Cyber Security

Uploaded by Anjali Mahajan
IT Security Risks …

A few incidents
✓ Hillary Clinton e-mail server; DNC HQ
✓ Erin Brockovich – how she got access to the data
✓ HSBC Switzerland; Panama Papers
✓ Watergate scandal – Nixon tapes
✓ Bangladesh Bank robbery – an attempted theft of close to a billion dollars
✓ Aadhaar debate
✓ RG Twitter account

✓ Srikrishna Committee Report – must read!

Where does it all come from – Threat Agents
✓ Hackers
✓ Industrial espionage
✓ Insiders
✓ Disgruntled ex-employees
✓ People with a grudge against the company
✓ Sloppy IT work
✓ “Helpful” partners who are unaware they have had a breach

Who does it? Categories of attackers
✓ Outsiders – 50%
✓ Multiple categories acting together – 25%
✓ Malicious insiders – 20%
✓ Inadvertent actors – 5%
Insider misuse covers both the malicious insiders and the inadvertent actors.

How do they happen?
How come easily preventable threats still materialize?
✓ More freedom (devices, software) vs security
✓ Greater external connectivity / web presence vs security
Cybersecurity… in the current context
✓ It is about technology and its use, not hardcore tech itself…
“Managerial Perspective”
✓ Bridge between technologists and generalist top management
✓ Concepts, standards, best practices, audit, governance, compliance
Cybersecurity… Definition
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)” (NIST Computer Security Handbook, SP 800-12).
Cybersecurity and Information security
Cybersecurity is concerned with digital assets, for example:
▪ Software code
▪ Configuration settings
▪ IoT signals
Information security is the broader discipline and also covers information that is not digital:
▪ Paper
▪ Voice etc.
Cybersecurity - Importance
✓ Privacy and Safety
✓ Financial
✓ IP Rights
✓ Compliance with regulations
✓ Reputation
✓ Competitive performance
✓ Impact on Customers
✓ Product Liability
✓ Impact on Society
Cybersecurity - Regulations
✓ IT Act 2000/amended 2008
✓ RBI – Gopalakrishna Committee Recommendations
✓ US – Health Insurance Portability and Accountability Act (HIPAA)
✓ US - Sarbanes-Oxley Act
✓ GDPR
Cybersecurity – Key Issue
✓ Senior management is NOT technically qualified, nor does it have the time
✓ But it is expected to be accountable to the government, customers and the public on cybersecurity

How do they manage this ?

✓ Cybersecurity Strategy
✓ Cybersecurity Management Framework
Cybersecurity – Strategy
An overall strategy for providing security
✓ Policy (specs): what security schemes are supposed to do
▪ Assets and their values
▪ Potential threats
▪ Ease of use vs security
▪ Cost of security vs cost of failure/recovery
✓ Implementation/mechanism: how to enforce
▪ Prevention
▪ Detection
▪ Response
▪ Recovery
✓ Correctness/assurance: does it really work (validation/review)
Cybersecurity – Frameworks
✓ NIST ( National Institute of Standards and Technology) - US
✓ ISO – International
ISO 27001 & 27002
ISO 27000 is a series of international standards all related to information security; ISO 27001 specifies the requirements for an ISMS, and ISO 27002 is the companion code of practice that describes the controls.
The ISO 27001 standard has an organizational focus and details requirements against which an organization’s ISMS (Information Security Management System) can be audited.
ISO 27001 is a management system standard and therefore establishes specific requirements against which an organization can be certified by an accredited third-party registrar.
If an organization wants to certify its Information Security Management System (ISMS), it needs to comply with all requirements in ISO 27001.
Why ISO 27001?
✓ Framework that requires the applicable legal and regulatory requirements to be identified and addressed
✓ Gives the ability to demonstrate and independently assure the internal controls of a company
✓ Proves management commitment to the security of business and customer information
✓ Reduces time and effort when audited by internal compliance reviews or during external audits
ISO 27001 Standard
✓ Information Security Management System
✓ Management Responsibility
✓ Management Review of ISMS
✓ ISMS Improvement

Annex A (as in ISO/IEC 27001:2005, the edition this deck follows)
▪ 11 domains
▪ 39 control objectives
▪ 133 controls
Note: the 2013 revision regrouped Annex A into 14 domains and 114 controls, and the 2022 revision into 4 themes (organizational, people, physical, technological) and 93 controls. The domain list below is the 2005 structure, which is still the one most auditors' checklists are descended from.
ISO 27001 - Evolution of the standard
▪ ISO 27000 consists of a range of individual standards and documents
▪ ISO 27001 was first published in 2005, replacing the BS 7799-2 standard; it was revised in 2013 and again in 2022
▪ It enhanced the content of the previous version
▪ Harmonization with other management system standards (e.g. ISO 9001)
▪ Helps organizations establish and maintain an Information Security Management System
PDCA (Plan–Do–Check–Act) cycle of the ISMS

PLAN – Establish the ISMS
• Define ISMS scope
• Define policy
• Identify risks
• Assess risks
• Select control objectives

DO – Implement and operate the ISMS
• Implement the risk treatment plan
• Deploy controls

CHECK – Monitor and review the ISMS
• Monitor processes
• Regular reviews
• Internal audits

ACT – Maintain and improve the ISMS
• Implement improvements
• Corrective actions
• Preventative actions
• Communicate with stakeholders
KEY contexts of ISO 27001 (the Annex A domains)
1. Security Policy
2. Organizational Security
3. Asset Management
4. Human Resource Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
Key Context 1 – Security Policy
Control Aspects
Documenting the InfoSec policy
Reviewing the Infosec policy
Key Context 2 – organization of information security
Control Aspects
• Management commitment to InfoSec
• InfoSec coordination
• Allocating InfoSec responsibilities
• Authorization of information processing facilities
• Protecting confidentiality in agreements
• Contact with authorities
• Contact with special interest groups
• Reviewing InfoSec in an independent manner
• Identifying risks related to external parties
• Security care in customer interactions
• Approach to handling security in third-party agreements
Key Context 3 – Asset Management
Control Aspects
▪ Assets inventory
▪ Asset ownership
▪ Using assets in an acceptable manner
▪ Guidelines for classification
▪ Labelling and handling of information
Key Context 4 – security of HR
Control Aspects
• Roles and responsibilities
• Screening
• Terms and conditions of employment
• Responsibilities of management
• Education and training for InfoSec awareness
• Disciplinary process
• Termination responsibilities
• Return of assets
• Removal of access rights
Key Context 5 – physical and environmental security
Control Aspects
▪ Physical security perimeter
▪ Control at physical entry points
▪ Securing offices, rooms and facilities
▪ Protection from external and environmental threats
▪ Physical protection and guidelines for working in secure areas
▪ Public access, delivery and loading areas
▪ Protection of equipment
▪ Supporting utilities
▪ Security of cabling (power and telecommunications cabling carrying data or supporting information services)
▪ Maintenance of equipment, including equipment off-premises
▪ Secure disposal or reuse of equipment
▪ Removal of property
Key Context 6 – Communications and operations management
Control Aspects
▪ Operating procedure documentation
▪ Change management
▪ Segregation of duties (SoD)
▪ Separation of facilities for development, testing and operations
▪ Service delivery
▪ Monitoring and review of third-party services
▪ Managing changes to third-party services
▪ Capacity management
▪ System acceptance
▪ Controls against malicious code
▪ Controls against mobile code
▪ Information backup
▪ Network controls
▪ Security of network services
▪ Management of removable media
▪ Disposal of media
▪ Information handling procedures
▪ Securing systems documentation
▪ Policies and procedures for information exchange
▪ Exchange agreements
▪ Protecting physical media in transit
▪ Electronic messaging security
▪ Business information systems
▪ E-commerce
▪ Online transactions
▪ Publicly available information
▪ Audit logging
▪ System usage monitoring
▪ Protecting log information
▪ Administrator and operator logs
▪ Fault logging
▪ Clock synchronization
Key Context 7 – Access control
Control Aspects
▪ Access control policy
▪ Registration of users
▪ Managing user privileges
▪ Managing user passwords
▪ Review of user access rights
▪ Usage of passwords
▪ Unattended user equipment
▪ Clear desk and clear screen policy
▪ Policy for use of network services
▪ User authentication for external connections
▪ Network equipment identification
▪ Control of network connections
▪ Control of network routing
▪ System log-on procedure
▪ Identification and authentication of users
▪ Password management system
▪ Use of system utilities
▪ Session time-out
▪ Limitation of connection time
▪ Information access restrictions
▪ Isolation of sensitive systems
▪ Securing mobile computing and teleworking
▪ Teleworking policy
Key Context 8 – Information systems acquisition, development and maintenance
Control Aspects
▪ Security requirements analysis and specification
▪ Input data validation
▪ Internal processing controls
▪ Maintaining message integrity
▪ Output data validation
▪ Policy on the use of cryptographic controls
▪ Key management
▪ Control of operational software
▪ Protection of system test data
▪ Access control to program source code
▪ Change control procedures
▪ Technical review of applications after OS changes
▪ Restrictions on changes to software packages
▪ Protection against information leakage
▪ Control over outsourced software development
▪ Control of technical vulnerabilities
Key Context 9 – information security incident management

Control Aspects
▪ Reporting InfoSec events
▪ Reporting security weaknesses
▪ Responsibilities and procedures
▪ Learning from InfoSec incidents
▪ Collecting evidence
Key Context 10 – business continuity management
Control Aspects
▪ Integrating InfoSec with the business continuity plan (BCP)
▪ Business continuity and risk assessment
▪ Development and implementation of a BCP integrated with InfoSec
▪ BCP framework
▪ Testing, maintaining and reassessing the business continuity plan
Key Context 11 – compliance
Control Aspects
▪ Identification of applicable legislation
▪ Intellectual property rights (IPR)
▪ Protection of organizational records
▪ Data protection and privacy of personal information (PI)
▪ Prevention of misuse of information processing facilities (IPF)
▪ Regulation of cryptographic controls
▪ Compliance with security policies and standards
▪ Technical compliance checking
▪ Information systems audit considerations
▪ Protection of information systems audit tools
STEPS FOR ISO 27001 IMPLEMENTATION
Step 1: Identify objective of the business
• To provide security to data and information thereby increasing the value
of the organization for its stakeholders

Step 2: Obtain management support


• To ensure alignment of organization governance with the information
security goals
• To understand the expectations of the top management and incorporate
it in implementing the ISMS system
STEPS FOR ISO 27001 IMPLEMENTATION
Step 3: Define the scope
• Define the information assets (user credentials, transaction details etc.) that need to be protected
• Identify the procedures, business units and external vendors that fall within the scope of the ISMS; they have to be involved
• For a small organization, the implementation scope should cover all parts of the business, to build a risk-aware culture
• Also define and document what is out of scope, to avoid disputes later
STEPS FOR ISO 27001 IMPLEMENTATION
Step 4: Develop a brief ISMS Policy
• To ensure the protection of information assets of the organization from
internal and external threats.
• Confidentiality, integrity and availability of information has to be
maintained
• Information security awareness and training to staff for a risk aware
culture
• Access control policies and hierarchy of responsibility supporting ISMS is
well defined
STEPS FOR ISO 27001 IMPLEMENTATION
Step 5: Define Risk Assessment Methodology & Strategy
• Risk Assessment Matrix
• Failure Mode and Effects Analysis (FMEA)
• Risk Value = Likelihood (Probability) x Impact x Detection Difficulty, each factor scored on a small ordinal scale (1 to 5 in the register below)
• Probability Analysis

Risk Event                                            Likelihood  Impact  Detection Difficulty  When                     Risk Value
Hardware & Software Installation Issues (Pre & Post)       4         5             3            Pre & Post Installation      60
Software – ATM, DBMS, Internet Banking                     3         5             4            Post Installation            60
Information Security                                       4         5             4            Post Installation            80
Regulatory Compliance                                      3         4             4            Pre & Post Installation      48
STEPS FOR ISO 27001 IMPLEMENTATION
Step 6: Risk Treatment plan
▪ Mitigating Risk
▪ Avoiding Risk
▪ Transferring Risk
▪ Retaining Risk
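The scoring rule from Step 5 (Risk Value = Likelihood x Impact x Detection Difficulty) and the retain-or-treat decision that opens Step 6, worked through as a small risk register. This is an added example and not code from the original slides; it assumes each factor is scored 1 to 5, the risk appetite of 50 is an arbitrary threshold, and the register entries are the slide's own rows re-entered as constructed sample data.

```python
"""Risk value = Likelihood x Impact x Detection difficulty, plus the treatment decision.

Added example for the risk-assessment and risk-treatment steps; not code from the
original slides. Assumptions: each factor is scored 1..5 (so a risk value lies in
1..125) and the risk appetite of 50 is an arbitrary threshold chosen for the demo.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: int   # 1 rare .. 5 almost certain
    impact: int       # 1 negligible .. 5 severe
    detection: int    # 1 easy to detect .. 5 very hard to detect
    when: str         # lifecycle phase the risk belongs to

    def __post_init__(self) -> None:
        for factor in (self.likelihood, self.impact, self.detection):
            if not 1 <= factor <= 5:
                raise ValueError(f"{self.name}: factor {factor} outside 1..5")

    @property
    def value(self) -> int:
        return self.likelihood * self.impact * self.detection


# The register from the slide, re-entered here as constructed sample data.
REGISTER = [
    RiskEvent("Hardware & Software Installation Issues", 4, 5, 3, "Pre & Post Installation"),
    RiskEvent("Software - ATM, DBMS, Internet Banking", 3, 5, 4, "Post Installation"),
    RiskEvent("Information Security", 4, 5, 4, "Post Installation"),
    RiskEvent("Regulatory Compliance", 3, 4, 4, "Pre & Post Installation"),
]

RISK_APPETITE = 50  # assumed: values at or below this may be retained without treatment


def decide(risk: RiskEvent, appetite: int = RISK_APPETITE) -> str:
    """Retain risks within appetite; everything above it needs a treatment plan
    (mitigate, avoid or transfer) before management can sign it off."""
    return "retain" if risk.value <= appetite else "treat"


def ranked(register: list[RiskEvent]) -> list[tuple[str, int, str]]:
    """Risk register ordered highest value first, with the decision per entry."""
    return [(r.name, r.value, decide(r)) for r in sorted(register, key=lambda r: -r.value)]


def residual(risk: RiskEvent, **changed: int) -> RiskEvent:
    """Residual risk after a control changes one or more factors, e.g.
    residual(r, detection=1) for a control that makes the event easy to detect.
    Re-validation of the 1..5 range happens automatically via __post_init__."""
    return replace(risk, **changed)


if __name__ == "__main__":
    for name, value, decision in ranked(REGISTER):
        print(f"{value:>3}  {decision:<6}  {name}")
    infosec = REGISTER[2]
    after = residual(infosec, likelihood=2, detection=1)   # e.g. monitoring + hardening applied
    print(f"Information Security: {infosec.value} -> {after.value} ({decide(after)})")
```

The residual calculation is the part the slide leaves implicit: a treatment plan is only complete when the re-scored value lands inside the appetite, and the register should carry both the inherent and the residual score so the Step 11 management review can see what the controls actually bought.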
STEPS FOR ISO 27001 IMPLEMENTATION
Step 7: Set up policies and procedures to control risks
▪ Allows the organization to identify roles & responsibilities for effective
implementation
▪ The list of policies and procedures depends on:
▪ Organization’s location
▪ Assets
▪ Overall Structure
STEPS FOR ISO 27001 IMPLEMENTATION
Step 8: Allocation of required resources and conduct training and
awareness programs
▪ Brief the employees and workers about policies and procedures
▪ Train them with the required skills for implementation

Step 9: Carefully monitor the ISMS


▪ Point where the objectives of monitoring, control and measurement
methodologies come together
▪ Check whether the achieved goals are met in accordance with the set
objectives
STEPS FOR ISO 27001 IMPLEMENTATION
Step 10: Prepare for internal audit
▪ Setting up Governance, risk and compliance tool with the controls
questionnaire
▪ Checking compliance and reporting it to the responsible authority for
required actions based on the hierarchical workflow

Step 11: Periodic Management review


▪ Take crucial decision based on the periodic reviews
STEPS FOR ISO 27001 IMPLEMENTATION : Payments bank
Step 1: Identify objective of the business
• Secure transaction, customer data protection

Step 2: Obtain management support


• Involving top management to ensure enterprise governance is aligned
with the information security governance framework
STEPS FOR ISO 27001 IMPLEMENTATION : Payments bank
Step 3: Define the scope
• Information assets will be transaction details, customer details, credit
score details
• Server rooms should be at a secured place
• Gateway provider and customers should come under the scope of the
ISMS

Step 4: Develop a brief ISMS Policy


• Information accessibility should be defined at different levels
• Employees should be given regular training to inculcate a risk aware
culture
STEPS FOR ISO 27001 IMPLEMENTATION : Payments bank
Step 5: Define Risk Assessment Methodology & Strategy (same register and scoring as the generic Step 5 above)

Risk Event                                            Likelihood  Impact  Detection Difficulty  When                     Risk Value
Hardware & Software Installation Issues (Pre & Post)       4         5             3            Pre & Post Installation      60
Software – ATM, DBMS, Internet Banking                     3         5             4            Post Installation            60
Information Security                                       4         5             4            Post Installation            80
Regulatory Compliance                                      3         4             4            Pre & Post Installation      48
STEPS FOR ISO 27001 IMPLEMENTATION : Payments bank
Step 6: Risk Treatment plan
• Risk contingency plan in case of a data breach, e.g. temporarily suspending all affected accounts
• Mitigating risk by validating logins and payments through an OTP or call confirmation (this reduces the likelihood of fraud; it does not avoid the risk altogether)

Step 7: Set up policies and procedures to control risks


• Employees accessing the data should be monitored when they are
accessing the data or any out of the routine behavior
• Roles and responsibilities of the employees should be laid out in the
policies
STEPS FOR ISO 27001 IMPLEMENTATION : Payments bank
Step 8: Allocation of required resources and conduct training and
awareness programs
• Make the employees aware of their roles and responsibilities
• Brief the employees about policies and procedures
Step 9: Carefully monitor the ISMS
• Monitor transactions for any suspicious activity
• Bind customer logins to a registered device so that logins from an unknown device stand out (note: a device's MAC address is not visible to a server across the Internet and is easily spoofed, so use an application-level device binding such as a registered device token or client certificate rather than the MAC address)
STEPS FOR ISO 27001 IMPLEMENTATION : Payments bank
Step 10: Prepare for internal audit
• Set up a committee for internal audit
• Have a team of ethical hackers test the system for vulnerabilities (penetration testing) and verify that the deployed controls behave as specified

Step 11: Periodic Management review


• There should be periodic reviews of the system
Benefits of ISO 27001
• An international standard certifying the organisation's security practices enhances customer assurance
• Protection against information security risks and breaches
• Certification acts as a business enabler in the IT outsourcing business, meeting client requirements
• Satisfaction of fiduciary requirements for information security
ISO 27001 - Annexure
1. Security policy (5)
2. Organization of information security (6)
3. Asset management (7) Why do you care???
4. Human resources security (8)
5. Physical and environmental security (9)
6. Communications and operations management (10)
7. Access control (11)
8. Information systems acquisition, development and maintenance (12)
9. Information security incident management (13)
10. Business continuity management (14)
11. Compliance (15)
Numbers in Brackets refer to Section number in ISO Standard
Because this is what the Companies will be audited on ….
you may be doing this job!!
[Figure: the ISO 27001 Annex A domains arranged around the Information Security Management System – Security Policy, Security Organization, Asset Classification and Control, Personnel Security / HR, Physical & Environmental, Communications & Operations, Access Control, System Development Security, Business Continuity Management, Compliance]
NIST Cybersecurity Framework (developed by NIST under US Presidential Executive Order 13636)

Function   Question the function answers                  Category                                        ID
Identify   What processes and assets need protection?     Asset Management                                ID.AM
                                                          Business Environment                            ID.BE
                                                          Governance                                      ID.GV
                                                          Risk Assessment                                 ID.RA
                                                          Risk Management Strategy                        ID.RM
Protect    What safeguards are available?                 Access Control                                  PR.AC
                                                          Awareness and Training                          PR.AT
                                                          Data Security                                   PR.DS
                                                          Information Protection Processes & Procedures   PR.IP
                                                          Maintenance                                     PR.MA
                                                          Protective Technology                           PR.PT
Detect     What techniques can identify incidents?        Anomalies and Events                            DE.AE
                                                          Security Continuous Monitoring                  DE.CM
                                                          Detection Processes                             DE.DP
Respond    What techniques can contain the impacts of     Response Planning                               RS.RP
           incidents?                                     Communications                                  RS.CO
                                                          Analysis                                        RS.AN
                                                          Mitigation                                      RS.MI
                                                          Improvements                                    RS.IM
Recover    What techniques can restore capabilities?      Recovery Planning                               RC.RP
                                                          Improvements                                    RC.IM
                                                          Communications                                  RC.CO

These are the five functions and 22 categories of CSF 1.0/1.1; CSF 2.0 (2024) adds a sixth function, Govern, and renumbers some categories.
Cybersecurity – C I A
Confidentiality:
Data confidentiality: Assures that confidential information is not disclosed to
unauthorized individuals
Privacy: Assures that individual control or influence what information may be
collected and stored
Integrity:
Data integrity: assures that information and programs are changed only in a
specified and authorized manner
System integrity: Assures that a system performs its operations in unimpaired
manner
Availability:
Assures that systems work promptly and service is not denied to authorized users
InfoSec – C I A Triad
Other Considerations :
✓ Non-repudiation
✓ Accountability
✓ Auditability
✓ Consistency
✓ Freshness
✓ Usable format
✓ Reliability
Some key terms
CIA Triad
Threat
Vulnerability
Control
Governance
Compliance, Legal Requirements
Audit
Policies, Standards
Incident Management, RCA
Disaster readiness
Organisation for Cybersecurity management
Information Security
Security in Cloud , Mobile and partner systems
Basic Cybersecurity Model
[Figure: a cycle of the core terms] Assets are endangered by Threats, which exploit Vulnerabilities, which results in Exposure (the Risk), which is mitigated by Safeguards, which protect the Assets.
Cybersecurity Taxonomy / Landscape
NIST CSF – Identify: Asset Management (ID.AM); see the function/category table above.
IT Asset Management

ITAM is too often treated as “once and done”. The whole asset lifecycle needs to be considered.
Asset Management
▪ Establish an inventory
▪ Leverage automation
▪ Draw from multiple sources of information
▪ Cover both publicly available and private internal resources
▪ Tie the inventory into the acquisition process
▪ Understand authorized vs unauthorized
▪ Ownership and Accountability
IT Asset Classification: Hardware, Software, data , Communication ,
Licenses
Criticality – V.High, High, Medium, Low
Transition issues : “retired / archived” assets
Other Cybersecurity considerations
▪ Manage and monitor configurations.
▪ Maintain master images and store them securely.
▪ Understand and prioritize potential vulnerabilities – learn from others.
▪ Monitor use as it aligns with data classification / protection rules.
▪ Any external facing system (including email) has real threats.
▪ Ensure protection commensurate with risk.
▪ Limit access to sensitive / critical assets.
▪ Consider product life – often, outdated = unsafe.
▪ Be mindful of wireless risks.
▪ Secure application development – including outsourced development and
importantly, reused/shared software code.
▪ Monitoring, Testing and other exercises are critical.
NIST CSF – Protect: Access Control (PR.AC); see the function/category table above.
Access Control
▪ Authentication:
▪ Authentication is the process by which you verify that someone is who they claim to be.
▪ Mechanism: username/password, RFID card, PIN, one-time code etc.
▪ Authorization:
▪ Authorization is the process of establishing whether the user (who is already authenticated) is permitted to access a resource. Authorization determines what a user is and is not allowed to do.
▪ Mechanism: role-based access control (RBAC), administered by the system administrator.
▪ Access Control:
▪ Access control is the process of enforcing the required security for a particular resource.
▪ Mechanism: ensure access only to what is allowed (and also record what the person tried to access!), activity log.
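The three steps above (authenticate, authorize, enforce with an activity log) as an added Python example; this is not code from the original slides. The user store, the roles and the permission table are constructed for the demo, password hashing uses PBKDF2 from the standard library, and the audit log is an in-memory list standing in for whatever the real system writes to.

```python
"""Authentication, authorization and access-control enforcement with an audit trail.

Added example for the Access Control slide; not code from the original slides.
The user store, roles and permission table are constructed sample data.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). The password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# username -> (salt, digest, role). Constructed for the example.
_USERS: dict[str, tuple[bytes, bytes, str]] = {}


def add_user(username: str, password: str, role: str) -> None:
    salt, digest = hash_password(password)
    _USERS[username] = (salt, digest, role)


add_user("alice", "correct horse battery", "teller")
add_user("bob", "staple-2024", "auditor")

# role -> set of (action, resource). Anything not listed is denied: fail-safe default.
PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "teller":  {("read", "accounts"), ("write", "transactions")},
    "auditor": {("read", "accounts"), ("read", "transactions"), ("read", "audit_log")},
}

AUDIT_LOG: list[dict] = []


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1: who is this? Returns the verified username, or None."""
    record = _USERS.get(username)
    if record is None:
        hash_password(password)   # spend the same time on unknown users so timing does not leak usernames
        return None
    salt, digest, _role = record
    _, candidate = hash_password(password, salt)
    return username if hmac.compare_digest(candidate, digest) else None


def authorize(username: str, action: str, resource: str) -> bool:
    """Step 2: may this (already authenticated) user perform this action on that resource?"""
    role = _USERS[username][2]
    return (action, resource) in PERMISSIONS.get(role, set())


def access(username: str, password: str, action: str, resource: str) -> bool:
    """Step 3: enforcement. Every request passes through here (complete mediation) and every
    outcome is logged, denials included: the log shows what a user *tried* to reach."""
    who = authenticate(username, password)
    if who is None:
        outcome = "AUTH_FAILED"
    elif not authorize(who, action, resource):
        outcome = "DENIED"
    else:
        outcome = "ALLOWED"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": username, "action": action, "resource": resource, "outcome": outcome,
    })
    return outcome == "ALLOWED"


if __name__ == "__main__":
    access("alice", "correct horse battery", "read", "accounts")     # ALLOWED
    access("alice", "correct horse battery", "read", "audit_log")    # DENIED: not in the teller role
    access("alice", "wrong password", "read", "accounts")            # AUTH_FAILED
    access("mallory", "anything", "read", "accounts")                # AUTH_FAILED: unknown user
    for entry in AUDIT_LOG:
        print(entry)
```

Two details matter in practice: the denied attempt is logged with the same fields as a success, so a reviewer can spot a teller probing the audit log, and the permission lookup defaults to an empty set, so a user with an unknown or misspelt role gets nothing rather than everything.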
NIST CSF – Protect: Awareness and Training (PR.AT); see the function/category table above. People are the weakest link in the corporate security system.
Awareness Training
✓ Password usage and management – including creation, protection, and frequency of changes (note: current NIST guidance, SP 800-63B, advises against forced periodic changes unless there is evidence of compromise)
✓ Protection from viruses, worms, Trojan horses, and other malicious code – scanning,
updating definitions
✓ Policy – implications of noncompliance
✓ Unknown e-mail attachments
✓ Web usage – allowed versus prohibited; monitoring of user activity
✓ backup and storage – centralized or decentralized approach
✓ Social engineering
✓ Incident response – contact whom? “What do I do?”
✓ Shoulder Surfing
✓ Changes in system environment – increases in risks to systems and data (e.g., water, fire,
dust or dirt , physical access)
Awareness Training
✓ Inventory and property transfer – identify responsible organization and user responsibilities (e.g.,
media sanitization)
✓ Personal Use , Work from Home
✓ Handheld device security issues – address both physical and wireless security issues
✓ Use of encryption and the transmission of sensitive/confidential information over the Internet –
address agency policy, procedures, and technical contact for assistance
✓ Laptop security while on travel – address both physical and information security issues
✓ Personally owned systems and software at work – state whether allowed or not (e.g., copyrights)
✓ Timely application of system patches – part of configuration management
✓ Software license restriction issues – address when copies are allowed and not allowed
✓ Supported/allowed software on organization systems – part of configuration management
✓ Access control issues – address least privilege and separation of duties
✓ Individual accountability – explain what this means in the organization
✓ Use of acknowledgement statements – passwords, access to systems and data, personal use and gain
NIST CSF – Protect: Data Security (PR.DS); see the function/category table above.
Data Security (PR.DS)
▪ Data-at-rest protection – “access control” on the stores, plus encryption of disks, databases and backups
▪ Data-in-transit protection – “cryptography” (e.g. TLS)
▪ Formal asset management and disposal
▪ Capacity and availability management
▪ Protection against data leaks – “data leak prevention” (DLP)
▪ Integrity checking – hashes and MACs for integrity; “non-repudiation / digital signatures” where it must also be provable who produced the data
▪ Separation of development and test from production
NIST CSF – Protect: Protective Technology (PR.PT); see the function/category table above.
Protective Technology (PR.PT)
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented and reviewed in accordance with policy.
PR.PT-2: Removable media is protected and its use restricted according to policy.
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
PR.PT-4: Communications and control networks are protected.
PR.PT-5: Mechanisms (e.g. fail-safe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
Protective Technology – in practice
▪ Log collection and analytics
▪ Removable media usage controls – “end-point security”
▪ Access to systems and assets is controlled, incorporating the principle of least functionality
▪ Communications and control networks are protected – “firewalls”, network segmentation
Cryptography
“The principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity”

- Encryption concepts
- Digital signatures
- Cryptanalytic attacks
- Public Key Infrastructure (PKI)
- Information hiding alternatives (e.g. steganography)
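A worked example that ties the audit-logging control (PR.PT-1), the integrity-checking point under Data Security and the cryptography topics together: a tamper-evident audit log in which every record carries an HMAC over its own content and the previous record's tag. It is an added example, not code from the original slides; the key and the log records are constructed for the demo. One caveat a practitioner should keep in mind: an HMAC proves integrity and authenticity to anyone holding the shared key, which is not non-repudiation; where a third party must be able to verify who produced the records, they need a digital signature made with a private key only the logging system holds.

```python
"""Tamper-evident audit log: each record carries an HMAC over its content and the
previous record's tag, so editing, deleting or reordering an entry breaks the chain.

Added example for the audit-logging, integrity-checking and cryptography points;
not code from the original slides. KEY and the records are constructed for the demo.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key; in production keep it in an HSM or KMS"
GENESIS = b"\x00" * 32   # previous-tag value used for the very first record


def _tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    # Canonical JSON so the same record always serialises to the same bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + payload, hashlib.sha256).digest()


def append(log: list[dict], record: dict, key: bytes = KEY) -> None:
    """Append a record, chaining it to the tag of the record before it."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    entry = dict(record)
    entry["tag"] = _tag(key, prev, record).hex()
    log.append(entry)


def verify(log: list[dict], key: bytes = KEY) -> tuple[bool, int]:
    """(True, -1) if every link holds, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        expected = _tag(key, prev, record)
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return False, i
        prev = expected
    return True, -1


def sample_log() -> list[dict]:
    """Three constructed records in the shape an access-control enforcement point might emit."""
    log: list[dict] = []
    append(log, {"ts": "2024-03-01T09:00:00Z", "user": "alice", "action": "login", "outcome": "ALLOWED"})
    append(log, {"ts": "2024-03-01T09:02:11Z", "user": "alice", "action": "read:audit_log", "outcome": "DENIED"})
    append(log, {"ts": "2024-03-01T09:05:40Z", "user": "bob", "action": "export:accounts", "outcome": "ALLOWED"})
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify(log))
    log[1]["outcome"] = "ALLOWED"          # an insider rewrites their denied attempt
    print("after edit:", verify(log))
```

Because each tag covers the previous tag, an attacker who can edit one line must recompute every tag after it, which needs the key; keeping the key out of reach of the administrators who can write to the log is what turns "administrator and operator logs" into something the auditor can trust.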
Attack Surfaces
• Attack surface: the reachable and exploitable vulnerabilities in a system
– Open ports and the services listening on them
– Services reachable from outside the firewall
– An employee with access to sensitive information
– …
• Three categories
– Network attack surface (network vulnerabilities: open ports, protocols, exposed services)
– Software attack surface (vulnerabilities in application, utility and operating-system code)
– Human attack surface (e.g. social engineering, insiders)
• Attack surface analysis: assessing the scale and severity of threats, and reducing the surface wherever it is not needed
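The network attack surface in the concrete form a practitioner measures it: which listening sockets on a host are reachable from other machines, and are they the ones policy says may be exposed? This is an added example and not code from the original slides. The socket listing is a constructed sample in the output format of `ss -tlnp` on Linux, and the allow-list of intended public ports is an assumption for the demo.

```python
"""Network attack surface from listening sockets: what is reachable off-host, and
is it what we intended to expose?

Added example for the Attack Surfaces slide; not code from the original slides.
SAMPLE_SS_OUTPUT is a constructed `ss -tlnp` listing; INTENDED_PUBLIC_PORTS is assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` (State Recv-Q Send-Q Local:Port Peer:Port Process).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1410,fd=6))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1410,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      100    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1500,fd=6))
LISTEN 0      128    10.0.0.5:9200       0.0.0.0:*         users:(("java",pid=1777,fd=212))
LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=640,fd=7))
"""

INTENDED_PUBLIC_PORTS = {22, 80, 443}   # assumption: what the firewall policy says may be exposed
LOOPBACK = ("127.", "[::1]", "::1")


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """Reachable from another host: bound to a wildcard or any non-loopback address."""
        return not self.address.startswith(LOOPBACK)


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tlnp` text into Listener records; the header row is skipped."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)       # handles 0.0.0.0:22, *:80 and [::]:22
        m = re.search(r'\("([^"]+)"', fields[5] if len(fields) > 5 else "")
        listeners.append(Listener(address, int(port), m.group(1) if m else "?"))
    return listeners


def attack_surface(output: str, intended: set[int] = INTENDED_PUBLIC_PORTS) -> dict[str, list[str]]:
    """Split listeners into intended-exposed, unexpected-exposed and local-only, as 'port/process'."""
    result: dict[str, list[str]] = {"intended": [], "unexpected": [], "local_only": []}
    for lst in parse_ss(output):
        label = f"{lst.port}/{lst.process}"
        if not lst.exposed:
            result["local_only"].append(label)
        elif lst.port in intended:
            result["intended"].append(label)
        else:
            result["unexpected"].append(label)
    # An IPv4 and an IPv6 socket for the same service count once; keep first-seen order.
    return {k: list(dict.fromkeys(v)) for k, v in result.items()}


if __name__ == "__main__":
    for bucket, services in attack_surface(SAMPLE_SS_OUTPUT).items():
        print(f"{bucket:<11} {services}")
```

The "unexpected" bucket is the finding: in the sample, a Redis instance and an Elasticsearch-style port are listening on routable addresses without anyone having decided they should be, which is exactly the kind of attack surface the slide means by "open ports" and "services outside a firewall". Running the same comparison against every host, and diffing the result over time, is a cheap form of continuous monitoring.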
Security Design Principles
✓ Economy of mechanism: the design of security measures should be as simple as possible
✓ Simpler to implement and to verify
✓ Fewer vulnerabilities
✓ Fail-safe default: access decisions should be based on explicit permissions; i.e., the default is no access
✓ Complete mediation: every access should be checked against the access control system (no cached or bypassed checks)
✓ Open design: the design should be open rather than secret (e.g., encryption algorithms; only the key is secret)
Security Design Principles
✓ Isolation
✓ Public access should be isolated from critical resources (no connection between public and critical information)
✓ Users' files should be isolated from one another (except when sharing is desired)
✓ Security mechanisms should be isolated (i.e., preventing access to those mechanisms)
✓ Encapsulation: similar to object-oriented concepts (hide internal structures)
✓ Modularity: modular structure
✓ Separation of privilege: multiple privileges (e.g. two different people, or two independent credentials) should be needed to achieve access or complete a task
Security Design Principles
✓ Least privilege: Every user (process) should have the least privilege to
perform a task
✓ Least common mechanism: A design should minimize the function
shared by different users (providing mutual security; reduce deadlock)
✓ Psychological acceptability: Security mechanisms should not interfere
unduly with the work of users
✓ Layering (defense in depth): Use of multiple, overlapping protection
approaches
✓ Least astonishment: A program or interface should always respond in a
way that is least likely to astonish a user
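Three of the principles above (fail-safe default, complete mediation and separation of privilege) as a single approval gate, in the shape a bank would use for a high-value transfer or a production deployment. This is an added example, not code from the original slides; the actions, the roles and the two-person rule table are assumptions made for the demo.

```python
"""Fail-safe default, complete mediation and separation of privilege in one gate.

Added example for the security design principles; not code from the original
slides. The actions, roles and two-person rules below are assumptions for the demo.
"""
from dataclasses import dataclass, field

# Actions that need approval from two *different* people holding these roles.
# Any action absent from this table is denied: that is the fail-safe default.
TWO_PERSON_RULES: dict[str, set[str]] = {
    "wire_transfer_over_limit": {"finance", "operations"},
    "production_deploy": {"dev_lead", "sre"},
}


@dataclass(frozen=True)
class Approval:
    approver: str
    role: str


@dataclass
class Request:
    requester: str
    action: str
    approvals: list[Approval] = field(default_factory=list)


def approve(req: Request, approver: str, role: str) -> None:
    """Record an approval, rejecting the two ways one person could collapse the rule."""
    if approver == req.requester:
        raise PermissionError("requester cannot approve their own request")
    if any(a.approver == approver for a in req.approvals):
        raise PermissionError(f"{approver} has already approved; a second role needs a second person")
    req.approvals.append(Approval(approver, role))


def is_permitted(req: Request) -> bool:
    """Complete mediation: evaluated on every execution attempt, never cached."""
    required = TWO_PERSON_RULES.get(req.action)
    if required is None:
        return False                                 # unknown action -> deny (fail-safe default)
    roles_held = {a.role for a in req.approvals}
    people = {a.approver for a in req.approvals}
    return required <= roles_held and len(people) >= len(required)


def execute(req: Request) -> str:
    if not is_permitted(req):
        return f"denied: {req.action}"
    return f"executed: {req.action}"


if __name__ == "__main__":
    req = Request(requester="bob", action="wire_transfer_over_limit")
    print(execute(req))                      # denied: no approvals yet
    approve(req, "carol", "finance")
    print(execute(req))                      # denied: operations sign-off still missing
    approve(req, "dave", "operations")
    print(execute(req))                      # executed
    print(execute(Request("bob", "delete_backups")))   # denied: action not in the table
```

Note what is deliberately absent: there is no "allow" branch for an action the table does not know about, and no flag that lets a caller skip `is_permitted` because it already passed once. Both omissions are the principles doing their work.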
Cyber Security – Essential practices
10 Most Important Risks and Mitigation
Overreliance on security monitoring software:
Mitigation strategy: Understand and use a diverse portfolio of monitoring tools.
Inadequate system logging:
Mitigation strategy: Consider third-party software that allows you to refine the logging process and alert your personnel to significant incidents and events. Combined with a well-managed SIEM tool (see the caveat above), strong logging practices can help diversify your system defences.
Technology innovations that outpace security:
Mitigation strategy: Follow a “non-first adopter” policy and allow the software to prove itself for six months to a year before using the product. For organizations that develop software, keep a specific focus on security from the start of the development process.
Outdated operating systems:
Mitigation strategy: Track and plan for these major system changes to prevent systems from running unsupported software.
10 Most Important Risks and Mitigation
Lack of encryption:
Mitigation strategy: Use third-party software tools to aid with encryption. These tools can scan outbound emails for sensitive data and require the sender to use a secure file upload site or to encrypt the data before transmission. Laptop hard drives should have full-disk encryption that only unlocks the data after a user successfully logs into the device.
Data on user-owned mobile devices:
Mitigation strategy: Third-party applications allow each user to have a “sandbox” of data (a secured segment of your organization’s information accessible from the mobile device), including email and files stored in a secure directory on your organization’s system.
IT “diplomatic immunity” within your organization (IT staff exempt from the controls they administer):
Mitigation strategy: Complete user reviews of accounts and settings at least twice per year by independent auditors.
10 Most Important Risks and Mitigation
Lack of management support:
Mitigation strategy: Educate and encourage members of management who understand the need to
protect systems and are able to communicate that need throughout the organization.
Challenges recruiting and retaining qualified IT staff:
Mitigation strategy: Focus on capabilities, training, and retention to reduce turnover and develop a strong
IT security team.
Segregation of duties:
Mitigation strategy: Security should belong to a dedicated role, such as a Security Analyst or Chief
Information Security Officer
