Foundations of Information Security

This file is meant for personal use by yovan7raja@gmail.com only.


Sharing or publishing the contents in part or full is liable for legal action.
Agenda

✔CIA triad
✔Overview of cyber space
✔Risk management
✔Motives behind attacks
✔Need for security
✔Attack surface management
✔Security - A team sport

CIA Triad

Confidentiality
Integrity
Availability

Confidentiality

• Ensure the secrecy of data, objects or resources.

• Only the authorized entity can access or read the data, objects or resources.

• If confidentiality is compromised, disclosure happens.

Confidentiality

Facebook Security Breach exposes accounts of nearly 50 million users

Integrity

• Protects the reliability & correctness of data.

• Only the authorized entity can alter the data, objects & resources.

• If integrity is compromised, alteration happens.

Integrity

Alert (A22-057A)

▪ Destructive malware targeting organizations in Ukraine

Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable.

• On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine.

• According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable.

• On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine.

• According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure.

Availability

• Ensures that authorized subjects are granted timely and uninterrupted access to data and systems.

• Data, objects and resources are available to authorized subjects.

• If availability is compromised, it can result in Destruction/Denial.

Availability

Amazon Web Services Outage Affects Netflix, Reddit, And More Websites

Availability

Global outage with 6 hours of WhatsApp, Facebook, Instagram down

Overview of Cyber Space

The beginning of The Internet

Tim Berners-Lee, a British scientist, invented the World Wide Web (WWW) in 1989, while working at CERN. The web was originally conceived and developed to meet the demand for automated information-sharing between scientists in universities and institutes around the world.

Cyber Space 2022

• The image represents the internet backbone.

• The Internet backbone may be defined by the principal data routes between large, strategically interconnected computer networks and core routers of the Internet.

• According to an internet report, 278.1 exabytes were transmitted per month in 2022.

Cyber Space 2022

• Cyberspace is a concept describing a widespread interconnected digital technology.

[Diagram: Cyber Space, surrounded by Data Centers, Cloud, Global Cloud Infra, Global CERT Team, Space Satellites and Critical Infrastructure]

Cyber Space 2022

• Online Rights
• Data Privacy
• Cyber Security

Emergency Response Teams
A computer emergency response team (CERT) is a group of cyber security experts responsible for handling
computer security incidents. Alternative names for such groups include computer emergency readiness
team and computer security incident response team (CSIRT). A more modern representation of the CSIRT
acronym is Cyber Security Incident Response Team.

CERT teams of a few countries


Risk Management

Introduction to Risk Management

Threats
Risk
Vulnerabilities

Threats
External factors that threaten the CIA of data

Vulnerability
A weakness in the system

Defining Risk

Risk
The potential for damage when a threat exploits a vulnerability.


Risk = Threat x Vulnerability

Examples of Risks

• Ransomware
• Cyberattacks
• Data leaks
• Insider threats
• Phishing
• Malware

Risk Analysis

Risk Level = Probability X Impact

• Probability: How likely is the threat to materialize?

• Impact: What kind of damage can it do if the threat materializes?

Types of Risk

Compliance Risk
• Regulatory requirements
• Theft/Crime, Dispute Risk
• Breach report compliance

Cyber Risk
• Information Security
• Data Privacy/Protection
• Cybersecurity

Strategic Risk
• Service Delivery Risk
• Mergers and Acquisition Risk
• Intellectual Property Risk

Legal Risks
• Jurisdiction of Law
• Terms and Conditions of a contract
• Intellectual Property Risk

Third Party Risk
• Cybersecurity
• Compliance
• Operational Risk

Concentration Risk
• Supplier Concentration
• Industry Concentration
• Geographic Concentration
• Operational Risk

Defining Risk Management

Risk Management is the process of identifying, analyzing, assessing, mitigating or transferring risk.

Risk is the effect of uncertainty on objectives.

The possibility of damage or harm and the likelihood that damage or harm will be realized.

Risk Management Framework

• Leadership & Commitment
• Integration
• Design
• Implementation
• Evaluation
• Improvement

Risk Management

Risk Assessment
• Identify & valuate assets
• Identify threats & vulnerabilities

Risk Analysis
• Qualitative
• Quantitative

Risk Mitigation / Response
• Reduce / Avoid
• Transfer
• Accept / Reject

Ongoing Risk Monitoring
• Continuous Risk Monitoring

Qualitative Analysis

• Subjective in nature
• Uses words like “High”, “Medium”, “Low” to describe the probability of the threat.

[Risk matrix: Probability (Likelihood) against Impact (Consequence)]

Quantitative Analysis
• Experience in risk analysis is required.

• Involves calculating risk in numerical values.

• Assigns a dollar value to each risk event.

• Business decisions are made on this type of analysis.

• While doing a cost/benefit analysis, this is a must.

Generic Risk Model with Key Risk Factors

Threat Source → (initiates) → Threat Event → (exploits) → Vulnerability → (causing) → Adverse Impact → (producing) → Organizational Risk

4 ways of Risk Treatment

• Accept
• Transfer
• Avoid
• Mitigate

Residual Risk

• Refers to the risk remaining after all other known threats have been treated.

Risk Register

• Risk register is a log of historic and newly identified risks.
• Contains risk metadata about all the risks related to an organization.
• Also contains information about the severity of each of the risks.
• Focal point of evidence that the organization is actively managing the risks.
• Can be stored as
– Excel Spreadsheet
– Database
– Governance risk and compliance tools
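
The risk analysis formula, the four treatments, residual risk and the register from the slides above, combined in one added Python example (not part of the original deck). The 1-3 numeric scale, the rating cut-offs, the `reduction` field and every sample figure are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed 3-point scale: the slides give the words, not the numbers.
SCALE = {"Low": 1, "Medium": 2, "High": 3}
TREATMENTS = ("Accept", "Transfer", "Avoid", "Mitigate")


def rating(level: int) -> str:
    """Turn a Probability x Impact product (1..9) back into a word (assumed cut-offs)."""
    return "High" if level >= 6 else "Medium" if level >= 3 else "Low"


@dataclass
class Risk:
    name: str
    probability: str           # qualitative likelihood: Low / Medium / High
    impact: str                # qualitative consequence: Low / Medium / High
    yearly_chance: float       # quantitative probability of the event in one year
    loss_usd: float            # quantitative dollar value of one event
    treatment: str = "Accept"
    reduction: float = 0.0     # share of exposure removed by Transfer or Mitigate

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: rating must be one of {list(SCALE)}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.name}: unknown treatment {self.treatment!r}")
        if not (0.0 <= self.yearly_chance <= 1.0 and 0.0 <= self.reduction <= 1.0):
            raise ValueError(f"{self.name}: chance and reduction must be within 0..1")

    def level(self) -> int:
        """Qualitative Risk Level = Probability x Impact."""
        return SCALE[self.probability] * SCALE[self.impact]

    def exposure_usd(self) -> float:
        """Quantitative Risk Level = Probability x Impact, in dollars per year."""
        return self.yearly_chance * self.loss_usd

    def residual_usd(self) -> float:
        """Exposure left after treatment: Avoid removes it, Accept leaves it all."""
        if self.treatment == "Avoid":
            return 0.0
        if self.treatment == "Accept":
            return self.exposure_usd()
        return self.exposure_usd() * (1.0 - self.reduction)


def build_register(risks):
    """Return register rows, most severe first (level, then dollar exposure)."""
    ordered = sorted(risks, key=lambda r: (r.level(), r.exposure_usd()), reverse=True)
    return [{"risk": r.name, "level": r.level(), "rating": rating(r.level()),
             "exposure_usd": r.exposure_usd(), "treatment": r.treatment,
             "residual_usd": r.residual_usd()} for r in ordered]


# Constructed sample entries; every figure is invented for illustration.
SAMPLE = [
    Risk("Data leaks", "Low", "Low", 0.125, 8_000),
    Risk("Phishing", "High", "Medium", 0.5, 20_000, "Mitigate", 0.75),
    Risk("Insider threats", "Low", "High", 0.125, 80_000, "Transfer", 0.5),
    Risk("Ransomware", "Medium", "High", 0.25, 400_000, "Mitigate", 0.5),
]
```

Sorting by qualitative level first and dollar exposure second shows why the two analyses are kept side by side: Phishing and Ransomware share the rating "High" yet differ tenfold in yearly exposure.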

Sources of Information for Risk Register

• Security Incident
• Internal Audit
• Threat Intelligence
• Vulnerability Assessment
• Industry Development
• Risk Assessment
• New Laws and Regulations

Types of Cyber Attacks

10 most common Cyber Attacks

• Ransomware
• DoS & DDOS
• Phishing
• Man in the Middle Attack
• Cross Site Scripting
• SQL Injection
• DNS Tunneling
• Drive by Attack
• Cryptojacking
• IoT Based Attacks

More on these in module 2

Cyber Crime

• Any act against the law in which a computer, communication device or computer network is used to commit or facilitate the commission of a cyber crime.
• US Department of State Diplomatic Security Service has issued a reward of 10 Million for information on Russian GRU officers and hackers.
• The hackers have been named in a poster created about this.

Cyber Crime Product      Price (in USD)
SMS Spoofing             20/Month
Phishing Kit             20-200
Custom Spyware           200
Hacker-on-Hire           200+
Zero-Day in iOS          250,000

Cyber Crime

• Computer crime happens when
– Computer is a target;
– Computer is a tool for the crime.
• Examples:
– Committing fraud
– Illegal trafficking
– DDOS as a service
– Identity theft
– Privacy violation

6.9 Billion USD Lost in Cybercrimes in 2021
Source: FBI

Cyber Crime - National concern

Motives behind attacks

Motives behind attacks

• Financial gain
• Organized crime
• Hacktivism
• Extortion
• Competitive advantage

Profile of a Hacker

People behind attacks
[Images: A black hat hacker; A call center providing “Crime as a Service”]

Hacker Profile
• > 90% male
• >80% under 30
• started at young age
• well educated
• do NOT come from low socio-economical background

Motivation of a Hacker
“I analyze people (…), In the end, human hacking works the same way that computer hacking works. You always look for vulnerabilities, (…) and try to exploit them.”

“Never underestimate the role of ego, challenge and thrill-seeking in cybercrime.”

• Challenge
• Espionage
• Money

Hacking Techniques

“Amateurs hack systems, professionals hack people” – Bruce Schneier

Misdirection
• They hack you while telling you that you have been hacked.

Sympathy
• They gain your sympathy by showing an angelic face.

Authority
• Use an authority face / name / brand / logo

Building defenses

There are only 2 types of companies
• Companies that have been hacked.
• Companies that will be attacked.

Awareness is the key!
• Team, I don’t care.
• It won’t hit us.
• We are too small or not interesting enough.

Need for Security

What is an Attack Surface?

Total possible entry points for an attacker to compromise a company:

• Third Party Vendors
• Cloud Presence
• Autonomous System Numbers (ASN)
• Web Servers
• Web Frameworks (PHP, Apache etc)
• IP Address
• Domains
• NetFlow
• SSL Certificates
• Internet Ports
• WHOIS Records

[Diagram: the entry points above arranged around "Your Company"]

Monitoring the Attack Surface

• An organization would get a Risk Score based on the findings in the attack surface monitoring tool.
• The score is analogous to the credit score that an individual has.
• The higher the score, the better the security of the organization.
• Monitoring your own score and the scores of your vendors is critical for a safe security posture.

Security - A Team Sport

Collaboration is the Key

Summary

In this session, we discussed:

✔CIA Triad - The DNA of cyber security

✔Primary task of security professionals is to reduce the risks to the enterprise

✔Risk management and treatment

✔Cyber space & cyber crime

✔Motives behind attacks

✔Attack surface management

✔Security being a team sport.