Security
Architecture
Final
September 2019
Table of Contents
7.1.2. Identification and analysis of active devices, associated ports and services
Table 21. Illustrative SLAs for service providers for security implementation services
Figure 2. Heat map showing geographical commitment towards cyber security around the world
AV Anti-Virus
DB Database
HR Human Resources
IT Information Technology
LD Liquidated Damages
N/W Network
OS Operating System
VM Virtual Machine
1. Equifax
Incident:
o Personal data of 145 million consumers breached
o Data includes SSN, personal data, documents, driving licenses, passwords
o Data of residents of multiple countries (US, UK, Canada)
Impact:
o Over 300 million USD of breach expenses in the first year and 300 million USD expected in second year
o Offered lifetime free service to customers to control data, costing anywhere from 55 million USD to 100 million USD
o Share price dropped early next day by 13%
o Multiple contracts worth millions of USD suspended
o Multiple lawsuits costing millions of USD from individual and organisations perspective

3. Yahoo
Incident:
o In 2016, Yahoo disclosed two separate breaches involving approximately 1 billion and 500 million users in 2013 and 2014, respectively.
o In 2017, Yahoo reportedly increased its estimate of the number of users affected to 3 billion (all of its users at the time of the breach).
Impact:
o A decline in the acquisition price of the company of 350 million USD
o Direct cost to the expenses caused due to breaches
o 43 consumer class action lawsuits

4. Anthem
Incident:
o Data of 78.8 million customers leaked
o Various types of personal information, including names, birthdays, health care identification/social security numbers, street addresses, email addresses, phone numbers and employment information, including income data
Impact:
o Lawsuits costing over 115 million USD
o Attorney fees of over 31 million USD
o 16 million USD paid to health department as part of penalties
o 12 million USD on initial forensic investigation
o Free credit monitoring and identity protection services to those affected (reportedly for two years)
o Ongoing investigations by various state and federal regulators

5. Target
Incident:
o Massive data breach at Target corporation where 40 million credit card numbers and Personally Identifiable Information (PII) of 70 million customers were compromised
o Data sold in underground market at a price of $20 – $45 / card
Impact:
o Cost to Target over 200 million USD
o 90+ lawsuits filed
o Profits fell by 50% and share price fell by 11% in the fiscal when it was reported
o The CIO (Chief Information Officer) of Target resigned
o Overhaul of security at Target
o Lawsuits against security auditor and contractor

6. Saudi Aramco
Incident:
o Saudi Aramco, one of the largest companies in the world with the largest SAP implementation, was hit by a
Impact:
o 75% of the company systems affected

7. Iran
Incident:
o Stuxnet reportedly ruined almost one fifth of Iran's nuclear centrifuges. It also targeted industrial control systems, over 200,000 computers and caused 1,000 machines to physically degrade
o The worm caused the centrifuges to malfunction by varying their frequency. The stress caused by this destroyed the machines
Impact:
o Ruined almost one fifth of Iran's nuclear centrifuges

8. TCS
Incident:
o TCS was fined for Intellectual Property breach for allegedly stealing healthcare software from an American company, Epic Systems.
Impact:
o TCS was fined 940 million USD in 2014 for IPR infringement
o TCS paid 440 million USD to Epic Systems as part of penalty

9. Marriott
Incident:
o Marriott suffered a massive data breach affecting up to 383 million customer records, 25 million passport numbers, and 8 million payment card details
Impact:
o Breach came under GDPR and fines included up to 4% of global turnover
o Shares subsequently fell by 5.6%
o Potential 1 billion USD in regulatory fines and litigation costs
As per the Global Cybersecurity Index 2018 by ITU, Nepal is one of the countries that have just started to
initiate commitments in cyber security, and still has a long way to go.
Figure 2. Heat map showing geographical commitment towards cyber security around the world
Countries that have developed complex commitments and engage in cyber security
programmes and initiatives
Countries that have started to initiate commitments in cyber security – Includes Nepal
Source: itu.int/en/ITU-D/Cybersecurity/Pages/national-CIRT.aspx
The various components of the security architecture are explained in detail in later sections.
2. Define and document applicable regulatory and security policy requirements
A written security policy for the organization should be in place, and there should be regular notification and education established for employees. International standards ISO/IEC 27001 and ISO 27002 are good to start the formation of a security policy, and can be used to assess the security readiness of an organization.

3. Define the required security capability
Security considerations can conflict with functional considerations and a security advocate is required to ensure that all issues are addressed and conflicts of interest do not prevent explicit consideration of difficult issues.
Executive policy decisions should be established at this point about what security policies can be negotiable and which policies should be enforced.

4. Implement security architecture tools
The approach to security tools may be based on usage of standard office productivity applications, or may be based on a customized deployment of specialist security architecture tools and techniques.

3. Determine and document applicable disaster recovery or business continuity plans/ requirements
Any existing disaster recovery and business continuity plans should be understood and their relationship with the planned system defined and documented.

4. Identify and document the anticipated physical/ business/ regulatory environment(s) in which the system(s) will be deployed
All architecture decisions should be made within the context of the environments within which the system will be placed and operated.
Physical environments that should be documented may include commercial environments, outdoor environments, mobile environments, etc. of the organization.
In a similar fashion, the business environment should be defined. Potential business environments may include different assumptions regarding users and interfaces, and those users or interfaces may carry the onus of regulatory environments in which the system should operate.

1. Determine who are the legitimate actors who will interact with the organizational products/ services/ processes
Development of the business scenarios and subsequent high-level use-cases of the project concerned will bring to attention the people actors and system actors involved.
It should also be borne in mind that users may not be humans; software applications may be legitimate users. Those tending to administrative needs, such as backup operators, should also be identified, as should users outside boundaries of trust, such as Internet-based customers.

2. Assess and baseline the current security-specific business processes (enhancement of existing objective)
The business process regarding how actors are vetted as proper users of the system should be documented.
Consideration should also be made for actors from outside the organization who are proper users of the system.

4. Identify and document interconnecting systems beyond project control
Every system should rely upon existing systems beyond the control of the project. These systems possess advantages and disadvantages, risks and benefits. Examples include the Domain Name System (DNS) that resolves computer and service names to Internet addresses, or paper currency issued by the local treasury. The address returned by the host or service DNS may not always be trustworthy; paper currency may not always be genuine, and recourse will vary in efficacy between jurisdictions. These interfaces should be understood and documented.

5. Determine the assets at high risk if
Assets are not always tangible and are not always easy to quantify. Examples: loss of life, loss of market value, loss of customer trust.

6. Determine the cost (both qualitative and quantitative) of asset loss/ impact in failure cases
Assets most challenging to quantify can be the most valuable and should not be neglected. Examples: organizational reputation

7. Identify and document the ownership of assets
Assets may be owned by outside entities, or by inside entities. Inside entities may be owned by individuals or by organizations.

9. Identify the criticality of the availability and correct operation of the overall service
The risks associated with loss of availability should be identified. Examples: power failure, human error, natural disasters

10. Determine and document how much security (cost) is justified by the threats and the value of the assets at risk
A quantitative risk analysis (an understanding of the value of assets at risk and the likelihood of potential threats) provides an important guideline for security investments in mitigation strategies for the identified threats. It is understood that an asset worth amount “$” should not be protected with security measures worth “2$”.

3. Determine and document the sensitivity or classification level of information stored/ created/ used
The absence of any official classification does not necessarily absolve the onus on maintaining the confidentiality of data. Consideration should be made to determine and document the sensitivity and classification of information within the organization.

4. Identify and document custody of assets
All assets of value are kept and maintained on behalf of the owner. The specific persons or organizations charged with this responsibility should be identified.

5. Identify the criticality of the availability and correct operation of each function
Presumably, in the event of system failure or loss of functionality, some value is lost to stakeholders. The cost of this opportunity loss should be quantified, if possible, and documented.

7. Identify what aspects of the system should be configurable to reflect changes in policy/ business environment/ access control
Systems should evolve to accommodate change. Systems architected for ready reconfiguration will better reflect that change and result in lower cost over the life of the system.
Security is enhanced when security-related changes can be implemented inexpensively and are, hence, not sidelined.

8. Identify lifespan of information used as defined by business needs and regulatory requirements
Information maintained beyond its useful lifespan represents wasted resources and, potentially, business decisions based upon suboptimal data. Regulation, however, sometimes mandates the timetable for maintenance of information as archival data. In this regard, lifespan of information stored should be identified and documented.

9. Identify actions/ events that warrant logging for later review or triggering forensic processes
Logging will help reconstruct chains of events, facilitate root cause analysis, and, potentially, establish evidence for civil or criminal action.
Logs should be regularly reviewed to identify malicious attacks on a system.

2. Identify methods to regulate consumption of resources
As resources are reaching their end-of-life period, functionality may be impaired or may fail altogether. Steps that may identify such resources and recognize resource depletion period, can enhance the overall reliability and availability of the systems.

2. Engineer mitigation measures addressing identified risks
Having determined the risks amenable to mitigation and evaluated the appropriate investment in that mitigation as it relates to the assets at risk, those mitigation measures should be designed, implemented, deployed, and/or operated.

3. Evaluate tested and re-usable security software and security system resources
Since design, code, and configuration errors are the roots of many security vulnerabilities, taking advantage of any problem solutions already engineered, reviewed, tested, and field-proven will reduce security exposure and enhance reliability.

4. Identify new code/ resources/ assets that are appropriate for re-use
Populate the Architecture Repository with new security building blocks.

2. Implement assurance methods by which the efficacy of security measures will be measured and communicated on an ongoing basis
During the operational phases, mechanisms are utilized to monitor the performance of many aspects of the system. Its security and availability are no exception.

3. Identify correct secure installation parameters, initial conditions, and configurations
Security of any system depends not on design and implementation alone, but also upon installation and operational state. These conditions should be defined and monitored not just at deployment, but also throughout operation.

4. Implement disaster recovery and business continuity plans or modifications
Plans for business continuity and disaster recovery of operations should be implemented at this stage.

2. Implement methods and procedures to review evidence produced by the system that reflects operational stability and adherence to security policies
While planning and specification is necessary for all aspects of a successful enterprise, they are insufficient in the absence of testing and audit to ensure adherence to that planning and specification in both deployment and operation. Among the methods to be exercised are:
o Review system configurations with security impact which can be modified to ensure configuration changes have not compromised security design
o Audit the design, deployment, and operations against security policies and business objectives
o Run test cases against systems to ensure the security systems have been implemented as designed
o Run business continuity and disaster recovery tests

2. Incorporate security-relevant changes to the environment into the requirements for future enhancement
Changes that arise as a result of a security problem or new security technology will feed into the Requirements Management process.
36 Nepal GEA 2.0 Security Architecture | Organizational Context and Security Objectives
4. Organizational Context and Security Objectives
4.1. Organization Structure
Governance in Nepal has moved from a centralised to a federated structure, which has multiple advantages such as
division of powers between center and states, people being more interested in local and regional affairs, better
political organization, etc.
In consideration of governance changes from GEA 1.0 to GEA 2.0, the following governance structure for
organization of information security in Nepal has been established.
4.2. Roles and Responsibilities
The roles and responsibilities as per the updated federated governance structure of GEA 2.0 for center,
provinces, and local bodies are given in the following sections.
Managing the development and implementation of the information security policy and its procedures to
ensure on-going maintenance of information security.
Verifying and validating that non-disclosure agreements are signed by users and third parties including
contractors and vendors.
Organizing and conducting information security training to relevant users across departments.
Carrying out risk assessment on an on-going basis and updating management.
Ensuring adequate physical security to protect organizational assets across primary and secondary data
centre sites and all functions.
Enforcing effective implementation of physical security for primary and secondary data centre sites.
Responding to queries related to physical security process and procedures.
Reviewing physical access rights periodically and taking corrective actions as required.
Responding to escalated security incidents and tracking repeated incidents for taking preventive actions.
Liaison management with external agencies such as law, cyber-crime authorities to meet statutory and
legal requirements.
Identifying and introducing new processes to reduce security vulnerabilities.
Reporting to management on security violations and exceptions.
S.No. Role / Domain Responsibilities
Be primarily responsible for risk, data security and access of third party partners and vendors to whom line
of business has been outsourced.
Review, at a defined frequency, the self-assessment of third parties to whom line of business has been
outsourced.
Conduct security assessments and audits of third party processes/ sites.
Define information security requirements for third parties in concurrence with the information security team
of the organization.
Provide agreement on security classification of infrastructure components.
Maintain applicable security tools and applications.
Monitor secure status on each system and network within its control.
Have primary ownership to comply with specific security policies, which shall be applicable for systems
development and acquisition.
Report on security weaknesses and breaches to the management.
Drive endpoint and server security.
HR department should ensure that:
o Employees and contractors understand their responsibilities and are suitable for the roles they are
considered for, so as to reduce the risk of theft, fraud or misuse of facilities.
o Relevant employees of the organization and contractors receive appropriate awareness training
and regular updates in organizational policies and procedures, as relevant for their job function.
Legal department should:
o Assist in negotiation of insurance coverage and/or contracts transferring risk, where available.
o Look into the legal effectiveness of policy and legal contractual documents within their objective, which
should abide by all legal obligations.
o Engage with cyber security police officials, lawyers, and government agencies as required.
IT Department should:
o Govern and provide the operating parameters for individuals and operating units for the use of the
IT systems, networks, architecture, etc.
o Maintain IT security and data assurance in the organization.
Respective heads of all aforementioned departments should provide leadership to the agreed security program
by driving the same to the teams under their management and mandate compliance. All functional team heads
should designate a suitable and qualified team member who should report the incidents and effectiveness of
security control to CISO/ ISM/ information security team/ CIO.
5. Leadership Commitment and Support for Security
5.1. Leadership Commitment
It is important that the top management of an organization is involved in the decision-making and demonstrates
leadership commitment with respect to the security policy and architecture. This can be done by:
Ensuring the information security policy and the information security objectives are established and are
compatible with the strategic direction of the organization;
Ensuring the integration of the security policy and architecture requirements into the organization's
processes;
Ensuring that the resources needed for the security architecture and policy are available;
Communicating the importance of effective information security management and of conforming to the
information security management system requirements;
Ensuring that the security policy and architecture achieve their intended outcome(s);
Directing and supporting persons to contribute to the effectiveness of the security policy and architecture;
Promoting continual improvement;
Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of
responsibility.
To ensure an appropriate level of support of organizational missions and the proper implementation of current
and future information security requirements, each organization should establish a formal information security
governance structure. In this regard, an illustrative information security governance structure has been included
as part of section – “organization structure” of this security architecture.
Information security governance can be defined as the process of establishing and maintaining a framework
and supporting management structure and processes to provide assurance that information security strategies
are aligned with and support business objectives, are consistent with applicable laws and regulations through
adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage
risk.
An effective security governance structure provides a multitude of benefits to the organizational management:
Top management visibility: Provides top management with clear visibility and a strategic agenda on
cyber security matters
Investment prioritization: Helps prioritize resource investment to reduce cyber-related risks to an
acceptable level
Activities steering: Creates levers and enables top management to steer cyber security efforts and
coordinate them across all stakeholders
Stronger ownership: Establishes clear ownership of domains and processes with a clearly defined set of
roles and responsibilities
Progress monitoring: Oversees cyber security progress by establishing a clearly delineated program
scope with formal feedback loops
The following list is a summary of good information security governance practices that are critical for ensuring
the security of enterprise information assets and should be followed as part of this security architecture:
Information security responsibilities should be assigned and carried out by appropriately trained individuals.
Individuals responsible for information security within the organization should be held accountable for their
actions or lack of actions.
Information security priorities should be communicated to stakeholders of all levels within an organization to
ensure a successful implementation of an information security program.
Information security activities must be integrated into other management activities of the enterprise,
including strategic planning, capital planning, and enterprise architecture.
Information security managers should continuously monitor the performance of the security program/ effort
for which they are responsible, using available tools and information.
Information discovered through monitoring should be used as an input into management decisions about
priorities and funding allocation to effect the improvement of security posture and the overall performance
of the organization.
The minutes of meeting and action items for every management review meeting should be clearly defined,
documented, and tracked.
the business functions. For security resourcing, it is important to focus on both the people aspect as well as the
technological aspect. These two together will form the crux of the security in an organization.
The following principles should be observed while addressing the sourcing of the human resources component
for security:
Leverage People: At the end of the day, if an organization creates an elegant design but cannot staff it
with the right talent, it is likely to fail. Hence, finding the right talent and hiring them should be of prime
importance.
Identification of roles to protect critical specialists: While sourcing, the organization should have a
clear understanding of the roles for which it is hiring and the specific responsibilities of the same.
Clarity of roles: In an increasingly dynamic and connected global economy, new organizations are
constantly being created and existing organizations are re-inventing themselves. In response, jobs and job
roles have been changing at a frenetic pace. Clarity of roles provides accountability, reduces confusion by
eliminating unintentional job overlap, establishes an objective basis for measuring and managing
performance and improves collaboration.
Optimize hierarchy: Any management layer should provide more value to lower levels than just
supervision.
Strengthen Accountability: If supervisors cannot assess their subordinates’ performance, they will not be
able to exercise adequate control. A good design strengthens accountability for work that the unit or
individual is performing.
The organization should base its sourcing on the above-mentioned principles.
Table 12. Attack surfaces and security technologies
Attack Surface: Human, Device, Network, Application
Security Technology to reduce Attack Surfaces: Vulnerability Assessment, Threat Intelligence, Data Loss Prevention, Data Discovery, BYOD, DDoS Protection, EDR, Digital Forensics, Malware Analysis, Tokenization, Encryption
The common security technologies, which can be leveraged to address threats posed to various attack
surfaces, are given below. The table summarizes technology description, features and adoption requirements.
1. Asset Discovery
Description: Asset Discovery helps organizations catalogue and locate its IT assets, providing a continuous profile of all assets on the organization’s network. The inventory information could then be used for configuration management.
Adoption Requirements: Endpoint, Server, Network Device

2. Configuration Management
Features: N/A
Adoption Requirements: Endpoint, Server, Network Device

3. Endpoint Management
Features: N/A
Adoption Requirements: Endpoint, Server
S.No. Area Description
Description: Identity and Access Management, enabled by its features, facilitates the management of digital identities. It enables authorized individuals to access resources at the right time for the right reasons.
Adoption Requirements: All organization-wide systems and applications should integrate with and leverage existing IAM solution.

Adoption Requirements: Where possible, all infrastructure and critical enterprise applications should integrate with the PIM solution.

6. Firewall
Description: Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Adoption Requirements: On the edge of network zones (all internal and external traffic must go through firewall)

Description: Virtual private network (VPN) is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely.
Features: N/A
Adoption Requirements: Endpoint

8. IDS/IPS
Description: Intrusion Detection System monitors network traffic and provides visibility into security posture of the network.
Intrusion Prevention System inspects network traffic based on predetermined rules, and decides if the data packets are allowed through or should be blocked.
Adoption Requirements: Network

Description: It allows users to access organization’s network and resources from remote locations while minimizing the risk that an attacker can gain unauthorized access to the same resources.
Adoption Requirements: Network

Description: It is a firewall that monitors, filters or blocks data packets as they travel to and from a web application. By applying rules for communication, it protects web applications from common attacks such as cross-site scripting (XSS) and SQL injection.
Adoption Requirements: Application

11. Vulnerability Assessment
Adoption Requirements: N/A

Description: SIEM solution centrally collects, stores, and analyses logs from perimeter to end user. It monitors for security threats in real time for quick attack detection, containment, and response with holistic security reporting and compliance management. When an attack occurs in a network using SIEM, the software provides insight into all the IT components (gateways, servers, firewalls, and so on).

13. Threat Intelligence

Description: Data Loss Prevention protects sensitive information from being lost, misused or accessed by unauthorized users. It covers data at rest, data in motion and data in use.
Adoption Requirements: Endpoint, Server, Network device

15. Data Discovery
Description: Data Discovery helps collect data from various locations such as databases and endpoints, consolidating it into a single source that can be easily and instantly evaluated. It allows users to search for specific items or patterns in data set. It also leverages business intelligence enabling users to build insights about organization’s data.
Features: Visualization, Search engine, Data transformation
Adoption Requirements: Endpoint, Shared drive

16. Database Firewall

17. Encryption
Description: Encryption translates data into another format so that only people with access to the decryption key can read it.
Adoption Requirements: Corporate system (laptop/ desktop)

18. Tokenization

19. Code Scanning
Description: Source code analysis tools are designed to analyse source code and/or its compiled versions to help organizations discover security flaws and vulnerabilities. Code scanning is usually performed as part of source code review.
Adoption Requirements: In-house developed software/ application

Description: GRC provides a common foundation for managing policies, controls, risks, assessments and deficiencies across organization’s lines of business.
Adoption Requirements: N/A

21. Digital Forensics
Description: Digital Forensics tools are used to search, preserve and analyse information obtained from incident victim device and use it as evidence.
Adoption Requirements: Network, Endpoint, Standalone solution

22. Malware Analysis
Adoption Requirements: Standalone solution

Description: Network ATP solution uncovers the stealthy threats that would otherwise evade detection by leveraging global cyber intelligence networks combined with local organizational context. It also prioritizes, investigates, and remediates advanced threats across organization network. By monitoring all traffic coming into or out of the network, the solution is able to inspect traffic using the multiple advanced detection technologies.

24. Email Security
Adoption Requirements: Server

Description: EDR tools typically record numerous endpoint and network events, and store this information either locally on the endpoint or in a centralized database. Databases of known indicators of compromise (IOC), behaviour analytics and machine-learning techniques are then used to continuously search the data for the early identification of breaches (including insider threats), and to rapidly respond to those attacks.
Features: Antivirus, Host-based Intrusion Detection System, Ingress/Egress firewall, APT
Adoption Requirements: Endpoint, Server

26. Penetration Testing
Adoption Requirements: N/A
Description: Network Access Control solution supports network visibility and access
management through policy enforcement on devices and users of
organization networks.
Adoption Requirements: Network
28. BYOD
Description: BYOD solution provides secure access to business email, apps and
content on any device, allowing employees to use their personal mobile
devices and laptops for work.
Adoption Requirements: Endpoint
29. DDoS Protection
Adoption Requirements: Network
Adoption Requirements: N/A
31. Fraud Detection
Adoption Requirements: N/A
6. Information Security Risk Management
Identification of information security risks that may have an adverse impact on the business processes
Analysis of these risks to determine the likelihood of occurrence and its consequences on business
operations
Identification of strategy for mitigation of risks down to either zero or to an acceptable level of risk.
Given below is a reference risk management framework that should be followed by organizations. The given
framework is referenced from the standard ISO 27005 and is internationally recognized.
1. Inadequate patch management process
Missing patches can leave loopholes in IT systems, and have the potential to present serious
cyber security risks to the affected systems.
2. Unnecessary system access
Unmanaged system access can result in personnel obtaining, changing, or deleting information
that they are no longer authorized to access. Related problems include:
o Administrators with false assumptions of what actions any one user may be capable of
performing
o Unauthorized disclosure of information: Disclosure of confidential, sensitive or
embarrassing information can result in loss of credibility, reputation, market share, and
competitive edge
o Loss of productivity: Misuse of IT resources such as network bandwidth may cause slow
response times, delaying legitimate computer activities that, in time-critical applications
such as stock trading, can be very costly
o One user (or many individual users) with sufficient access to cause complete failure
o Inability to prove responsibility for a given action or hold a party accountable
o Accidental disruption of service by untrained individuals
7. Ineffective risk management process
Lack of an adequate risk management process may result in the organization focusing its
resources on mitigating risks of little impact or likelihood, while leaving more important risks
unaddressed. It may also result in lack of focus on actual risks that the organization may be
facing.
9. Insecure SDLC
Failure to secure the SDLC during software development can leave the software susceptible to
many application layer security risks. It can further increase business risks and the cost of
security testing and resolution.
10. Lack of physical security
Failure to maintain proper physical security controls may adversely affect the confidentiality,
integrity, and availability of the information.
11. Failure to incorporate security requirements in RfPs
Acquisition of products and services that do not meet security requirements or ones for which
security features are misunderstood.
12. Failure to request results of independent security testing of hardware and software prior to
procurement
Acquisition of products that do not meet security requirements or ones for which security
features are misunderstood.
14. Failure to request information from a third party on its secure SDLC process
An SDLC process that does not follow security development practices will likely result in
insecure software.
Based on risk assessment, mitigation planning, and organizational context, the various processes, which
organizations should implement as security best practices, are given below.
2. Personnel security
Human resources play a very important role in ensuring information security within the
organization. Therefore, it becomes important to address information security requirements
related to employees throughout the lifecycle of an employee/ staff from hiring to separation.
These include, but are not limited to, background checks, training, deletion of access etc.
3. Physical and environmental security
Effective physical security measures help protect against unauthorized access, damage, or
interference in areas where critical or sensitive information is prepared or located, or where
information processing services supporting key business processes are hosted.
The requirements and placement of each physical security barrier / control should depend upon
the value of the information or service being protected.
Each level of physical protection should have a defined security perimeter, around which a
consistent level of physical security protection should be maintained.
Physical information processing resources that support key business processes should be
housed in a secure area that should be designed to reasonably protect the resources from
unauthorized physical access, fire, flooding, explosions, and other forms of natural or man-made
disaster.
4. Communications and operations management
Communication will help to minimize information security risk to a great extent and protect the
organization against the threat of unintended information disclosure.
The primary objectives of communications and operations management include:
o Correct and secure operation of systems
o Responsibilities and procedures for management and operation of systems are established
o Segregation of duties, where appropriate, is implemented
o Development, test, and production environments are separated
o Appropriate information security and service delivery in line with contractual agreements
o Risk of system failures is minimized
o Availability of adequate capacity to deliver required system performance
o Safeguards are implemented to prevent, detect, and remove malicious code
o Integrity and availability of information and information technology are maintained, etc.
5. Change management
The objective of this process is to ensure all changes are assessed, approved, implemented and
reviewed in a controlled manner.
The primary purpose of the change management process is to ensure that standardized
methods and procedures are used for efficient and prompt handling of all changes, in order to
minimize the impact of change-related incidents upon service quality and consequently to
improve day-to-day operations of the organization.
6. Third party management
In order to have a seamless expected level of service from third parties, organizations should
have effective procedures controlling and monitoring the third party’s activities to ensure
confidentiality, integrity and availability of information, enabling organizations to provide
services and conduct their operations without any interruptions.
The objective of third party management is to ensure that third parties who are given access to
the organization’s information and facilities have extremely limited and controlled access to the
information systems assets, and to apply preventive and monitoring mechanisms commensurate
to the level of criticality and sensitivity of the information shared.
7. Systems planning and acceptance
Systems planning and acceptance processes enable system/ capacity planning and new system
acceptance into the existing infrastructure to minimize the risk of system failures.
This process also entails advance planning and preparation required for ensuring the
availability of adequate capacity and resources to deliver the required system performance, and
on the acceptance and use criteria with respect to the operational requirements of new systems.
8. Antivirus and malicious software control
Organizations use various types of software and information assets that may be vulnerable to
the introduction of malicious code, such as computer viruses, network worms, trojan horses and
bots.
Malicious software control processes aim to detect and prevent the spread of viruses, malicious
code and other spyware/ malware through mobile codes and other modes in order to secure the
various information assets owned by the organization.
The process includes the controls regarding detection, prevention, and recovery, and
appropriate user awareness processes to avoid unauthorized use or disruption of system,
network, or application resources and other breaches of information security.
9. Data backup and restoration
The purpose of the backup and restoration process is to maintain the integrity and availability of
information and data present in the organization.
This includes routine processes for carrying out the agreed back-up strategy, taking backup
copies of data and rehearsing their timely restoration.
Adequate back-up facilities should be provided to ensure that all essential information and
software can be recovered following an application failure/ malfunction, data corruption, media
failure or a disaster.
11. Media handling
Organizations generally use various types of media to store data and information. The main
types are paper, compact disks, and magnetic tapes. Media contains confidential proprietary
information that needs to be appropriately handled.
All organizational information should be protected and safeguarded from being leaked out. In
this regard, processes for media storage, protection mechanisms (such as passwords, lock &
keys) for the same, transportation mechanisms, review and replacement of IT media, and
disposal of media should be established.
12. Monitoring
Monitoring processes are necessary to ensure that users are only performing activities that have
been explicitly authorized.
Monitoring is an important aspect of security as it serves a dual purpose: it acts as a deterrent to
malicious activity and provides audit trails for reconstruction whenever required.
Monitoring should be performed in a systematic manner and procedures should be administered
to ensure the required controls are in place around the monitoring mechanism.
13. Access control
It is important to implement an effective and efficient process for user access management since
it reduces the risks associated with unauthorized access, modification or disclosure of data that
could lead to compromise of critical information, which in turn could result in financial and
reputation losses to the organization.
The user access management process is deployed for controlled access to information and
information resources based on organizational business and security requirements.
Consistent and robust processes should be in place for user access provisioning, user access
de-provisioning, privilege access management, password management, and periodic review of
user access.
15. Cryptography management
This process addresses the use of cryptographic controls to protect the confidentiality,
authenticity or integrity of information. This process assures that the organization has
capabilities to deal with increasing data / information security requirements.
The implementation of cryptographic security controls is important for organizations to ensure
that the information systems are secure, and compliant with legal and regulatory requirements.
17. Information labelling and handling
The information labelling and handling process enumerates a set of rules for information
labelling and handling which should be implemented in accordance with the classification
scheme adopted by the organization.
This process details the procedures to label and handle the organization’s information systems
assets in order to protect them from unauthorized disclosure and misuse.
The information labelling and handling process should be used in conjunction with the
organization’s asset classification process and standard.
18. Audit management
The purpose of this process is to familiarize all concerned with the work practices adopted for
conducting information security audits (internal and external). An annual audit program should
be established that contributes to the determination of the effectiveness of information security
practices.
The management should ensure that audit objectives are established and entrust the lead
internal auditor with the responsibility to manage the program. Further, it will also help to
standardize the audit methodology and maintain optimum quality of results.
The audit program should focus on those entities that are of significance to the management of
the organization. The audit program should have one external and internal audit as part of the
audit calendar.
The external security audit should be conducted every year, and should be conducted by an
external agency to ensure compliance to the management system requirements. The internal
audits should be conducted by a separate team that is not part of the information security team.
19. Security control effectiveness measurement
The purpose of this process is to define the approach for measuring the effectiveness of
implemented security controls in order to lower the risk exposure to an acceptable level. The
risk analysis process defines the critical variables that, when monitored, show the risk exposure
level and effectiveness of the existing controls. Organizations should establish a measurement
system capable of determining the effectiveness of controls in accordance with Annex A of the
ISO 27001:2013 standard.
The objective of establishing this process is:
o To show ongoing improvement and enhancement of the information security controls.
o To show level of compliance (with standards, contracts, SLAs, OLAs, etc.).
o To justify the return on investment for the security controls implemented.
o To justify any past/ future expenditure (new security software, hardware, training etc.).
o To identify where implemented controls are not effective in meeting their objectives.
o To provide confidence to senior management and stakeholders that implemented controls are
capable of lowering the risk exposure of the organization to an acceptable level.
20. IT infrastructure and application security governance
The objective of this process is to establish security governance gates to move new IT
infrastructure (server/ device) or an application to the production environment. This process
should be applicable to all applications that move from the pre-production/ development
environment to the production environment for the first time or for any further upgrades.
Any changes to production applications/ servers/ devices for business needs should follow the
change management process, and a security component should be a part of the change
management process.
It is important to carry out a security assessment of IT infrastructure, including servers, network
devices, applications and other components, before commissioning into production in order to
reduce information security risk and to ensure a safe and secure computing environment.
The IT infrastructure and application security process provides a guideline to secure the
production environment from known attacks and be compliant with legal requirements (such as
Electronic Transaction Rules 2064 (2007) and The Electronic Transactions Act, 2063 (2008)).
22. Exception management
Exceptions are deviations reported against the defined and approved organizational policies for
specified periods. Policy exceptions are reported due to a change in business circumstances or
due to any technology constraint.
The purpose of the exception management process is to ensure that an adequate mechanism is
in place to report any policy exception.
The main objectives of the exception management process are to ensure the following:
o Establish a process for obtaining exceptions to security policies, and to document, approve
and retain the policy exception records.
o Identification of risks that arise due to policy exceptions.
o Ensure risks are accepted by business owners.
o Implementation of appropriate controls to bring residual risk within the acceptable risk value
range.
o Track approved policy exceptions for the approved time period.
o Ensure policy exception extensions are contained and are not reported more than three times.
23. VPN access management
The objective of the VPN access management process is to ensure that only the authorized
users have access to the organizational systems.
26. Incident management
Information is an asset and, like other important business assets, the information asset has
value to an organization and consequently needs to be secured. Handling information breaches
is different from regular incident management and requires additional actions by an
organization.
An information security incident can impact any of the information attributes (confidentiality,
integrity and availability), and thus security incident response and management capability is
necessary for detecting information security incidents, minimizing loss and damage, mitigating
the exploited weaknesses and restoring information assets and facilities in a timely manner.
The objective of this process is to manage security incidents consistently and effectively.
Security incident response is the ability to detect and resolve problems that threaten people,
process, technology and facilities. This process ensures:
o Incident Identification
o Timely reporting & appropriate response
o Validation, Analysis
o Containment
o Restoration of partial or complete service based on management expectation
o Root Cause Analysis
o Employee Health & Safety during incident
o Embedment of incident learning into the organization
o Non recurrence
1. Unneeded services running on organizational network
Many operating systems are shipped and installed with a number of services running by default.
Every service that runs is a security risk, partly because intended use of the service may provide
access to system assets, and partly because the implementation may contain exploitable bugs.
Services should run only if needed, and an unneeded service is a vulnerability with no benefit.
2. Inadequate log management and integrity checking
Inadequate log management can lead to various security issues:
o Failure to detect critical events.
o Removal of forensic evidence.
o Log wipes.
Similarly, inadequate integrity checking can lead to issues such as:
o Compromise of smart device, head node, or utility management servers.
o Buffer overflows.
o Covert channels.
o Man-in-the-middle.
o Denial of service or distributed denial of service (DoS / DDoS).
4. Inadequate network segregation
Direct compromise of any portion of the network from any other portion of the network
Compromise of the utility network
VLAN hopping
Network mapping
Service / device exploit
Covert channels
Back doors
Worms and other malicious software
Unauthorized multi-homing
o Session hijacking
o Authentication sniffing
o Session injection
8. Insecure firmware updates
Insecure firmware updates may allow the introduction of malware into critical grid equipment. As
this malware can potentially alter the behaviour of that equipment, the consequences can be
serious.
9. Application layer risks (such as OWASP Top 10)
Exploitation of application layer weaknesses may result in a confidentiality, integrity, or
availability impact on the system.
Refer to Annexure 3 – Common Web Application Security Risks and Security Vulnerabilities for
more details.
10. Insufficient patch management
Missing patches can leave loopholes in IT systems, and have the potential to present serious
cyber security risks to the affected systems.
Based on risk assessment, mitigation planning, and organizational context, an illustrative list of various security
tools and technologies, which organizations can implement as security best practices, is given in Section
“Tools and Technologies”.
6. File Integrity Checking
File integrity checkers provide a way to identify that system files have been changed, by
computing and storing a checksum for every guarded file and establishing a file checksum
database.
File integrity checking is most effective when system files are compared with a reference
database created using a system known to be secure; this helps ensure that the reference
database was not built with compromised files. The reference database should be stored offline
to prevent attackers from compromising the system and covering their tracks by modifying the
database.
Identifies changes to important files; can also identify certain forms of unwanted files, such as
well-known attacker tools
General file system knowledge; ability to use automated file integrity checking tools and
interpret the results
2. Network port and service identification
Network port and service identification involves using a port scanner to identify network ports
and services operating on active hosts and the application that is running each identified
service.
Discovers active devices
Discovers open ports and associated services/ applications
General TCP/IP and networking knowledge; knowledge of ports and protocols for a variety of
operating systems; ability to use port scanning tools; ability to interpret results from tools
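The file integrity checking technique described above, as an added example that is not code from the GEA document: it computes a SHA-256 checksum for every guarded file, compares the live tree with the reference database, and refuses a reference database whose digest no longer matches the value recorded with the offline copy. The function names, the seal digest and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_database(root):
    """Return {relative_path: checksum} for every regular file under root."""
    database = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            relative = os.path.relpath(full, root).replace(os.sep, "/")
            database[relative] = sha256_file(full)
    return database


def seal(database):
    """Digest of the canonical database, kept with the offline copy (assumption)."""
    canonical = json.dumps(database, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check(root, database, recorded_seal):
    """Compare the live tree with the reference database."""
    if seal(database) != recorded_seal:
        raise ValueError("reference database does not match its recorded seal")
    current = build_database(root)
    return {
        "modified": sorted(p for p in database
                           if p in current and current[p] != database[p]),
        "removed": sorted(p for p in database if p not in current),
        "added": sorted(p for p in current if p not in database),
    }


def write_file(root, relative, data):
    """Helper for the constructed sample tree."""
    path = os.path.join(root, *relative.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed tree: take the reference, change the tree, run the check."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "bin/login", b"login v1\n")
        write_file(root, "bin/ls", b"ls v1\n")
        write_file(root, "etc/hosts", b"127.0.0.1 localhost\n")
        reference = build_database(root)   # taken while the system is known good
        recorded_seal = seal(reference)    # stored offline with the reference

        write_file(root, "bin/login", b"login v1 (altered)\n")  # changed file
        os.remove(os.path.join(root, "bin", "ls"))              # missing file
        write_file(root, "tmp/dropped-tool", b"unexpected\n")   # not in reference
        report = check(root, reference, recorded_seal)

        # The on-host copy of the database is edited to hide the changed file.
        edited = dict(reference)
        edited["bin/login"] = sha256_file(os.path.join(root, "bin", "login"))
        try:
            check(root, edited, recorded_seal)
            edited_rejected = False
        except ValueError:
            edited_rejected = True
        return report, edited_rejected


if __name__ == "__main__":
    print(demo())
```

The "added" list corresponds to the capability of identifying unwanted files; the rejected edited database shows why the reference (or at least its digest) has to live somewhere the monitored host cannot write.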
Table 21. Illustrative SLAs for service providers for security implementation services
justification and
approval in place.
Submission of
report to the
organization.
All findings should be remediated in a timely manner to ensure minimal technology risk prior to system
commissioning.
Testing Scope
The penetration testing should cover the entire application and the infrastructure hosting the applications
(e.g. web/ app server, DB server etc.)
The web/ mobile application penetration test should cover all functions and pages of the application.
Whitebox/ greybox testing should be conducted on the production code in a UAT environment.
Where applicable, the testing result should be verified in production environment in a non-intrusive manner.
Methodology
A phased information security assessment methodology offers a number of advantages. The structure is easy
to follow, and provides natural breaking points for staff transition. Its methodology should contain at minimum
the following phases:
Planning – Critical to a successful security assessment, the planning phase is used to gather information
needed for assessment execution – such as the assets to be assessed, the threats of interest against the
assets, and the security controls to be used to mitigate those threats – and to develop the assessment
approach. A security assessment should be treated as any other project, with a project management plan
to address goals and objectives, scope, requirements, team roles and responsibilities, limitations, success
factors, assumptions, resources, timeline, and deliverables.
Execution – Primary goals for the execution phase are to identify vulnerabilities and validate them when
appropriate. This phase should address activities associated with the intended assessment method and
technique. Although specific activities for this phase differ by assessment type, upon completion of this
phase assessors will have identified system, network, and organizational process vulnerabilities.
Post-Execution – The post-execution phase focuses on analysing identified vulnerabilities to determine
root causes, establish mitigation recommendations, and develop a final report.
The objective of network vulnerability assessments is to identify weaknesses, which may lead to
vulnerabilities on host systems and network devices being exploited remotely.
The purpose of application penetration testing is to identify the weaknesses and vulnerabilities on the web
and mobile applications and the associated web services and interfaces to other systems.
The test should follow a standardised methodology such as OWASP testing guide or other best practices.
The test should be a combination of automated scanning and manual testing.
The test shall include OWASP Top 10 vulnerabilities, SANS top 25, as well as the following areas:
o Buffer overflows
o Denial of Service (DoS)
o Insecure access control mechanism
o Malicious code injection
o Cross-Site Request Forgery (CSRF)
o Cross-Frame Scripting (CFS)
o Insecure authentication and session management
o Insecure direct object references
o Insecure cryptographic storage
o Insufficient transport layer protection
Reporting Format
The penetration testing and network vulnerability assessment report should include the following sections
91 Nepal GEA 2.0 Security Architecture | Annexure 2: Common Web Application Security Risks and
Security Vulnerabilities
9. Common Web Application Security Risks and Security Vulnerabilities
For web applications, common security risks should be tested and mitigated. Provided by OWASP, the top ten
web application security risks are given below:
1. A1:2017 - Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent
to an interpreter as part of a command or query. The attacker’s hostile data can trick the
interpreter into executing unintended commands or accessing data without proper authorization.
3. A3:2017 - Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial,
healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit
card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra
protection, such as encryption at rest or in transit, and requires special precautions when
exchanged with the browser.
7. A7:2017 - Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without
proper validation or escaping, or updates an existing web page with user-supplied data using a
browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or redirect the user to
malicious sites.
8. A8:2017 - Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do
not result in remote code execution, they can be used to perform attacks, including replay
attacks, injection attacks, and privilege escalation attacks.
10. A10:2017 - Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident
response, allows attackers to further attack systems, maintain persistence, pivot to more
systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach
is over 200 days, typically detected by external parties rather than internal processes or
monitoring.
The various attack vectors, security weaknesses, their impact, description of when a web application is
vulnerable to the above given risks, and a guideline on how these risks can be prevented along with example
attack scenarios can be obtained by all organizations from www.owasp.org.
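The A1:2017 Injection risk above, shown as a query built by concatenation beside the same query with a bound parameter. This is an added example, not code from the GEA document or from OWASP; the table, column names and rows are constructed, and Python's standard sqlite3 module stands in for whatever database the application uses.

```python
import sqlite3


def open_sample_db():
    """In-memory database holding three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (id INTEGER PRIMARY KEY, username TEXT, national_id TEXT)")
    conn.executemany(
        "INSERT INTO citizens (username, national_id) VALUES (?, ?)",
        [("asha", "ID-0001"), ("bikram", "ID-0002"), ("o'neil", "ID-0003")])
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the untrusted value becomes part of the SQL text."""
    query = ("SELECT username, national_id FROM citizens "
             "WHERE username = '" + username + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound and never parsed as SQL."""
    query = "SELECT username, national_id FROM citizens WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database and return (concatenated, bound)."""
    conn = open_sample_db()
    try:
        try:
            weak = lookup_concatenated(conn, username)
        except sqlite3.Error as exc:
            weak = "error: " + type(exc).__name__
        return weak, lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a legitimate name containing a
    # quote, and a value whose quote changes the meaning of the WHERE clause.
    for value in ("asha", "o'neil", "x' OR '1'='1"):
        weak, bound = compare(value)
        print(repr(value), "| concatenated:", weak, "| bound:", bound)
```

The concatenated query both breaks on a legitimate name that contains a quote and returns every row for the third input, while the bound query treats all three values as plain data.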
Some of the most dangerous errors that are the commonly reported security vulnerabilities, as described by
SANS, are given below. Apart from OWASP, all organizations should cater to these.
1. CWE-89: Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection')
3. CWE-120: Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
4. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting')
10. Annexure 3: Cloud Security
IdAM
IdAM should be used for federated authentication via SAML 2.0. Exception should be requested through the
IdAM service for instances where account attributes are required to be synchronized with the provider. In all
cases, the IdAM must provide the authentication. Where technically feasible, organizations should own the
entire authentication and authorization life cycle, including account management.
Built-in functionality for identity and access management in cloud services will be leveraged for in-cloud
authorisation. However, no user entities of the organizations will be created nor maintained in the cloud
provider's IAM service. User entities including userIDs, groups, service accounts and roles may be
synchronised to the provider's IAM from organization’s existing active directory. All authentication to cloud
services for both normal and privileged users will use the IdAM.
Privileged access
Edge devices that manage and log all ingress traffic into and all egress traffic out of the Cloud
Environment should be controlled and managed.
All unused ports and protocols should be blocked both inbound and outbound. More specifically, the traffic
that is allowed should be explicitly authorized and monitored in the firewall ruleset with the final clean-up
rule that drops all traffic that is not allowed by the earlier rules.
A next-generation firewall may be utilized as a deep-packet inspection firewall, e.g. including
application-level inspection and intrusion prevention.
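One way to check a ruleset against the requirements above (every allowed flow explicitly authorized and monitored, and a final clean-up rule that drops everything else), as an added example that is not part of the GEA document. The vendor-neutral Rule format, the audit and decide functions, the addresses and the approval references are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str       # "inbound" or "outbound"
    action: str          # "allow" or "drop"
    source: str          # address, CIDR or ANY
    destination: str     # address, CIDR or ANY
    protocol: str        # "tcp", "udp" or ANY
    port: object         # int or ANY
    log: bool = False    # is matching traffic logged?
    approval: str = ""   # reference to the authorization record


def is_cleanup(rule):
    """True for a drop rule that matches all traffic in its direction."""
    return rule.action == "drop" and all(
        field == ANY
        for field in (rule.source, rule.destination, rule.protocol, rule.port))


def audit(rules):
    """Return (direction, rule name, finding) tuples for the ruleset."""
    findings = []
    for direction in ("inbound", "outbound"):
        scoped = [r for r in rules if r.direction == direction]
        if not scoped or not is_cleanup(scoped[-1]):
            findings.append((direction, "-", "no final clean-up rule"))
        cleanup_seen = False
        for rule in scoped:
            if cleanup_seen:
                findings.append((direction, rule.name, "unreachable after clean-up rule"))
            elif is_cleanup(rule):
                cleanup_seen = True
            elif rule.action == "allow":
                if ANY in (rule.protocol, rule.port):
                    findings.append((direction, rule.name, "allow not limited to protocol and port"))
                if not rule.approval:
                    findings.append((direction, rule.name, "allow without authorization reference"))
                if not rule.log:
                    findings.append((direction, rule.name, "allowed traffic not logged"))
    return findings


def _covers(spec, address):
    return spec == ANY or ipaddress.ip_address(address) in ipaddress.ip_network(spec)


def decide(rules, direction, source, destination, protocol, port):
    """First-match evaluation; 'device-default' means no rule matched."""
    for rule in rules:
        if (rule.direction == direction
                and _covers(rule.source, source)
                and _covers(rule.destination, destination)
                and rule.protocol in (ANY, protocol)
                and rule.port in (ANY, port)):
            return rule.action
    return "device-default"


# Constructed rulesets: private and documentation address ranges, placeholder
# approval references.
WEAK = [
    Rule("web-in", "inbound", "allow", ANY, "10.0.1.10", "tcp", 443, True, "APPROVAL-PLACEHOLDER-1"),
    Rule("mgmt-in", "inbound", "allow", "10.0.9.0/24", "10.0.1.10", ANY, ANY),
    Rule("all-out", "outbound", "allow", ANY, ANY, ANY, ANY),
    Rule("cleanup-out", "outbound", "drop", ANY, ANY, ANY, ANY, True),
]
CORRECTED = [
    Rule("web-in", "inbound", "allow", ANY, "10.0.1.10", "tcp", 443, True, "APPROVAL-PLACEHOLDER-1"),
    Rule("mgmt-in", "inbound", "allow", "10.0.9.0/24", "10.0.1.10", "tcp", 22, True, "APPROVAL-PLACEHOLDER-2"),
    Rule("cleanup-in", "inbound", "drop", ANY, ANY, ANY, ANY, True),
    Rule("dns-out", "outbound", "allow", "10.0.1.10", "10.0.0.53", "udp", 53, True, "APPROVAL-PLACEHOLDER-3"),
    Rule("cleanup-out", "outbound", "drop", ANY, ANY, ANY, ANY, True),
]

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
    print("corrected ruleset findings:", audit(CORRECTED))
```

In the weak ruleset an inbound connection that matches no rule falls through to whatever the device does by default, which is the gap the clean-up rule closes; the corrected ruleset makes that decision explicit and logged.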
Public IP addresses
Removal of public IP addresses will control external access for a Virtual Machine (VM). The IaaS VMs
should have all endpoints removed when provisioning in VC.
No public IP address should be allowed on any frontend or backend Network Interface Cards (NICs).
Public IP addresses can be either dynamic or reserved. Since a public IP address is required to connect to
Cloud services, access to VMs should be restricted using endpoint access lists and edge firewall for
approved external facing services.
Load Balancing
Load balancing capabilities performed by Cloud Service Providers can be used for public-facing
applications to accept connections into the cloud environment and to provide scalability to the ingress/
egress virtual firewalls.
Internal load balancers can be used between virtual machines that are on internal virtual networks or cloud
service, and should not be used to load balance traffic from the internet to internal endpoints.
10.2.3. Encryption
One of the keys to data protection in the cloud is accounting for the possible states in which the data may
occur, and what controls are available for that state. For the purpose of data security and encryption, GEA’s
recommendations address the following data states:
Data at-rest
This includes all information storage objects (e.g. files), disks or volumes and databases (e.g. SQL Server).
Encryption can happen at the storage level, disk/ volume level and database level. However, encryption
should take place at the highest level possible. It should be ensured that the data object and its content
are always stored encrypted.
Data in-transit
When data is being transferred between components, locations or programs, such as over the network,
across a service bus, or during an input/output process, it is thought of as being in-motion.
For internally developed applications, the development process should incorporate the use of secure source
code analysis. All applications migrated to the cloud will follow an application security assessment cycle.
Organizations should use a container orchestration tool to introduce the containers securely. If possible, group
containers based on their security and purpose, so that a compromise of one group is harder to extend to other
groups. Smart grouping makes the breach easier to detect and contain.
IdAM should be used, except for instances where account attributes need to be synchronized with the
provider. In all cases, the IdAM should be the authentication resource.
Multi-Factor Authentication should be used for Cloud Administration.
Role Based Access Control should be in place following the “least privileged” or “need to know” model,
where individuals only have access to the resources they are authorized to use.
PaaS services should use service accounts that are tied to a specific set of services per each application.
API keys need to be encrypted within the application itself and securely stored and managed outside of the
application.
10.3.3. Encryption
Encryption in transit and encryption at rest need to be utilized. All data moving from or to the Cloud Application
should be encrypted in transit via TLS or VPN. Data transfer between the PaaS Applications needs to be
encrypted by utilizing TLS version 1.2 and higher. All data at-rest must be stored in a strong encrypted format.
If possible, organizations should have full control and ownership over encryption keys e.g. create, rotate, and
revoke.
For internally developed applications, the development process should incorporate the use of secure source
code analysis. All applications migrated to the cloud will follow an application security assessment cycle.
IdAM should be used for federated authentication via SAML 2.0, except for instances where account attributes
need to be synchronized with the provider. In all cases, the IdAM should still be the authentication resource.
Multi-Factor Authentication should be used for Cloud Administration. Role Based Access Controls (RBAC)
should be in place following the “least privileged” or “need to know” model, where individuals only have access
to the resources they are authorized to use.
10.4.2. Encryption
Encryption in transit and encryption at rest need to be utilized for SaaS services. All data moving from or to the
cloud Application should be encrypted in transit via TLS or VPN. Data transfer between the SaaS Applications
needs to be encrypted by utilizing TLS version 1.2 and higher. The SaaS provider must store the organization’s
data in an encrypted format or in a manner in which it cannot be assembled if extracted from their cloud service
provider’s environment.
If possible, organizations should have full control and ownership over encryption keys (e.g. create, rotate, and
revoke).
2. User identity federation
It is very important for organizations to keep control over user identities as they move services and
applications to different cloud providers. Rather than letting cloud providers create multiple islands of
identities that become too complex to manage down the line, users should be uniquely identifiable with a
federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when
users do not have to manage multiple user IDs and credentials. This allows easier back-end data integrations
between cloud providers.
5. User privacy and secondary usage of data
Users’ personal data gets stored in the cloud as users start using social web sites. Most of the social sites
are vague about how they will handle users’ personal data. Additionally, most of the social sites go with the
default share-all (least restrictive) setup for the user. Organizations need to confirm with cloud providers
what data can or cannot be used by them for secondary purposes. This includes data that can be mined directly
from user data by providers or indirectly based on user behaviour (clicks, incoming and outgoing URLs, etc.).
6. Service and data integration
The security of data in transit should be a great concern to every organization. In a cloud computing
solution, data is transmitted between the end user and the cloud data center. When utilizing the cloud, the
transmission is carried over the internet, which increases the risk for the organization. Unsecured data is
susceptible to interception and compromise during transmission.
7. Multi tenancy and physical security
Multi-tenancy in cloud means sharing of resources and services among multiple clients (CPU, networking,
storage/databases, application stack). It increases dependence on logical segregation and other controls to
ensure that one tenant cannot, deliberately or inadvertently, interfere with the security of the other tenants.
In addition, there is the possibility of misconfiguration, uncoordinated change controls, and single point of
failure.
8. Incident analysis and forensic support
In the event of a security incident, applications and services hosted at a cloud provider are difficult to
investigate, as logging may be distributed across multiple hosts and data centers, which could be located in
various countries and hence governed by different laws. In addition, because multiple customers store their
data on the same shared hardware and in the same data center, law enforcement issues will arise during
forensic recovery.
9. Infrastructure security
All infrastructure should be hardened and configured securely, and the hardening/configuration baselines
should be based on industry best practices. Applications, systems and networks should be architected and
configured with security zones, and access should be configured to only allow required network and
application protocols. Administrative access should be role-based, and granted on a need-to-know basis.
Failure to keep systems and network devices up to date might compromise system security. Running services
that contain security-related bugs increases the possibility of the infrastructure becoming a target for a
security exploit. In addition, configuration mistakes and coding errors also increase the chances of
exploitation.
Features
Device
Field Gateway
Cloud gateways
Services
Zones are a broad way to segment a solution; each zone often has its own data and authentication and
authorization requirements. Zones can also be used to isolate damage and restrict the impact of low trust
zones on higher trust zones.
Each zone is separated by a Trust Boundary, which is noted as the dotted line in the following diagram. It
represents a transition of data/ information from one source to another. During this transition, the data/
information could be subject to threats of the following nature: Spoofing, Tampering, Repudiation, Information
Disclosure, Denial of Service and Elevation of Privilege (STRIDE).
The zones depicted within each boundary are also subjected to STRIDE. The following sections elaborate on
each of the components and specific security concerns and solutions that should be put into place.
A field gateway is different from a mere traffic router in that it has an active role in managing access and
information flow, meaning it is an application-addressed entity and network connection or session terminal. A
NAT device or firewall, in contrast, does not qualify as a field gateway since it is not an explicit connection or
session terminal, but rather routes (or blocks) connections or sessions made through it. The field gateway
A cloud gateway may potentially be mapped into a network virtualization overlay to insulate the cloud gateway
and all of its attached devices or field gateways from any other network traffic. The cloud gateway itself is not a
device control system or a processing or storage facility for device data; those facilities interface with the cloud
gateway. The cloud gateway zone includes the cloud gateway itself along with all field gateways and devices
directly or indirectly attached to it. The edge of the zone is a distinct surface area where all external parties
communicate through.
Code signing
Code signing cryptographically ensures that code has not been tampered with after it has been signed, at the
software and firmware level. An example of such an implementation is a Trusted Platform Module (TPM) that
performs the cryptographic signing and protects the signing keys.
Runtime protection
Runtime protection ensures code is not overwritten by malicious code after it is loaded. An example of such an
implementation is secure booting, which ensures that only verified software will run on the device.
Physical security protection
Physical security protection ensures that physical tampering is prevented when physical access is gained
to the device by an intruder. An example of such an implementation is a full metal shield covering/casing for
all internal circuitry.
Host-based protection
Host-based protection ensures that code is protected after it begins running. Examples of such
implementations are hardening, lockdown, whitelisting, sandboxing, network-facing intrusion prevention,
behavioural and reputation-based security, including blocking, logging, and alerting, some of which have
been adapted for IoT security.
2. Insecure Network Services
Unneeded or insecure network services running on the device itself, especially those exposed to the internet,
that compromise the confidentiality, integrity/authenticity, or availability of information or allow
unauthorized remote control.
3. Insecure Ecosystem Interfaces
Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow
compromise of the device or its related components. Common issues include a lack of authentication/
authorization, lacking or weak encryption, and a lack of input and output filtering.
4. Lack of Secure Update Mechanism
Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of
secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of
security changes due to updates.
6. Insufficient Privacy Protection
User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or
without permission.
7. Insecure Data Transfer and Storage
Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in
transit, or during processing.
9. Insecure Default Settings
Devices or systems shipped with insecure default settings, or that lack the ability to make the system more
secure by restricting operators from modifying configurations.
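The firmware validation and anti-rollback checks named in item 4, as an added example that is not part of the original document. The manifest layout and function names are hypothetical, and HMAC-SHA256 stands in for the vendor's asymmetric signature so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json


def build_manifest(version: int, image: bytes) -> dict:
    """Vendor side: describe the image by version number and SHA-256 digest."""
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the canonical manifest bytes (stand-in for a real signature)."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def check_update(manifest: dict, tag: str, image: bytes, key: bytes,
                 installed_version: int) -> str:
    """Device side: return "accept" or the reason the update is refused."""
    # 1. Authenticate the manifest before trusting any field inside it.
    expected = sign_manifest(manifest, key).encode()
    if not hmac.compare_digest(expected, tag.encode()):
        return "refuse: manifest not authentic"
    # 2. Firmware validation: the delivered image must match the signed digest.
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return "refuse: image digest mismatch"
    # 3. Anti-rollback: only strictly newer versions may be installed, so an
    #    old but validly signed image cannot be replayed to the device.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return "refuse: rollback or replay"
    return "accept"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"            # constructed sample value
    demo_image = b"constructed firmware image v7"  # constructed sample value
    manifest = build_manifest(7, demo_image)
    tag = sign_manifest(manifest, demo_key)
    print(check_update(manifest, tag, demo_image, demo_key, installed_version=6))
    print(check_update(manifest, tag, demo_image, demo_key, installed_version=8))
```

The installed version counter is only useful for anti-rollback if the device keeps it in storage that an update or a local attacker cannot rewind.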
All of the organization’s data, including information entrusted to the organization by third parties, falls into
one of the classifications listed below, presented in order of decreasing sensitivity.
Confidential
Confidential data is categorized as regulated or controlled data that has legal ramifications if disclosed either
internally or externally, or data that if improperly disclosed or accessed without authorization, will cause grave
damage to the organization’s competitive advantage, its business partners, and/or the privacy or financial
viability of its customers or associates. This category of data is extremely sensitive in nature and may not be
shared except when deemed absolutely necessary for continuation of business.
Internal
Internal data is categorized as sensitive business data concerning the organization, the organization’s external
business partners and/or customers. All of the organization’s associates may be provided access to this level of
data. A non-disclosure agreement is required before access to this level of data is granted to third-party
individuals. At a minimum, external parties who receive the organization’s internal data are required to strictly
comply with the handling requirements.
Training material
Company policy and organization chart
Employee work phone and email address
Market Research
Public
This type of data does not require special handling, marking or storage. However, only authorized associates
should make public data known to the general public (e.g. public relations). There are no restrictions on who
may read public data.
1. API authentication
API authentication is important to protect against various cyber attacks. Typically, the username and password
are not passed in day-to-day API calls. Rather, an API key or bearer authentication token is passed in the HTTP
header or in the JSON body of a RESTful API. Tokens should expire regularly to protect against replay attacks.
By using client certificates and certificate pinning in organizational applications, man-in-the-middle attacks
can be prevented and it can be ensured that only authorised applications can access the API.
2. API authorization
Access should be restricted to only what is required and who needs it.
3. API encryption
API data should be protected from unauthorized access via encryption. Depending on the specific API protocol,
one of the following methods for API encryption can be used:
o HTTPS should be implemented to protect the request in transit, so that the messages are secured and
encoded with TLS.
o JSON Web Token: For JSON response data, JSON Web Token (JWT) is an open standard that defines ways to
securely transmit information as a JSON object between parties. JWTs can be signed using a secret (with
the HMAC algorithm) or a public/private key pair using RSA.
4. Application layer security
Attacks against API endpoints are one common means of compromising applications via APIs. Some of the common
attacks include:
o Cross-site scripting – Malicious scripts are injected into one of the request parameters.
o Code injection – Valid code, such as SQL (SQL injection) or XQuery, is injected into services to open the
interface to user control.
o Business logic – Allows the attacker to circumvent the business rules.
o Parameter pollution attacks – Exploit the data sent in the API request by modifying the parameters of the
API request.
6. API logging
API transactions should always be logged. Logs can help resolve security issues, as well as monitor activity
and discover any patterns or excessive usage that could signal an intrusion or intrusion attempt.
When configuring API logs, it is a good practice to return simple error objects with the conventional HTTP
status code, and to keep required error messages to a minimum. This will improve error handling and protect
API implementation details from an attacker.
7. Throttling and rate limiting
When protecting APIs against abuse or DDoS attacks, it is necessary to have rules that restrict usage once
certain criteria are met. This would include requests per time unit, bandwidth limits, or monthly quotas.
Rate limiting is important if the API is public-facing. It will help protect the API and back-end from DoS.
8. Blocking large requests and responses
Some attackers may try to overwhelm the API or trigger a buffer overflow vulnerability with large requests.
These may be in the form of a large JSON body or even unusually large individual JSON parameters within the
request. Also, an abnormally large response may be an indicator of data theft.
9. Input validation
Organizations should apply strict user input validation, including:
o Restricting, where possible, parameter values to a whitelist of expected values
o Facilitating a whitelist (have strong typing of input value)
o Validating posted structured data against a formal schema language to restrict the content and structure.
SQL injection attacks on standard web applications are common, though these and other input abuse attacks can
be carried out against APIs as well. For example, SQL, PHP, XPath/XQuery, LDAP DN/LDAP Query, Bash script,
JavaScript or other code can be entered into a JSON parameter within an API request body.
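Items 1 and 3 above call for expiring bearer tokens and HMAC-signed JWTs. The following added example (not part of the original document) issues and verifies an HS256 token with the standard library; the function names and the demo secret are hypothetical, and `now` is passed in explicitly (use `int(time.time())` in a service).

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes, ttl_seconds: int, now: int) -> str:
    """Sign the claims as an HS256 JWT that expires ttl_seconds after now."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Return the claims, or raise ValueError if the token must be rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must not be allowed to choose "none"
    # or any scheme other than the one this service issues.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Expiry bounds the window in which a captured token can be replayed.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"  # constructed sample value
    token = issue_token({"sub": "svc-a"}, demo_secret, ttl_seconds=300, now=1000)
    print(verify_token(token, demo_secret, now=1100))
```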
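Items 8 and 9 above combine into one gate in front of the handler: a size limit checked before parsing, then strong typing, a whitelist and a field schema. This is an added example, not part of the original document; the endpoint fields, limits and currency list are hypothetical.

```python
import json

MAX_BODY_BYTES = 4096     # assumed size limit for this endpoint
MAX_STRING_CHARS = 64     # assumed limit for any single string parameter

# Hypothetical schema for a "create order" request: field name -> exact type.
SCHEMA = {"customer_id": int, "currency": str, "note": str}
REQUIRED = {"customer_id", "currency"}
ALLOWED_CURRENCIES = {"USD", "EUR", "INR"}   # whitelist of expected values


def validate_request(raw_body: bytes) -> dict:
    """Return the parsed body, or raise ValueError naming the first violation."""
    if len(raw_body) > MAX_BODY_BYTES:        # reject large bodies before parsing
        raise ValueError("body too large")
    try:
        body = json.loads(raw_body)
    except (ValueError, RecursionError) as exc:   # bad JSON or extreme nesting
        raise ValueError("invalid JSON") from exc
    if not isinstance(body, dict):
        raise ValueError("body must be an object")
    unknown = set(body) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unknown field: {sorted(unknown)[0]}")
    missing = REQUIRED - set(body)
    if missing:
        raise ValueError(f"missing field: {sorted(missing)[0]}")
    for name, value in body.items():
        # Compare exact types: bool is a subclass of int in Python, so an
        # isinstance check would accept true for an integer field.
        if type(value) is not SCHEMA[name]:
            raise ValueError(f"wrong type: {name}")
        if isinstance(value, str) and len(value) > MAX_STRING_CHARS:
            raise ValueError(f"value too long: {name}")
    if body["currency"] not in ALLOWED_CURRENCIES:
        raise ValueError("currency not in whitelist")
    if body["customer_id"] <= 0:
        raise ValueError("customer_id out of range")
    return body


if __name__ == "__main__":
    # Constructed sample requests.
    print(validate_request(b'{"customer_id": 42, "currency": "EUR"}'))
    try:
        validate_request(b'{"customer_id": "42", "currency": "EUR"}')
    except ValueError as err:
        print("rejected:", err)
```

Validation of this kind limits what reaches the back-end; queries built from the accepted values should still be parameterized.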
© 2019 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to
PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or
CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited
(PwCIL), each member firm of which is a separate legal entity.