Professional Documents
Culture Documents
Dr Ayman El Hajjar
January 23, 2023
School of Computer Science and Engineering
University of Westminster
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
O UTLINE
1. Information Systems
3. Attack surface
5. Penetration testing
1
Information Systems
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
2
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
3
Cyber Security Fundamentals
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
4
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
Confidentiality
✺ Data Confidentiality- Assures that private information is not
made available or disclosed to unauthorized individuals
✺ Privacy- Assures that individuals control or influence what
information related to them may be collected and stored and by
whom and to whom that information may be disclosed
5
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
Confidentiality
✺ Data Confidentiality- Assures that private information is not
made available or disclosed to unauthorized individuals
✺ Privacy- Assures that individuals control or influence what
information related to them may be collected and stored and by
whom and to whom that information may be disclosed
Integrity
✺ Data Integrity- Assures that information and programs are
changed only in a specified and authorized manner
✺ System integrity- Assures that a system performs its intended
function in an unimpaired manner, free from any manipulation.
5
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
Confidentiality
✺ Data Confidentiality- Assures that private information is not
made available or disclosed to unauthorized individuals
✺ Privacy- Assures that individuals control or influence what
information related to them may be collected and stored and by
whom and to whom that information may be disclosed
Integrity
✺ Data Integrity- Assures that information and programs are
changed only in a specified and authorized manner
✺ System integrity- Assures that a system performs its intended
function in an unimpaired manner, free from any manipulation.
Availability
✺ Availability- Assures that systems work promptly and service is
not denied to authorized users 5
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
Authenticity
✺ Authenticity- Verifying that users are who they say they are and
that each input arriving at the system came from a trusted source
6
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
Authenticity
✺ Authenticity- Verifying that users are who they say they are and
that each input arriving at the system came from a trusted source
Accountability
✺ Accountability- The security goal that generates the
requirement for actions of an entity to be traced uniquely to that
entity
6
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
CIA T RIAD
8
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
High
✺ The loss could be expected to have a severe or catastrophic
adverse effect on organizational operations, organizational
assets, or individuals
9
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
High
✺ The loss could be expected to have a severe or catastrophic
adverse effect on organizational operations, organizational
assets, or individuals
Moderate
✺ The loss could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals
9
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
High
✺ The loss could be expected to have a severe or catastrophic
adverse effect on organizational operations, organizational
assets, or individuals
Moderate
✺ The loss could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals
Low
✺ The loss could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals
9
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
✺ Confidentiality
☞ Student grade information is an asset whose confidentiality is
considered to be highly important.
☞ Regulated by the Data Protection Act in the UK.
10
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
✺ Confidentiality
☞ Student grade information is an asset whose confidentiality is
considered to be highly important.
☞ Regulated by the Data Protection Act in the UK.
✺ Integrity
☞ Inaccurate Patients information could result in serious harm or
death to patients and expose the hospital to massive liability.
☞ A Web site that offers a forum to registered users to discuss some
specific topic would be assigned a moderate level of integrity.
☞ A low-integrity requirement example is an anonymous online poll
10
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
✺ Confidentiality
☞ Student grade information is an asset whose confidentiality is
considered to be highly important.
☞ Regulated by the Data Protection Act in the UK.
✺ Integrity
☞ Inaccurate Patients information could result in serious harm or
death to patients and expose the hospital to massive liability.
☞ A Web site that offers a forum to registered users to discuss some
specific topic would be assigned a moderate level of integrity.
☞ A low-integrity requirement example is an anonymous online poll
✺ Availability
☞ Critical components need a high level of availability.
☞ A moderate availability requirement is a public university Web site.
☞ An online telephone directory lookup application would be
classified as a low-availability requirement
10
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
✺ Categories of vulnerabilities
☞ Corrupted (loss of integrity)
☞ Leaky (loss of confidentiality)
☞ Unavailable or very slow (loss of availability)
11
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
✺ Categories of vulnerabilities
☞ Corrupted (loss of integrity)
☞ Leaky (loss of confidentiality)
☞ Unavailable or very slow (loss of availability)
✺ Threats
☞ Capable of exploiting vulnerabilities
☞ Represent potential security harm to an asset
11
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
✺ Categories of vulnerabilities
☞ Corrupted (loss of integrity)
☞ Leaky (loss of confidentiality)
☞ Unavailable or very slow (loss of availability)
✺ Threats
☞ Capable of exploiting vulnerabilities
☞ Represent potential security harm to an asset
✺ Attacks (threats carried out)
☞ Passive – attempt to learn or make use of information from the
system that does not affect system resources
☞ Active – attempt to alter system resources or affect their operation
☞ Insider – initiated by an entity inside the security parameter
☞ Outsider – initiated from outside the perimeter
11
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
E XAMPLES OF THREATS
13
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
14
Attack surface
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
ATTACK S URFACE
15
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
ATTACK S URFACE
15
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
ATTACK S URFACE
15
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
ATTACK S URFACE
15
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
ATTACK T REES
17
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
T HE T EN S ECURITY P RINCIPLES
19
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
E CONOMY OF MECHANISM
20
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
21
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
C OMPLETE MEDIATION
22
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
O PEN DESIGN
23
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
S EPARATION OF PRIVILEGE
24
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
L EAST PRIVILEGE
25
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
26
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
P SYCHOLOGICAL ACCEPTABILITY
27
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
W ORK FACTOR
28
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
C OMPROMISE RECORDING
29
Penetration testing
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
30
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
31
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
T ESTS BASIS
W HY P ENTESTING
☞ Mitigate risk
☞ Legal and compliance
☞ Validate/Invalidate Security Controls
☞ Find and Mitigate Vulnerabilities
☞ Prevent compromise
33
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
34
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
35
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
A NATOMY OF AN ATTACK
36
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
37
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
38
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
39
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
40
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
41
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
42
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
43
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
✺ Career criminal
✺ Amateurs ☞ Well-planned attacks,
☞ Not very sophisticated usually for financial gain
✺ Crackers ✺ Military
☞ Access resources without ☞ Done to disable opposing
permission forces & gain strategic
advantage
44
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
M OTIVATION EXAMPLES
45
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
S OCIAL E NGINEERING
46
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
47
Information Systems Cyber Security Fundamentals Attack surface Fundamental security design principles Penetration testing
R EFERENCES
48