
UGANDA CHRISTIAN UNIVERSITY- MUKONO

BIT3
CYBER SECURITY AND DIGITAL
FORENSICS

Prepared by
Rebecca Kushemererwa (CISA, CISM, MPAM, PGD.INFOsec, BCE)
CYBER SECURITY, IT AUDIT & RISK MANAGEMENT CONSULTANT
0701550031- kushbeckyle@gmail.com
CYBER SECURITY-INTRODUCTION
• Most people, and by extension most organizations, are afraid of crime. A person
may be worried that he will be mugged on the street or that his house may be
burgled. In the last few years, the threat of cybercrime has become quite well
publicized.

Cybercrime means committing a crime using a computer system.

• For example, a cracker may gain access to a computer and steal data files from it.

• A fraudster may use a fake webstore to steal credit card details.

• Computer security, cyber security or IT security is the protection of computer
systems and networks from information disclosure, theft of or damage to their
hardware, software or electronic data, as well as from the disruption or
misdirection of the services they provide.
CONT’D
• While people may be aware of cybercrime, they may not know precisely how to
deal with it effectively.
For example, a person may not know that if he sends credit card details in an
email they become relatively easy to steal and misuse.
For an organization, its use of computer systems and internet technologies might
have expanded considerably in the last few years.
While the organization may be concerned about security, in many cases it will not
have created an effective policy to deal with that concern.
CONTINUED……….

• An organisation may implement security procedures in one area but not
another, like a homeowner with an impressive range of locks and alarms on the
front door who leaves a bathroom window open at the back of the house when
he goes to work.
• Too many organizations think of security in terms of fitting locks on doors,
configuring computer security accounts, or installing anti-virus and firewall
software. While these are important, the people who use data and equipment
are of greater significance. One essential problem for an organization to tackle is
that its employees may not be sufficiently aware of the risks to security to take
appropriate action as they complete their work.
CONT’D……

• An organization needs to train each of its employees, so that they
are alert and sensitive to security, without becoming so cautious that
they cannot do their jobs.
ASSETS
• Security is not an end in itself; businesses do not make money by being secure.
Rather, security protects the assets of a company.
• Assets are usually classified in the following ways:
■ Tangible assets - these are physical items, such as buildings, furniture,
computer equipment, software licenses, machinery, inventory (stock), and so on.
■ Intangible assets - these are mostly information resources, including
Intellectual Property (IP), accounting information, plans and designs, and so on.
Intangible assets also include things like a company's reputation and image or
brand.
■ Employees - it is a commonplace to describe an organization's staff (sometimes
CONT’D
• Most assets have a specific value associated with them (the market value), which
is the price that could be obtained if the asset were to be offered for sale.
In terms of security, however, assets must be valued according to the liabilities that
the loss or damage of the asset would create:
■ Business continuity - this refers to an organization's ability to recover from
incidents (any malicious or accidental breach of security is an incident).
■ Legal - these are responsibilities in civil and criminal law.
Security incidents could make an organization liable to prosecution (criminal law)
or for damages (civil law). An organization may also be liable to professional
standards and codes.
WHY IS DATA IMPORTANT?

• It is important to recognize which pieces of information are important. For
example, the plans for an automobile manufacturer's new model are obviously
vital and must be kept confidential.
Other information may be important in less obvious ways. If an attacker obtains
a company's organization chart, showing who works for whom, the attacker has
found out a great deal about that organization and may be able to use that
information to gain more.
CONT’D……
• Data can be essential to many different business functions:
■ Product development, production, and maintenance.
■ Customer contact information.
■ Financial operations and controls (collection and payment of debts, payroll,
tax, financial reporting).
■ Legal obligations to maintain accurate records for a given period.
■ Contractual obligations to third parties (Service Level Agreements).
THE CIA TRIAD

• Information is valuable to thieves and vulnerable to damage or loss. Data may be
vulnerable because of the way it is stored, the way it is transferred, or both.
■ Data used by an organization is stored in paper files, on computer disks and
devices, and in the minds of its employees.
■ Data may be transferred in the post, by fax, by telephone, or over a computer
network (by file transfer, email, text messaging, or website). Data can also be
transferred in conversation.
CIA
• Secure information has three properties, often referred to by the "CIA Triad":
■ Confidentiality - this means that certain information should only be known to
certain people.
■ Integrity - this means that the data is stored and transferred as intended and that
any modification is authorized.
■ Availability - this means that information is accessible to those authorized to view
or modify it.
The triad can also be referred to as "AIC", to avoid confusion with the Central
Intelligence Agency. It is important to recognize that information must be available.
You could seal some records in a safe and bury the safe in concrete; the records would
be secure, but completely inaccessible and, for most purposes, completely useless.
NON-REPUDIATION
• Some security models and researchers identify other properties that secure
systems should exhibit. The most important of these is non-repudiation.
• Nonrepudiation means that a subject cannot deny doing something, such as
creating, modifying, or sending a resource.
• For example, an individual cannot deny that he sent a particular email, and the receiver
cannot deny receiving it (read about digital signatures).
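The distinction between integrity (from the CIA triad above) and non-repudiation is easiest to see in code. The following is an added example, not part of the lecture notes: it uses Go's standard-library Ed25519 signatures and HMAC-SHA256. A signature can only be produced by the holder of the private key, so the signer cannot later deny producing it, and any third party with the public key can check it. A MAC also detects tampering, but because sender and receiver share the same key, either of them could have produced the tag, so it gives integrity without non-repudiation. The seed, shared secret and message text are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed 32-byte seed so the example is reproducible. A real private key
// would be generated from crypto/rand and never appear in source code.
var demoSeed = []byte("demo-seed-not-for-real-use-00001")

// Sign produces an Ed25519 signature over msg. Only the holder of the private
// key can produce it, which is what gives the sender no way to repudiate it.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks a signature with the sender's public key. Any third party
// (the receiver, an auditor, a court) can run this check without the private key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MacTag computes an HMAC-SHA256 tag with a key shared by sender and receiver.
// It proves the message was not altered in transit (integrity) but, because the
// receiver holds the same key, it cannot prove who created the message.
func MacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacValid verifies an HMAC tag in constant time.
func MacValid(key, msg, tag []byte) bool {
	return hmac.Equal(MacTag(key, msg), tag)
}

// Demo returns three facts: the genuine signature verifies, a tampered message
// does not, and the receiver can forge a valid MAC tag for a message the sender
// never wrote (so a MAC alone gives no non-repudiation).
func Demo() (genuineOK, tamperedOK, receiverCanForgeMAC bool) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	pub := priv.Public().(ed25519.PublicKey)

	msg := []byte("Transfer 500 to account 12345") // constructed sample email body
	sig := Sign(priv, msg)
	genuineOK = Verify(pub, msg, sig)

	tampered := []byte("Transfer 5000 to account 12345") // one digit changed in transit
	tamperedOK = Verify(pub, tampered, sig)

	shared := []byte("shared-secret-between-alice-and-bob") // constructed shared key
	// The receiver knows the shared key, so he can produce a tag for any text and
	// claim the sender wrote it; the sender can equally deny it.
	claim := []byte("I owe Bob 1,000,000")
	forged := MacTag(shared, claim)
	receiverCanForgeMAC = MacValid(shared, claim, forged)
	return
}

func main() {
	g, t, f := Demo()
	fmt.Printf("genuine signature verifies: %v\n", g)
	fmt.Printf("tampered message verifies:  %v\n", t)
	fmt.Printf("receiver can forge MAC tag: %v\n", f)
}
```

In practice the public key must itself be bound to the sender's identity (for example by a certificate issued by a trusted authority); otherwise the receiver can verify that some key signed the email, but not whose key it was.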
SECURITY POLICY
• The implementation of a security policy might be very different for a school, a
multinational accountancy firm, or a machine tool manufacturer.
However, each of these organizations, or any other organization (in any sector of
the economy, whether profit-making or non-profit-making), should have the same
interest in ensuring that its employees, equipment, and data are secure against
attack or damage.
SECURITY POLICY PROCESS

• 1) The first step in establishing a security policy is to obtain genuine support and commitment for such a
policy throughout the organization, especially from top management or the board.
• 2) The next step is to analyze risks to security within the organization. Risks are components, processes,
situations, or events that could cause the loss, damage, destruction, or theft of data or materials.
• 3) Having identified risks, the next step is to implement controls that detect and prevent losses and
procedures that enable the organization to recover from losses (or other disasters) with a minimum of
interruption to business continuity.
• 4) The "final" step in the process is to review, test, and update procedures continually. An organization must
ensure continued compliance with its security policy and the relevance of that policy to new and changing
risks.
ROLES AND RESPONSIBILITIES

• As part of this process, employees must be aware of their responsibilities with
regard to security.
The structure of security responsibilities will depend on the size and hierarchy in
place in an organization, but these roles are typical:
■ Overall internal responsibility for security might be allocated to a Director of
Security or Chief Information Security Officer (CISO), with the Chief Information
Officer (CIO) / Chief Technology Officer (CTO) or Finance Director.
■ Managers may have responsibility for a particular area, such as building control,
ICT, or accounting.
ROLES…………..
■ Technical staff may have responsibility for implementing, maintaining, and
monitoring the policy. One notable job role is that of Information Systems
Security Officer (ISSO).
■ Non-technical staff have the responsibility of complying with policy and with
any relevant legislation.
■ External responsibility for security (due care or liability) lies mainly with
directors or owners, though again it is important to note that all employees share
some measure of responsibility.
AN INFORMATION SECURITY
PROFESSIONAL
• Security professionals working in a security role must be competent in a wide range of
disciplines, from network and application design through to procurement and HR. The following
activities might be typical of such a role:
■ Participate in risk assessments and testing of security systems, and make recommendations.
■ Specify, source, install, and configure secure devices and software.
■ Set up and maintain document access control and user privilege profiles.
■ Monitor audit logs and review user privileges and document access controls.
■ Manage security-related incident reporting and response.
■ Create and test business continuity and disaster recovery plans and procedures.
SECURITY CONTROLS
• A security control (or countermeasure) is something designed to make a particular asset or information
system secure (that is, give it the properties of confidentiality, integrity, availability, and non-
repudiation).
Give examples
• IDS/IPS
• Firewalls
• Anti-virus
• Biometrics
• Locks
• Policy
• Access control
• Digital signatures
CONTROL TYPES…
The concept of security controls is best defined in FIPS 200 and NIST Special
Publication 800-53 (Recommended Security Controls for Federal Information
Systems and Organizations).
One of the objectives of these documents is to classify different types of security
control.
They do so by identifying security controls as belonging in one of 18 families,
such as Access Control (AC), Audit and Accountability (AA), Incident Response
(IR), or Risk Assessment (RA), which describe the basic functions of the controls.
Furthermore, each family is assigned to a class, based on the dominant
characteristics of the controls included in that family. The classes identified by
NIST are:
SECURITY CONTROLS(CLASSES)……..

■ Technical - the control is implemented as a system (hardware, software, or firmware). For
example, firewalls, anti-virus software, and OS access control models are technical controls.
■ Operational / administrative - the control is implemented primarily by people rather than
systems. For example, security guards and training programs are operational controls rather than
technical controls.
■ Management - the control gives oversight of the information system. Examples could include
risk identification or a tool allowing the evaluation and selection of other security controls.
CLASSES…….
OPERATIONAL CLASS
• Awareness and Training
• Configuration Management
• Contingency Planning
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Personnel Security
• System and Information Integrity
CLASSES….

TECHNICAL CLASS
• Access Control
• Audit and Accountability
• Identification and Authentication
• System and Communications Protection

• Technical - controls implemented in operating systems, software, and hardware devices.


CLASSES…..
MANAGEMENT CLASS / ADMINISTRATIVE
• Security Assessment and Authorization
• Planning
• Risk Assessment Management
• System and Services Acquisition
• Program Management
• Policies

Administrative - controls that determine the way people act, including policies, procedures, and guidance.
CONTROLS….

• Whether administrative or technical, controls can also be classified according to the goal or
function of the control in a simpler schema than the families identified by NIST.
■ Preventive - the control physically or logically restricts unauthorized access. A directive can
be thought of as an administrative version of a preventive control. (IPS - give more examples)
■ Deterrent - the control may not physically or logically prevent access, but psychologically
discourages an attacker from attempting an intrusion. (audit trails, logs, penalties - give more
examples)
■ Detective - the control may not prevent or deter access, but it will identify and record any
attempted or successful intrusion. (IDS - give more examples)
CONTROLS….

■ Corrective - the control responds to and fixes an incident and may also prevent
its reoccurrence, e.g. IPS, anti-virus, patches, OS hardening.
■ Compensating - the control does not prevent the attack but restores the
function of the system through some other means, such as using data backup or
an alternative site.
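A detective control in its simplest form is a piece of monitoring logic run over audit logs (the "monitor audit logs" activity listed for the security professional earlier). The following Go program is an added example, not part of the lecture notes: it reads constructed SSH-style authentication log lines (the addresses are from documentation ranges and the lines are made up for this example) and raises a medium alert when one source reaches three failed logins within five minutes, and a high alert when that same source then logs in successfully. The threshold and window are assumed values that a real deployment would tune; the point is that the control records and reports the attempt rather than blocking it, which is what separates a detective control from a preventive one.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Constructed sample audit log (not from a real system). Format modelled on
// OpenSSH syslog lines with an RFC 3339 timestamp prefix.
var sampleLog = []string{
	"2024-05-01T08:00:01Z sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
	"2024-05-01T08:00:09Z sshd[1002]: Failed password for root from 203.0.113.7 port 51530 ssh2",
	"2024-05-01T08:00:15Z sshd[1003]: Accepted password for jane from 198.51.100.20 port 40001 ssh2",
	"2024-05-01T08:00:31Z sshd[1004]: Failed password for root from 203.0.113.7 port 51544 ssh2",
	"2024-05-01T08:00:47Z sshd[1005]: Failed password for jane from 198.51.100.20 port 40002 ssh2",
	"2024-05-01T08:01:02Z sshd[1006]: Accepted password for root from 203.0.113.7 port 51560 ssh2",
	"2024-05-01T09:30:00Z sshd[1007]: Failed password for root from 203.0.113.9 port 60000 ssh2",
}

// authLine captures timestamp, outcome, user name and source address.
var authLine = regexp.MustCompile(`^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port`)

// Alert is what the detective control records for a human or SIEM to act on.
type Alert struct {
	Source   string
	When     time.Time
	Severity string // "medium" for a burst of failures, "high" if a success follows one
	Detail   string
}

// Assumed tuning values; a real deployment would set these per environment.
const (
	window    = 5 * time.Minute
	threshold = 3
)

// DetectBruteForce scans lines in order. It fires a medium alert when a source
// reaches `threshold` failures inside `window`, and a high alert when a source
// that has been flagged then authenticates successfully while failures are
// still inside the window.
func DetectBruteForce(lines []string) []Alert {
	failures := map[string][]time.Time{} // recent failure times per source
	flagged := map[string]bool{}         // sources that have hit the threshold
	var alerts []Alert

	for _, ln := range lines {
		m := authLine.FindStringSubmatch(ln)
		if m == nil {
			continue // not an authentication event
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue // malformed timestamp; a production tool would count these too
		}
		result, user, src := m[2], m[3], m[4]

		// Drop failures that have aged out of the sliding window.
		kept := failures[src][:0]
		for _, t := range failures[src] {
			if ts.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		failures[src] = kept

		switch result {
		case "Failed":
			failures[src] = append(failures[src], ts)
			if len(failures[src]) == threshold { // fire once, when the threshold is crossed
				flagged[src] = true
				alerts = append(alerts, Alert{src, ts, "medium",
					fmt.Sprintf("%d failed logins within %s (last user %q)", threshold, window, user)})
			}
		case "Accepted":
			if flagged[src] && len(failures[src]) > 0 {
				alerts = append(alerts, Alert{src, ts, "high",
					fmt.Sprintf("successful login as %q after %d recent failures", user, len(failures[src]))})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectBruteForce(sampleLog) {
		fmt.Printf("[%s] %s %s: %s\n", a.Severity, a.When.Format(time.RFC3339), a.Source, a.Detail)
	}
}
```

On the sample log this produces two alerts for 203.0.113.7: the burst of three failures, then the successful root login a minute later. The single failure from 203.0.113.9 and the one failure from jane's address stay below the threshold and are not reported, which is the trade-off every detective control makes between noise and coverage.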
QUESTIONS??????????

• End of lecture one
