Lec-5: Cyber Security
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬
Enterprise Cybersecurity Architecture
• There are 11 functional areas that need to be organized and managed in
enterprise cybersecurity
1. System administration
2. Network Security
3. Application Security
4. Endpoint, Server, and Device Security
5. Identity, Authentication, and Access Management
6. Data Protection and Cryptography
7. Monitoring, vulnerability and patch management
8. High availability, Disaster recovery, and Physical Protection
9. Incident Response
10. Asset Management and supply chain
11. Policy, Audit, E-Discovery and Training
Outline to be discussed today
• Endpoint, Server, and Device Security
• Identity, Authentication, and Access Management
• Data Protection and Cryptography
Endpoint, Server and Device Security
Endpoint, Server, and Device Security
• Involves protecting endpoint computing devices from attack and detecting
when those endpoints have been breached:
• Personal computers
• Servers
• Mobile devices
Number of compromised endpoints will never be zero
Reasons are in next slides….
Reasons……
• Heterogeneous enterprise environments may also have different
operating systems and hardware platforms to deal with as well. As a
result, each environment has its own specific quirks and
vulnerabilities
• Many of an enterprise’s endpoints may be outside of its control and
belong to enterprise partners, customers, and consumers.
Solutions……………..
• An enterprise needs to consider the security of these devices in terms
of its overall risk analysis and consider how to compensate for their
potential vulnerabilities through other means and protections.
Goals and Objectives
• Goals
• Prevent attackers from taking administrative control of computing devices
• Detect attempts to maliciously use these devices
• Facilitate investigation of incidents when compromise of systems or data is
suspected
• Objectives
• To make endpoints, servers and devices harder to compromise
• To alert the enterprise to malicious software and attempts to exploit the OS
• To log device activities securely
• To analyze logs to identify malicious activity
E, S, DS: Threat Vectors
• Viruses proliferate across the Internet, exploiting operating system
vulnerabilities to pass from machine to machine. This problem
continues to be prevalent due to unpatched vulnerabilities (that is,
not keeping up-to-date with latest security patches), particularly in
application software that may not be centrally managed.
• Deliberate attackers exploit vulnerabilities in enterprise software
products or operating systems, or even leverage zero-day exploits to
take control of targeted computers.
Continued……
• Advanced attackers obtain administrator credentials within an
enterprise and then use those credentials to install malware and
“backdoors” (in other words, unauthorized access pathways) on
systems so that they can control them. This attack is challenging to
defend against because it uses the same systems administration
channels that the enterprise relies on for central control.
• Particularly on mobile devices, malware is embedded in software
applications available through legitimate software stores and installed
by unsuspecting users. This threat vector is particularly effective on
mobile devices, but it will likely become more common as the
application store paradigm becomes commonplace.
E, S, DS: Capabilities
• Local administrator privilege restrictions
• Computer security and logging policies
• Endpoint and media encryption
• Computer access controls
• Forensic imaging support for investigations
• Virtual desktop/thin clients
• Mobile Device Management (MDM)
• Anti-virus/anti-malware
• Application whitelisting
• In-memory malware detection
• Host firewall and intrusion detection
• “Gold code” software images
• Security Technical Implementation Guides (STIGs)
• Always-on Virtual Private Networking (VPN)
• File integrity and change monitoring
Identity, Authentication, and Access Management
Identity, Authentication, and Access Management
• Identity, authentication, and access management support all other
security functional areas by providing answers to the following
questions:
• Who is accessing enterprise IT systems?
• How are they identified?
• What can they access once they are authenticated?
Continued…..
• When systems are isolated on corporate networks:
• It is expected that all who have access to corporate networks are cleared and
authorized in some way
• When systems are connected to the Internet:
• The connection becomes a tremendous problem
• Billions of people are literally “one click and a password” away from accessing enterprise
systems
• This reality is where identity management and
solid authentication mechanisms become critical
to successful cyberdefense.
Continued……….
• Identity Mgmt. helps to ensure that accounts and accesses are
provisioned, de-provisioned and periodically re-certified according to
enterprise policies.
• Authentication helps to ensure that appropriate technologies are
used to positively identify users who are accessing enterprise systems
so that there is a high level of confidence that the people are who
they say they are.
• Access Mgmt. helps to ensure that privileges on enterprise systems
are provisioned and de-provisioned according to “least privilege”
methodologies, and users do not have privileges that exceed their
roles in the enterprise.
I,A,A: Goal
• To ensure that only authorized people can access resources in the
enterprise
I, A, A: Objectives
• Preventive objective: To make it harder for attackers to gain access to enterprise
resources by impersonating legitimate users, granting themselves inappropriate
permissions, or using accounts that should not have been available to them.
• Detective objective: To alert the enterprise on credential or permission abuse
within the enterprise and to identify when accounts are being attacked or have
been compromised.
• Forensic objective: To log account activity, including the full life cycle associated
with accounts, permissions, and logon activities. These logs can then be
data-mined and correlated with other enterprise events to identify attack patterns.
• Audit objective: Involves analyzing logs to create artifacts and gather evidence
that accounts and permissions are not being abused.
I, A, A: Threat Vectors
• Attackers use or abuse accounts that are no longer used or maintained, but
have not actually been removed from the enterprise.
• Attackers obtain credentials to legitimate accounts and then use those
accounts to gain entry to the enterprise. Once that entry is obtained,
attackers escalate their privileges by exploiting vulnerabilities in endpoints,
applications, or networks.
• Attackers exploit weak authentication methods or protocols to
impersonate legitimate users and use their credentials over the network.
• Attackers leverage weaknesses in privilege management to take regular
user accounts and grant them administrative or other super-user privileges
within the enterprise.
I, A, A: Capabilities
• Identity life cycle management
• Enterprise directory
• Multi-factor authentication
• Privilege management and access control
• Identity and access audit trail and reporting
• Lightweight Directory Access Protocol (LDAP)
• Kerberos, RADIUS, 802.1x
• Federated authentication
• Security Assertion Markup Language (SAML)
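The identity life cycle, least-privilege and audit points above can be checked mechanically against a directory export. The following is an added example, not code from the lecture: it runs over a constructed account list (hypothetical names and dates) and flags the two threat vectors the slides describe, dormant accounts that were never removed and regular users holding administrative groups beyond their role, plus accounts whose periodic re-certification is overdue. The policy values (allowed groups per role, 90-day dormancy, 365-day re-certification) are assumptions.

```python
from datetime import date

# Constructed directory export (not real data): one record per account with
# enabled flag, last logon, groups held, business role and last re-certification.
ACCOUNTS = [
    {"name": "a.hamid",    "enabled": True,  "last_logon": date(2016, 3, 1),
     "groups": {"staff"},                  "role": "user",    "recertified": date(2016, 1, 10)},
    {"name": "svc_backup", "enabled": True,  "last_logon": date(2015, 6, 20),
     "groups": {"Domain Admins"},          "role": "service", "recertified": date(2015, 1, 5)},
    {"name": "r.noor",     "enabled": True,  "last_logon": date(2016, 2, 28),
     "groups": {"staff", "Domain Admins"}, "role": "user",    "recertified": date(2016, 2, 1)},
    {"name": "old_intern", "enabled": False, "last_logon": date(2014, 9, 1),
     "groups": {"staff"},                  "role": "user",    "recertified": date(2014, 6, 1)},
]

# Assumed policy (hypothetical values): the groups each role may hold, and the
# inactivity and re-certification windows that trigger a review.
ALLOWED_GROUPS = {"user": {"staff"},
                  "admin": {"staff", "Domain Admins"},
                  "service": {"service-accounts"}}
DORMANT_DAYS = 90
RECERT_DAYS = 365

def audit_accounts(accounts, today, allowed=ALLOWED_GROUPS,
                   dormant_days=DORMANT_DAYS, recert_days=RECERT_DAYS):
    """Return (account, finding) pairs for every enabled account that violates policy."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already de-provisioned; nothing for an attacker to abuse
        # Threat vector: accounts no longer used but never removed.
        if (today - acct["last_logon"]).days > dormant_days:
            findings.append((acct["name"], "dormant"))
        # Threat vector / least privilege: group membership beyond what the role allows.
        excess = acct["groups"] - allowed.get(acct["role"], set())
        if excess:
            findings.append((acct["name"], "excess-privilege:" + ",".join(sorted(excess))))
        # Identity life cycle: periodic re-certification is overdue.
        if (today - acct["recertified"]).days > recert_days:
            findings.append((acct["name"], "recertification-overdue"))
    return findings

def run_audit(today_iso="2016-03-15"):
    """Audit the constructed export as of the given date (ISO format)."""
    return audit_accounts(ACCOUNTS, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name:<12} {finding}")
```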
Data Protection and Cryptography
Data Protection and Cryptography
• A very important cybersecurity functional area.
• Protects data at rest and in transit
• Cryptography provides both
Data Protection and Cryptography: Goal
• To protect the confidentiality and integrity of data using such
techniques as encryption and digital signatures.
Data Protection and Cryptography: Objectives
• Preventive objective: Involves protecting the confidentiality and integrity
of enterprise data by using cryptographic technologies. The effectiveness of
these technologies generally revolves around the algorithms they use and
the protection they provide for the cryptographic keys.
• Detective objective: Involves monitoring enterprise cryptographic use to
detect weak cryptography or cryptographic breaches when they occur.
• Forensic objective: Involves tracking the cryptography used in the
enterprise and logging what algorithms and keys are used where to
support later investigations.
• Audit objective: Involves collecting information on the cryptography and
keys that are used and their strengths, and ensuring that they meet the
enterprise requirements for strength and protection.
Data Protection and Cryptography: Threat Vectors
• Attackers use encrypted web sessions either into or out of an enterprise to control
computers on the inside so that those sessions are more difficult to monitor.
• Attackers encrypt enterprise data and then demand that a ransom be paid in order to get
the keys to decrypt the data.
• Attackers crack weak cryptography to steal credentials, intercept encrypted sessions, or
read encrypted data.
• Attackers use brute force to compromise passwords that have been encoded using weak
cryptography.
• Attackers steal the keys to strong cryptography if those keys have not been
well-protected.
• Attackers use “code signing” certificates to make malware appear to be a legitimate
application or device driver.
• Attackers steal data at rest or in transit while it is unencrypted, either through
the application itself or at other vulnerable points in time.
Data Protection and Cryptography: Capabilities
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Digital certificates (Public Key Infrastructure [PKI])
• Key hardware protection (Smart cards, Trusted Platform Modules [TPMs], and
Hardware Security Modules [HSMs])
• One-Time Password (OTP) and Out-of-Band (OOB) authentication
• Key life cycle management (including key rotation)
• Digital signatures
• Complex passwords
• Data encryption and tokenization
• Brute force attack detection
• Digital Rights Management (DRM)
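The detective and audit objectives above (detect weak cryptography; collect what algorithms and keys are used, where, and whether they meet enterprise requirements) and the key life cycle capability reduce to a policy check over an inventory. The following is an added example, not code from the lecture: it runs over a constructed inventory of hypothetical systems and flags banned algorithms, keys below the minimum size, keys past their rotation period, and data that is not encrypted at all, which is the last threat vector listed. The policy values are assumptions.

```python
from datetime import date

# Constructed crypto inventory (not real systems): where cryptography is used,
# with what algorithm and key size, and when the key was created. Hash-only and
# unencrypted entries have no key, so "created" is None for them.
INVENTORY = [
    {"system": "web-portal",   "use": "TLS",       "algorithm": "RSA",  "key_bits": 2048, "created": date(2015, 9, 1)},
    {"system": "legacy-ftp",   "use": "TLS",       "algorithm": "RSA",  "key_bits": 1024, "created": date(2012, 4, 1)},
    {"system": "hr-db",        "use": "passwords", "algorithm": "MD5",  "key_bits": 0,    "created": None},
    {"system": "file-share",   "use": "at-rest",   "algorithm": "AES",  "key_bits": 256,  "created": date(2014, 2, 1)},
    {"system": "vpn-gw",       "use": "IPsec",     "algorithm": "3DES", "key_bits": 168,  "created": date(2016, 1, 1)},
    {"system": "backup-tapes", "use": "at-rest",   "algorithm": "none", "key_bits": 0,    "created": None},
    {"system": "code-signing", "use": "signature", "algorithm": "RSA",  "key_bits": 4096, "created": date(2015, 12, 1)},
]

# Assumed enterprise policy (hypothetical values): algorithms that no longer meet
# the strength requirement, minimum key sizes, and a key rotation period in days.
BANNED_ALGORITHMS = {"MD5", "SHA1", "DES", "3DES", "RC4"}
MIN_KEY_BITS = {"RSA": 2048, "AES": 128, "EC": 256}
ROTATION_DAYS = 730

def check_inventory(inventory, today, banned=BANNED_ALGORITHMS,
                    min_bits=MIN_KEY_BITS, rotation_days=ROTATION_DAYS):
    """Return (system, finding) pairs for every entry that fails the policy."""
    findings = []
    for entry in inventory:
        system, alg = entry["system"], entry["algorithm"]
        # Data stored or sent in the clear: the threat is theft, not a weak cipher.
        if alg == "none":
            findings.append((system, "unencrypted"))
            continue
        # Weak cryptography an attacker could crack.
        if alg in banned:
            findings.append((system, "banned-algorithm:" + alg))
        # Acceptable algorithm, but the key is too short to meet the requirement.
        if alg in min_bits and entry["key_bits"] < min_bits[alg]:
            findings.append((system, f"key-too-short:{entry['key_bits']}<{min_bits[alg]}"))
        # Key life cycle: keys older than the rotation period should be replaced.
        if entry["created"] and (today - entry["created"]).days > rotation_days:
            findings.append((system, "rotation-overdue"))
    return findings

def run_check(today_iso="2016-03-15"):
    """Check the constructed inventory against the policy as of the given date."""
    return check_inventory(INVENTORY, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for system, finding in run_check():
        print(f"{system:<14} {finding}")
```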
Continued………. Next Lecture
1. Monitoring, vulnerability and patch management
2. High availability, Disaster recovery, and Physical Protection
3. Incident Response
4. Asset Management and supply chain
5. Policy, Audit, E-Discovery and Training
Thank You
For Your Patience


Editor's Notes

  1. E = Endpoint, S = Server, DS = Device Security
  2. I = Identity, A = Authentication, A = Access
  3. Federated identity: a management system that provides single access to multiple systems across different enterprises.
     SSO: allows a single authentication credential (user ID and password, smart card, one-time password token or a biometric device) to access multiple or different systems within a single organization.
     LDAP: The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory.
     SAML: The Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) standard that allows a user to log on once for affiliated but separate Web sites.