter in the alphabet.
• With evolving mathematical techniques, cryptography made great advances in the late 15th century. One of these advances was the polyalphabetic cipher, developed by the Italian Leon Battista Alberti in 1467, which uses multiple substitution alphabets.
• The most well-known polyalphabetic cipher is the Vigenère Square, created by the Frenchman Blaise de Vigenère. It was long thought to be unbreakable, but was found to be vulnerable to statistical attack in the 19th century.
• Although the roots of cryptography can be traced back thousands of years, cryptography did not garner much attention until World War I.

36
Vigenère cipher
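The cipher this slide illustrates, as an added worked example that is not part of the original slides: Vigenère encryption and decryption (a one-letter key is Caesar's shift cipher from the earlier slide), the index of coincidence that reveals the key period, and a chi-square letter-frequency test that recovers each key letter, which is the kind of statistical attack the previous slide says broke the cipher in the 19th century. The sample text, the key LEMON and the 0.055 decision threshold are constructed for this demonstration.

```python
from collections import Counter
from itertools import cycle

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Relative letter frequencies of English text in percent, A..Z (standard published values).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07]


def clean(text):
    """Classical ciphers work on letters only: drop spaces and punctuation, upper-case the rest."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter, repeating the key; a one-letter key is a Caesar cipher."""
    key = clean(key)
    out = []
    for ch, k in zip(clean(text), cycle(key)):
        shift = ALPHABET.index(k) * (-1 if decrypt else 1)
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are equal: about 0.066 for English, 0.038 for random letters."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def estimate_key_length(ciphertext, max_len=20):
    """Every k-th letter was shifted by the same key letter, so at the true period the columns look like English again."""
    ciphertext = clean(ciphertext)
    best_len, best_ic = 1, 0.0
    for k in range(1, max_len + 1):
        columns = [ciphertext[i::k] for i in range(k)]
        avg_ic = sum(index_of_coincidence(col) for col in columns) / k
        if avg_ic >= 0.055:  # constructed threshold: well above the ~0.044 a period-5 ciphertext shows as a whole
            return k
        if avg_ic > best_ic:
            best_len, best_ic = k, avg_ic
    return best_len


def chi_square(text):
    """Distance between a text's letter histogram and English letter frequencies; lower is more English-like."""
    counts = Counter(text)
    n = len(text)
    score = 0.0
    for letter, pct in zip(ALPHABET, ENGLISH_FREQ):
        expected = pct * n / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def recover_key(ciphertext, key_len):
    """Each column is a Caesar cipher: try all 26 shifts per column and keep the most English-looking one."""
    ciphertext = clean(ciphertext)
    key = []
    for i in range(key_len):
        column = ciphertext[i::key_len]
        best = min(range(26), key=lambda s: chi_square(vigenere(column, ALPHABET[s], decrypt=True)))
        key.append(ALPHABET[best])
    return "".join(key)


# Constructed sample plaintext for the demonstration (not a historical message).
SAMPLE = (
    "Early in the war many of the telegraph lines were cut and the army had to rely on wireless "
    "communication. Every wireless message could be intercepted so every message was encrypted before "
    "it was sent. The code breakers collected the intercepted traffic and studied it for patterns. "
    "Because of weaknesses in the ciphers and the capture of code books they were able to read a great "
    "deal of the diplomatic and military traffic. A cipher that repeats a short key over a long message "
    "leaks the period of the key through the statistics of the letters and once the period is known "
    "each position can be attacked as a simple shift cipher. The lesson is that the strength of a system "
    "rests on the secrecy of the key and not on the secrecy of the method."
)

if __name__ == "__main__":
    ct = vigenere(SAMPLE, "LEMON")
    period = estimate_key_length(ct)
    print("estimated period:", period, "recovered key:", recover_key(ct, period))
```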

37
2.2 World War I

• Early in World War I, many of Germany’s telegraphy lines in France and Belgium, as well as across the Atlantic, were severed. This forced Germany to rely on wireless communication or on Swedish and American lines routed through Britain.

• In addition, wireless communications were often the only way to communicate effectively with vessels at sea and armies on the move. This gave Britain and her allies many opportunities to intercept German communications and affect the course of the war. However, the Germans were aware of the high likelihood of interception and encrypted their communications.

• The British Admiralty’s Intelligence Service formed a cryptanalysis organization known as Room 40, after its location in the Old Admiralty Building. Because of weaknesses in the algorithms and material aids such as the discovery of cipher and codebooks, the Room 40 group was successful in decrypting many troop movement and diplomatic messages.

• The most notable message decrypted by Room 40 is known as the Zimmermann telegram. In January of 1917, British code-breakers William Montgomery and Nigel de Grey were given an encrypted telegram sent over Swedish lines and intercepted in Britain. Room 40 already knew the cipher and was able to decrypt enough of it to quickly realize its significance. The message was sent by the German foreign minister to Mexico declaring a start to unrestricted submarine warfare.

38
2.2 World War I

• The message also urged Mexico to invade the US and to encourage Japan to do the same. The message ultimately prompted President Woodrow Wilson to declare war on Germany in April of 1917.

• There were other uses of encryption going on during the war as well. With the known vulnerabilities of simple ciphers, armies used so-called “Trench Codes” to facilitate secret internal communications. In order to use codes, it was necessary to have codebooks to translate the meanings of the code words. Losing a codebook would render the current code useless.

• When this happened, it was possible to issue new codebooks to maintain security, but this was difficult in practice.

• In 1918, the Germans developed a new cipher that they believed was unbreakable. The cipher was a fractionating transposition cipher called ADFGX, named for the labels of the rows and columns of the checkerboard used in constructing a message. The cipher proved to be very difficult to break. The Frenchman Georges Painvin was able to decrypt some messages to gain knowledge of German activity, but the breaks were mostly a result of messages being sent with the same keys. A general solution to decrypting messages was never found during the war.

39
2.3 World War II

• Though cryptography played an important role in World War I, it played a much larger role in World War II as technologies evolved and the stakes increased.

• Between the World Wars, Germany developed the Enigma machine, an encryption device thought to be unbreakable in the 1920s. Enigma was a portable machine consisting of a keyboard, a number of rotary dials and a display. Encrypting messages involved setting the rotors, entering the message via the keyboard and observing the display. Decryption was similar in that the rotors were set and the encrypted message was entered on the keyboard. A number of different versions of Enigma machines were developed, including commercial versions.

• Early in World War II, Britain started a secret project codenamed Ultra to decrypt radio traffic and Enigma messages. Ultimately, Ultra was successful in breaking Enigma-encoded messages and led to significant military victories that shortened the course of the war. Ultra’s efforts were aided by several factors. In 1932 Polish cryptanalysts made fundamental breakthroughs, aided by copies of Enigma manuals sold by a disgruntled soldier, and were able to decipher “day keys”, allowing decryption of a single day’s message traffic. This information made its way to Britain in 1939, and because of weaknesses in the system, such as never outputting the input character and the fact that many messages contained common greeting phrases, Ultra was able to read nearly all German Enigma traffic by 1945.

40
2.3 World War II

• American efforts to decrypt Japanese message traffic also played a significant role in World War II. In 1943, the US intercepted Japanese messages sent using a cipher called JN-25. The code was found to be a subset of a US Army code used in the Spanish-American War of 1898.
• However, the Japanese did not know the code was susceptible to attack. The US Army Air Corps used intercepted messages to help in the assassination of Japanese Admiral Yamamoto Isoroku as he traveled for a tour of the South Pacific.
• The JN-25 code was not Japan’s only cryptography system in use during World War II. Also of note was the Purple machine, which was an excellent form of encryption for the time, but the Japanese operators misused the device. Operational errors such as poor key choices exposed weaknesses in the scheme and led to US Signals Intelligence breaking the code. Access to these encrypted messages gave the Americans an advantage over the Japanese, and many speculate that this knowledge shortened the war.

41
Enigma code

42
2.4 Cold War

• Starting in the 1940s and continuing through the Cold War, the US and Britain collaborated to break Soviet encrypted messages. Codenamed the Venona project, out of hundreds of thousands of messages, thousands were able to be decrypted. The Soviets were using unbreakable one-time pads, but reuse of the pads led to vulnerabilities in their system. The decryptions were a product of espionage and also of the error of reusing pads. The majority of messages were KGB communications and were used to gain information about Soviet behavior.
• The existence, and in some cases the identities, of US, Canadian, British, and Australian spies were discovered. The existence and the significance of the Venona project were not made public until 1995.
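To show why pad reuse was fatal for the traffic described above, an added example that is not from the original slides: a one-time pad in XOR form, the pad cancellation that reuse causes, and recovery of the second message once the first is known. The messages and pads are constructed for the demonstration; nothing here is Venona material.

```python
import os


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    """One-time pad as XOR: unbreakable only if the pad is random, at least as long as the message, and used once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse


def leak_from_reuse(c1, c2):
    """Two ciphertexts under the same pad: c1 XOR c2 = (p1 XOR pad) XOR (p2 XOR pad) = p1 XOR p2. The pad cancels."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_other_message(c1, c2, known_plaintext):
    """Once reuse is known and one plaintext is known (or guessed from a stereotyped header), the other follows."""
    n = min(len(c1), len(c2), len(known_plaintext))
    return xor_bytes(leak_from_reuse(c1[:n], c2[:n]), known_plaintext[:n])


def demo():
    """Constructed messages, not historical text: one pad reused for both, then a correctly used fresh pad for comparison."""
    p1 = b"REPORT 17: AGENT ARRIVED SAFELY AT THE PORT"
    p2 = b"REPORT 18: SHIPMENT DELAYED UNTIL THURSDAY"
    pad = os.urandom(64)
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)
    n = min(len(p1), len(p2))
    c2_fresh = otp_encrypt(p2, os.urandom(64))  # correct use: an independent pad for every message
    return {
        "reuse_exposes_plaintext_xor": leak_from_reuse(c1, c2) == xor_bytes(p1[:n], p2[:n]),
        "recovered_from_known_p1": recover_other_message(c1, c2, p1),
        "fresh_pad_xor": leak_from_reuse(c1, c2_fresh),  # XOR of two independent pads: uniform noise, reveals nothing
    }
```

Where both plaintexts share a character, the leaked XOR has a zero byte at that position, which is how the shared message headers give the first foothold.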

43
The Venona project

• https://youtu.be/00mqI0OS9VU

44
2.5 Current Times

• Up until the last 40 years, it was believed that cryptography would be more secure if the algorithms were kept secret. As history showed, keeping a cipher secret could not guarantee complete information security, and there was a shift toward publicly known standards with only secret keys. In 1976, DES encryption was adopted as the Federal Information Processing Standard (FIPS) for use by all non-military government agencies and government contractors.
• Although DES now has shortcomings as noted in the previous section, its standardization sparked much research and advancement of the cryptography field. The interest in the subject became more of a public concern, rather than solely a military one. Also in the late 1970s, public key cryptography, where both the sender and receiver had their own private keys and shared a known public key, was developed as an alternative to the private key cryptography that was used in the past. The most notable public key encryption scheme is called RSA. Also, there is currently a great deal of work towards advancing encryption techniques. A new topic is quantum cryptography, where it is possible to securely pass keys because the keys cannot be intercepted without being changed. It is clear that the great need for cryptography in today’s society will continue to drive the field forward.
• Unfortunately, a few current applications show that encryption is still not being used correctly. In the open source community, encryption and security are often overlooked or not implemented correctly. The main problem is that with so many contributors to the code, it is inevitable that someone who knows little or nothing about security will submit code. For example, many open source programs use SSL improperly, leaving them open to various types of attacks. Many programmers think that SSL APIs provide authentication by default, but they do not, and thus their applications are vulnerable.

45
2.5 Current Times

• Another example of incorrect use of cryptography is Diebold’s DRE voting machine. First of all, the DRE machine uses smartcards, but fails to use any of the smartcard’s cryptographic operations. Therefore, no secure authentication takes place, allowing a person to bring in a preprogrammed smartcard to perform an attack on the machine. Also, the machine uses DES encryption, which is known to be vulnerable to brute force attacks even though triple-DES and AES are known to be more secure. Unfortunately, the machine not only uses DES, it misuses it.
• The key value is hard-coded into the source code, which obviously compromises its effectiveness. Also, DES depends on a random initialization vector to ensure security, but the vector is always initialized to zero in the Diebold machine’s code. These errors show that although encryption techniques have improved, the use of outdated algorithms and misuse of encryption techniques are still common.
• Today, a large number of products pass data over the Internet or have other reasons for needing encryption. Uses of encryption are clearly visible in everyday applications. ATMs are now mandated to use Triple DES encryption. RSA has become highly used to encrypt data sent over the Internet and is used in web browsers like Netscape Navigator and Microsoft Internet Explorer.
• E-mail uses an encryption called PGP (Pretty Good Policy) to provide cryptographic privacy and authentication.
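The two implementation errors in the Diebold bullets above (a key compiled into the source and an initialization vector that is always zero), as an added example that is not from the original slides and not the Diebold code: CBC mode over a toy Feistel block cipher built on SHA-256, a stand-in for DES so that no crypto library is needed, with the weak construction beside a version that uses a fresh random IV per message. HARDCODED_KEY is a placeholder value, and the toy cipher is for illustration only.

```python
import hashlib
import os

BLOCK = 8          # 64-bit blocks, the same block size as DES
ZERO_IV = bytes(BLOCK)
HARDCODED_KEY = b"placeholder-key-in-source"   # stands in for a key compiled into the program (placeholder value)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, half, r):
    """Keyed round function for the toy cipher: SHA-256 as a PRF, truncated to half a block."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key, block, rounds=8):
    """Stand-in for DES: an 8-round Feistel network (toy construction, not for real use)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(rounds):
        left, right = right, _xor(left, _round_function(key, right, r))
    return right + left


def toy_block_decrypt(key, block, rounds=8):
    """Run the Feistel rounds backwards; the final swap in encryption makes the halves line up again."""
    right, left = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(rounds)):
        left, right = _xor(right, _round_function(key, left, r)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV for the first) before encryption."""
    pad_len = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad_len]) * pad_len
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, block), prev)
        prev = block
    return bytes(out[:-out[-1]])


def encrypt_weak(plaintext):
    """The pattern criticised above: a key baked into the code and an IV that is always zero, so encryption is deterministic."""
    return cbc_encrypt(HARDCODED_KEY, ZERO_IV, plaintext)


def encrypt_fixed(key, plaintext):
    """Fresh random IV per message, prepended so the receiver can decrypt; the key is supplied at runtime, not compiled in."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_fixed(key, blob):
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def shared_leading_blocks(c1, c2):
    """Leading ciphertext blocks two messages have in common; with a fixed IV this mirrors their shared plaintext prefix."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n
```

With the zero IV, equal records produce equal ciphertexts and records that share a prefix share ciphertext blocks, so stored data leaks its structure even though the cipher itself is never broken.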

46
2.5 Current Times

• With information transfer becoming a critical aspect of modern society, encryption has become necessary in more than just military applications. As encryption continues to affect more people in their everyday lives, it is important to learn from the misuses of encryption in the past and move forward emphasizing correct usage of secure algorithms.

47
DES Encryption

48
AES Encryption

49
Cybercrime escalation

50
Introduction to Cyber Crime
• Cyber crime and terrorism has escalated during
recent years
• It is well-organized
• It is advanced technically
• It is well-financed
• It has adopted a new view
• The old view: quick entry and exit
• The new view: hidden long term presence
• The best attack is undetected, and undetectable

51
Why the Increase In Cyber Intelligence

• Recent open source network compromise disclosures, becoming more common, used as a nation enabler
• Easier to steal digits than to integrate a spy
• Larger ROI in stealing R&D, vice actually doing it. (Past events have shown that .EDU has been used as a gateway to .GOV)

52
Why the Increase In Cyber Intelligence

• Economic motivation
• Globalization empowerment
• Continuous national interest into US directions and intentions
• If you can’t out-shoot them, out-spend them (costly to recover from breaches)

53
Incident Trends
Figure: Incident Trends, 2002 to 2007. Left panel (log scale, 1 to 1,000,000): Events per Day and Investigated Events per Day. Right panel (0 to 3.5): Findings per Day and Confirmed Incidents per Day. Caption: Typical Civil Agency Cyber Levels of Interest / Activities

54
Previous Defense Strategy
 Blocked known attack patterns
 Blocked known infiltration methods
 Used best tools available in 1998

Figure: threat landscape diagram with the labels Intel Collection, Nation-State Actions, Cyber Terrorists, Parasitic, Hackers, Malicious Code and Friendly Forces; annotation: Awareness is key

55
OWASP Top 10 Security Vulnerabilities
• 1 - Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first
validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites,
possibly introduce worms, etc.
• 2 - Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to
an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing
data.
• 3 - Malicious File Execution Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating
attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files
from users.
• 4 - Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object,
such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects
without authorization.
• 5 - Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web
application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web
application that it attacks.
• 6 - Information Leakage and Improper Error Handling Applications can unintentionally leak information about their configuration, internal
workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious
attacks.
• 7 - Broken Authentication and Session Management Account credentials and session tokens are often not properly protected. Attackers
compromise passwords, keys, or authentication tokens to assume other users' identities.
• 8 - Insecure Cryptographic Storage Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use
weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
• 9 - Insecure Communications Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
• 10 - Failure to Restrict URL Access Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to
unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

56
OWASP Top 1: Cross Site Scripting
• What is Cross Site Scripting?
• In its simplest form, it’s a process that can occur anywhere a web application uses input from a malicious user to generate output without validating or encoding the input.
• During a Cross Site Scripting attack, a malicious source sends a script that is executed by the end user’s browser. It allows attackers to embed code from one webpage into another webpage by changing its HTML code.
• It’s been used to deface web sites, conduct phishing attacks, or it can take over a user’s browser and force them to execute commands they’re unaware of.
• Cross Site Scripting attacks usually come in the form of JavaScript; however, any active content poses a potential danger.
• Prevention
• Validate the user’s input against what is expected
• Encode user-supplied output
• After you believe you’ve done the right things during code development, inspect your code with a scan.
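The two prevention steps just listed (validate input against what is expected, encode output), as an added example that is not from the original slides: a render function that pastes user input straight into HTML beside one that encodes each value for the context it lands in (HTML body, attribute, URL query). The allowlist pattern and the sample inputs are constructed for this demonstration.

```python
import html
import re
from urllib.parse import quote

# Allowlist for a display name (assumed policy): letters, digits, space, dot, underscore, hyphen; 1 to 40 characters.
DISPLAY_NAME = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")


def validate_display_name(value):
    """Input validation: accept only what the field is expected to contain, reject everything else."""
    return bool(DISPLAY_NAME.fullmatch(value))


def render_vulnerable(name, profile_id):
    """Before: user input is pasted straight into the HTML, so any markup in it becomes part of the page."""
    return f'<p>Hello, {name}!</p><a href="/profile?u={profile_id}">profile</a>'


def render_encoded(name, profile_id):
    """After: every value is encoded for the context it lands in; the browser sees text, never new markup."""
    body_text = html.escape(name)                       # HTML body context: < > & " ' become entities
    query_value = quote(profile_id, safe="")             # URL query context: percent-encode everything unsafe
    attr_value = html.escape(query_value, quote=True)    # then attribute context on top, since it sits in href="..."
    return f'<p>Hello, {body_text}!</p><a href="/profile?u={attr_value}">profile</a>'


def contains_active_content(rendered):
    """Coarse detection check over rendered output: did a tag or event handler survive from user data?"""
    return bool(re.search(r"<script|onerror=|javascript:", rendered, re.IGNORECASE))


def safe_render(name, profile_id):
    """Both layers: validate first, then encode; returns None when validation fails."""
    if not validate_display_name(name):
        return None
    return render_encoded(name, profile_id)
```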

57
OWASP Top 2: Injection Flaws (SQL Injection)
• What is SQL Injection?
• SQL injection is the actual injection of SQL commands into web applications through user input fields.
• When an application uses internal SQL commands and you also have user input capabilities (like a login screen), SQL commands can be injected that can create, read, update, or delete any data available to the application.
• Prevention
• You can put tight constraints on user inputs. But the best method of preventing SQL injection is to avoid the use of dynamically generated SQL in your code. Instead use stored or canned procedures.
• And then again, run a scan to make sure your application is not vulnerable to SQL injections.
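The prevention advice above, as an added example that is not from the original slides: a lookup built by string concatenation beside one that binds the input as a parameter (the same fixed-structure idea as a stored or canned procedure, using Python's sqlite3 module), with a tight input constraint in front of it. The table rows, the username policy and the probe string are constructed for the demonstration.

```python
import re
import sqlite3

# Input constraint (assumed policy): lowercase letters, digits and underscore, 3 to 32 characters.
USERNAME_OK = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Before: the statement is assembled from the input, so quotes and keywords in it are parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """After: the statement's structure is fixed before any input is seen; the input is bound as a value only."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user_constrained(conn, username):
    """Both layers: reject anything outside the expected shape, then run the parameterized query."""
    if not USERNAME_OK.fullmatch(username):
        raise ValueError("username does not match the expected format")
    return find_user_parameterized(conn, username)
```

The probe in the test turns the concatenated WHERE clause into a tautology and returns every row, while the bound parameter simply matches no user.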

58
OWASP Top 3: Malicious File Execution
• What is Malicious File Execution?
• When developers program applications to use input files provided by the user and the bad guy is the one entering the file, a malicious file is executed unknowingly; thus we have malicious file execution.
• Malicious file execution attacks can occur any time the application accepts filenames or files from a user.
• When these files are executed, they can be used to do just about anything from stealing data to taking over the entire system.

• Prevention
• Strongly validate user input using "accept known good" as a strategy, or isolate incoming files and check their legitimacy before executing them.
• Disable certain PHP commands: I suggest that you visit the OWASP website to see what commands to disable.
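The accept-known-good strategy described above, as an added example that is not from the original slides: a filename allowlist, a path-containment check that refuses any name resolving outside the upload directory, and a content check that the file's leading bytes match the type its extension claims before the file is used. The allowed extensions and magic numbers are an assumed policy for this demonstration.

```python
import re
from pathlib import Path

# Accept-known-good (assumed policy): a bare name of safe characters with one of the extensions we actually serve.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(pdf|png|txt)$")

# Leading bytes each binary type must start with; txt has no magic number and is checked for printability instead.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"}


def is_known_good_filename(name):
    """Allowlist check: no path separators, no dot-dot, no control characters, only the expected extensions."""
    return bool(SAFE_NAME.fullmatch(name))


def resolve_inside(base_dir, name):
    """Containment check: resolve the final path and refuse anything that lands outside the upload directory."""
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def looks_like_declared_type(data, name):
    """Legitimacy check on content, not just the name: the bytes must match the type the extension claims."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    if ext == "txt":
        return all(b in b"\t\r\n" or 32 <= b < 127 for b in data)
    return False


def safe_path_for(base_dir, user_supplied, data):
    """All three checks together; returns the resolved path, or None if any check fails."""
    if not is_known_good_filename(user_supplied):
        return None
    if not looks_like_declared_type(data, user_supplied):
        return None
    return resolve_inside(base_dir, user_supplied)
```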

59
OWASP Vulnerabilities: A Common Thread

From looking at OWASP vulnerabilities it appears that there is a common theme. Applications with dynamic code or user inputs have the most vulnerabilities, and that seems to be the current trend in application development.

So if you’re building applications of that nature, make sure you test them carefully.

60
SANS Top 20 Security Vulnerabilities


61
National Vulnerability Database

62
National Vulnerability Database

In the near future, information warfare will control the form and future of war... Our sights must not be fixed on the fire-power of the industrial age; rather, they must be trained on the information warfare of the information age.

63
Other Vulnerabilities
• Code Mistakes
• Untrained Users
• Insecure Configuration Settings

65
Code Mistakes
• Federal Student Aid has had Code Mistakes
• Implement Prevention in Code
• Thoroughly Test
• Use Tools

66
Untrained Users
• Security ignorance compromises data
• Provide the training
• Rules of Behavior
• Annual refresher training

67
Insecure Configuration Settings
• NIST, DISA, CIS vs. Business Needs
• Builds
• System Upgrades
• Vulnerability Scans

• Note: Federal Student Aid Secure Configuration Guides are based off the NIST
checklist located at http://checklists.nist.gov

68
Items of Special Interest
• Keyloggers & WSNPOEM
• What are these threats and why are they of Special Interest to Federal Student Aid and learning institutions?
• What can be done to mitigate these threats?

69
Item of Special Interest: Keyloggers

• What’s a Keylogger and how does it exploit a Web Application?
• Downloaded unknowingly
• Resident on Personal Computers
• Captures User Activity
• Usually part of a malicious Network or BOTNET
• Education notified of compromises by US-CERT

70
Keylogger Mitigations
• Train users
• Implement effective Anti-Spyware, Anti-Virus
• Keep patches and versions current
• Firewall
• Automatic form filler programs
• Cut and paste
• One-time passwords
• Smartcards
• Virtual keyboards

71
Virtual Keyboard
A virtual keyboard is provided on Federal Student Aid’s Enterprise Security login page and does not
require end users to acquire additional software.

72
How Much Security is Enough?
• We implement security based on Cost vs. Risk
 Threat * Vulnerability = Risk
 Cost of Implementing Controls – Cost of not Implementing Controls = Cost

73
Crystal Ball: In the Year 2025

PAST, PRESENT
Cyber security is a young and immature field
The attackers are more innovative than defenders
Defenders are mired in FUD (fear, uncertainty and doubt)
and fairy tales
Attack back is illegal or classified

FUTURE
Cyber security will become a scientific discipline
Cyber security will be application and technology centric
Cyber security will never be “solved” but will be “managed”
Attack back will be an integral part of cyber security
© Ravi Sandhu, World-Leading Research with Real-World Impact!

74
Who are the Threat Actors

 World Trade / Globalisation Activists
 General Attacker Threats
 Environmental Groups
 Regional Political Activism
 Non-State Sponsored Terrorism
 Organised Crime
 Nation States / Governments
 Insider Threats
 Information Hacktivists
 Illegal Information Brokers and Freelance Agents
 Trusted 3rd Parties
 Corporate Intelligence
 Investigation Companies
 Competitors, Contractors, Corporations
 Untrained Personnel

75
What are the cyber risks

• Theft of sensitive and valuable information
• Manipulation of mission critical data
• Disruption to operations
• Impact to successful execution of mission priorities

76
Assessing the risk
• Understand your assets
• Sensors
• Communications
• Network environment
• Data Storage
• Analytics
• Understand the threats
• Which threat actors are targeting you and why
• Know their capabilities
• Understand your vulnerabilities
• People, process, and technology

77
Assessing the risk
• Identify standards to measure yourself against
• Leverage guidance from your country and others
• International Organisation for Standardisation
• US National Institute of Standards and Technology
• Industry specific documentation

78
Assessing the risk
• What to assess?
• Risk Management
• Asset, Change, and Configuration Management
• Identity and Access Management
• Threat and Vulnerability Management
• Situational Awareness
• Information Sharing and Communication
• Event and Incident Response, COOP
• Supply Chain and External Dependencies
• Workforce Management
• Cybersecurity Program Management

NIST’s model of security information and decision flows within an organization (Source: NIST Preliminary Cybersecurity Framework, Page 9)

79
Mitigating the risk

Visibility: At the most basic level it is having true visibility across your own environment. Knowing what is on your network… Knowing how your network is configured… Knowing who is on your network…

Intelligence: At an intermediate level it is understanding external influences and their relevance to your environment

Integration: At an advanced level it is the integration of all this information to allow continuous monitoring and rapid decision making

80
Mitigating the risk
- Increase your visibility

• Deploy technology to provide visibility across all assets
• Remote locations
• Non-IP based systems
• Mobile and wireless
• Understand your critical assets, technology, and data
• Correlate and analyse data to detect anomalous and suspicious events
• Conduct continuous monitoring and rapid remediation/mitigation activities

81
Mitigating the risk
- Increase your intelligence

• Develop a threat intelligence programme
• Obtain threat intelligence feeds
• Develop partnerships with government information sharing programmes
• Develop partnerships with industry peers to share threat intelligence
• Interface with all stakeholders to understand critical components

82
Mitigating the risk
- Facilitate better integration

• Understand the technical landscape within the organisation and influence the roadmap with a focus on better integration and security
• Attend user conferences to learn about best practices from other organisations with similar environments
• Develop a secure reference architecture that is flexible and adaptable
• Understand the Application Program Interfaces (APIs) of the technologies in use and how to leverage them for security orchestration and automated remediation
• Develop an integration lab to test secure configurations and integrations prior to deployment

83
