Enterprise Cyber Security Fundamentals: Presented by Matt Constable

This document provides an overview and introduction to an enterprise cyber security fundamentals course. It outlines the course content which includes security basics, principles, roles, policies and awareness. It introduces the instructor and discusses class times, learning resources, study tips and contact information. The first week's topic is outlined as security basics, including goals of information security, security terminology, threats, and access control methodologies such as mandatory access control, discretionary access control and role-based access control.

Enterprise Cyber Security Fundamentals

Presented by Matt Constable


Module 1
Enterprise Cyber Security Short Course
Based on subject:
ITI581: IT Security Fundamentals

Part of the:
Master of Networking and Systems Administration
Master of Management (IT)
Overview
• Introduction & Security Basics
• Course welcome & introduction.
• Goals of Information Security
• Security Principles & Terminology
• Security Roles
• Security Policies
• Security Awareness
Introductions
Matt Constable
• 20+ years in the IT industry
• 14+ years Networking/Security/Wireless/VoIP
• Government, Education, Financial Services, Service Provider, Retail – Enterprise & Integration.
• B.Comp, M. Computer Security, various industry certs.
• I don’t have all the answers.
• Everyone brings something to the table!
Class Times
Webinars will run:
• Wednesday 19:30 AEDT (+11:00)
• Will be uploaded within 24 hours.
• YouTube
• Zoom link
• PDF copy of slides
• Numerous other resources available throughout the course as applicable.
Contact
• Easiest way is via course forums.
• Everyone can share in the Q & A.
Learning Resources
• Various resources on IT Masters Short Course System
• Weekly tasks
• Quizzes
• Range of individual and forum activities to help you learn; Please engage!
Study Tips
• Test yourself instead of re-reading notes – “retrieval practice”.
• Test yourself repeatedly – until it kills you!
• Talk out loud to yourself or a friend.
• Distinctiveness – How what you are learning is different from, or the same as, something else – “compare & contrast”
• Apply to your own experience!
• BEWARE OF FAMILIARITY
• Just because you are “familiar” with something…or have seen it before doesn’t mean you really *know* it…so practice, practice, practice.
• Read & study extensively!
Week 1 – Security Basics
• Goals of Information Security
• Security Principles & Terminology
• Security Roles
• Security Policies
• Security Awareness
Security Basics
Understanding Network Security
• Network security
• Mechanisms by which networked information assets are protected
• Primary Goals
• Protect confidentiality
• Maintain integrity
• Assure availability
CIA/DAD Triad
• Confidentiality - Disclosure
• Integrity - Alteration
• Availability - Denial
Understanding Network Security
• Security should ensure that users:
• Perform only tasks they are authorised to do
• Obtain only information they are authorised to have
• Cannot cause damage to data, applications, or operating environment
• Data exchanges are conducted in a secure and safe manner
Network Security Threats
What Causes Threats
• Technology weaknesses
• Configuration weaknesses
• Policy weaknesses
• Human error
Technology Weaknesses
• Some examples…
• TCP/IP
• Open protocol – developed to survive, not to be secure
• Many applications and services
• Operating systems
• Millions of lines of code – bugs, exploits
• Inherently insecure
• Network equipment
• Installation – relies on defaults (rarely changed)
• Often inflexible in ability to secure or upgrade easily
Configuration Weaknesses
• Some examples…
• Unsecured accounts
• System accounts with easily guessed passwords
• Misconfigured Internet services
• Unsecured default settings
• Misconfigured network equipment
• Trojan horse programs
• Vandals
• Viruses
Recent Example
• F-35 fighter story (12th Oct 2017)
Policy Weaknesses
• Some examples…
• Lack of a written security policy
• Politics
• High turnover
• Concise access controls not applied
• Software and hardware installation and changes do not follow policy
• Nonexistent disaster recovery plan
Human Error
• Some examples…
• Accident
• Ignorance
• Workload
• Dishonesty
• Impersonation – Social Engineering
• Disgruntled employees
Creating a Secure Network Strategy
• Address both internal and external threats
• Define policies and procedures
• Reduce risk across “perimeter” security
Creating a Secure Network Strategy
• Human factors
• Know your weaknesses
• Limit access
• Achieve security through persistence
• Develop change management process
• Remember physical security
• “Perimeter” security
• This is fluid now!
Authentication Models
• Single and multi-factor authentication
• One-factor authentication
• Use of single credential
• Two-factor authentication
• 2 different credentials
• Three-factor authentication
• 3 different credentials
• Very secure
Authentication Factors
• Something you know
• Password / Passphrase / PIN
• Something you have
• Token / swipe card
• Something you are
• Biometrics
• Somewhere you are
• GPS / IP Subnet / VLAN
• Something you do
• Habitual behaviour
• Multifactor stronger
• 2 & 3 factor common
• Biometrics strongest
SSO Authentication
• Single sign-on
• Identity management
• Using a single authenticated ID to be shared across multiple networks
• Federated identity management (FIM)
• Used when networks are owned by different organizations
• Single Sign On (SSO)
• Windows Live ID
• When the user wants to log into a Web site that supports Windows Live ID the user will first be redirected to the nearest authentication server
• Once authenticated, the user is given an encrypted time-limited “global” cookie
Access Control Methodologies
Access Control Methodologies
• Access control
• The process by which resources or services are granted or denied on a computer system or network
• 4 ACMs (access control models) we will discuss
Access Control Terminology
• Identification
• A user accessing a computer system would present credentials or identification, such as a username
• Authentication
• Checking the user’s credentials to be sure that they are authentic and not fabricated
• Authorization
• Granting permission to take the action
Access Control Terminology
• Computer access control can be accomplished in one of three ways: hardware, software, or policy
• Access control can take different forms depending on what is being protected
• Other terminology is used to describe how computer systems impose access control:
• Object
• Subject
• Operation
Access Control Models
• Access control model
• A predefined framework for hardware and software developers who need to implement access control in their devices or applications
• Once an access control model is applied
• Custodians configure security based on parameters set by the owner
• Enables end users to do their jobs
Access Control Models
• Mandatory Access Control (MAC)
• End user cannot implement, modify, or transfer any controls
• The owner and custodian are responsible for managing access controls
• Most restrictive model as all controls are fixed
• In the original MAC model, all objects and subjects were assigned a numeric access level
• The access level of the subject had to be higher than that of the object in order for access to be granted
Access Control Models
• Discretionary Access Control (DAC)
• The least restrictive
• A user has total control over any objects that they own
• Along with the programs that are associated with those objects
• In the DAC model, a subject can also change the permissions for other subjects over objects
Access Control Models
• DAC has two significant weaknesses
1. Relies on the end-user to set the proper security parameters
2. A subject’s permissions will be “inherited” by any programs that the subject executes
Access Control Models
• Role Based Access Control (RBAC)
• Sometimes called Non-Discretionary Access Control
• Considered a more “real world” approach than the other models
• Assigns permissions to particular roles in the organization, and then assigns users to that role
• Objects are set to be a certain type, to which subjects with that particular role have access
Access Control Models
• Rule Based Access Control (RBAC)
• Also called the Rule-Based Role-Based Access Control (RB-RBAC) model
• Dynamically assign roles to subjects based on a set of rules defined by custodian
• Each resource object contains a set of access properties based on the rules
• Rule Based Access Control is often used for managing user access to one or more systems (SSO)
Access Control Models Summary

Name                                 Restrictions                                              Description
Mandatory Access Control (MAC)       End user cannot set security                              Most restrictive
Discretionary Access Control (DAC)   Owner has total control over objects                      Least restrictive
Role Based Access Control (RBAC)     Permissions assigned to roles, users assigned to roles    Real world approach
Rule Based Access Control (RBAC)     Roles assigned dynamically based on security parameters   Assigns access across multiple systems
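The four models in the table side by side, as an added example that is not part of the course slides: a toy policy decision point in Python with constructed subjects, objects, roles and rules. The MAC comparison follows the slide's wording (subject level must be higher than the object's); an unknown model name falls through to implicit deny.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    level: int = 0                              # MAC: numeric access level
    roles: set = field(default_factory=set)     # RBAC: roles assigned by the custodian
    attrs: dict = field(default_factory=dict)   # rule-based: attributes the rules inspect

@dataclass
class Obj:
    name: str
    owner: str
    level: int = 0                              # MAC: numeric access level
    otype: str = "generic"                      # RBAC: object type a role is granted
    acl: dict = field(default_factory=dict)     # DAC: subject name -> set of operations

def mac_allows(s: Subject, o: Obj) -> bool:
    # As worded on the slide: the subject's level must be higher than the object's.
    return s.level > o.level

def dac_grant(granter: Subject, o: Obj, target: str, ops: set) -> bool:
    # DAC: only the owner may hand out permissions; the end user sets security.
    if granter.name != o.owner:
        return False
    o.acl.setdefault(target, set()).update(ops)
    return True

def dac_allows(s: Subject, o: Obj, op: str) -> bool:
    return s.name == o.owner or op in o.acl.get(s.name, set())

# RBAC: permissions go to roles, users are then assigned to roles (constructed sample).
ROLE_PERMS = {"accountant": {("ledger", "read"), ("ledger", "write")},
              "auditor": {("ledger", "read")}}

def rbac_allows(s: Subject, o: Obj, op: str) -> bool:
    return any((o.otype, op) in ROLE_PERMS.get(r, set()) for r in s.roles)

# Rule-based: roles are assigned dynamically by custodian-defined rules (constructed sample).
RULES = [lambda s: "auditor" if s.attrs.get("subnet") == "10.9.0.0/24" else None]

def rule_based_allows(s: Subject, o: Obj, op: str) -> bool:
    dynamic_roles = {rule(s) for rule in RULES} - {None}
    return rbac_allows(Subject(s.name, roles=dynamic_roles), o, op)

def decide(model: str, s: Subject, o: Obj, op: str = "read") -> bool:
    checks = {"MAC": lambda: mac_allows(s, o),
              "DAC": lambda: dac_allows(s, o, op),
              "RBAC": lambda: rbac_allows(s, o, op),
              "RULE": lambda: rule_based_allows(s, o, op)}
    return checks.get(model, lambda: False)()   # implicit deny for anything unknown
```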
Access Controls Strategies
• Separation of duties
• If the fraudulent application of a process potentially results in a breach of security the process should be divided between multiple individuals
• Job rotation
• Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another
Access Controls Strategies
• Least privilege
• Each user should be given only the minimal amount of privileges necessary to perform their job
• Implicit deny
• If a condition is not explicitly met, then it is to be rejected
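Separation of duties, least privilege and implicit deny applied to one two-step process, as an added example that is not from the course slides. The payment workflow, the clerk and manager roles and the principals are constructed; it goes slightly beyond the slide by enforcing the separation per transaction, so a person holding both roles still cannot approve what they submitted.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the clerk role may only submit, the manager role may only approve.
ROLE_PERMS = {"clerk": {"submit"}, "manager": {"approve"}}

@dataclass
class Payment:
    amount: int
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None

@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)

    def may(self, action: str) -> bool:
        # Least privilege: an action is allowed only if some held role grants it.
        return any(action in ROLE_PERMS.get(r, set()) for r in self.roles)

def act(p: Principal, action: str, pay: Payment) -> bool:
    """Apply one step of the process; returns True only when the step was performed."""
    if not p.may(action):                       # implicit deny: not granted means rejected
        return False
    if action == "submit" and pay.submitted_by is None:
        pay.submitted_by = p.name
        return True
    if action == "approve" and pay.submitted_by and pay.approved_by is None:
        # Separation of duties: whoever submitted a payment may not approve that same
        # payment, even if they hold both roles.
        if p.name == pay.submitted_by:
            return False
        pay.approved_by = p.name
        return True
    return False                                # every other state/action pair is denied
```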
Awareness
• Social Engineering
• Clever manipulation of the human tendency to trust others
Awareness
• Many different ways to build awareness
• Should be part of all induction programs
• But is not normally
Awareness Roles
Minimum Security Awareness
Security Awareness Program
• Identify compliance or audit standards that your organization must adhere to
• Identify security awareness requirements for those standards
• Identify organizational goals, risks, and security policy
• Identify stakeholders and get their support
• Create a baseline of the organization’s security awareness
• Create project charter to establish scope for the security awareness training program
• Create steering committee to assist in planning, executing and maintaining the awareness program
• Identify who you will be targeting
• different roles may require different/additional training
• employees, IT personnel, developers, senior leadership
• Identify what you will communicate to the different groups
• goal is shortest training possible that has the greatest impact
• Identify how you will communicate the content
• three categories of training
• new, annual, and ongoing
Security Awareness Program
• Get the tools/resources you need to get it operating
• How are you going to evaluate its success?
• Who do you communicate with/engage?
• Implement multiple training options to cover different learning styles
• Track employee progress
Security Awareness Program
• Review program at least annually
• Identify new/changing threats
• Evaluate implementation
• Ask for employee feedback
• Keep management engaged and on side
Next Week
• Attacks & Threats
• Network Attacks
• Password Attacks
• Application Attacks
• Human Attacks
• Identification of Threats
Questions?