Cybersecurity concepts & Defense best practises

Cybersecurity Concept
&
Defense best practices
Presented by
Wajahat Iqbal
B.E(Computer Science),ISO 27001 LI,ISO 22301 LI

Cybersecurity
Concept & Framework

Definition
Cybersecurity Domain is a collection of best
practices,Technologies,Frameworks & Standards to
protect an enterprise,organization ,Govt
entities,Military establishment,Individual user from
global cyber threats(Theft Identity,Cybertheft,Cyber-
ransom,Infrastructure damage) resulting in either
Financial,Economical,Copyright Information,Personal
identity,Infrastructure loss.
3

Major Cybersecurity standards
 NIST Cybersecurity Framework (De-facto standard)
 ISO 27001 (Information Security Management
Framework)
 ISACA COBIT5
 NIST SP800-53
 NIST SP800-30
 ISA 62443
 ISO 27005
The Cybersecurity standards were first adopted in the Seoul (South Korea) Conference on
Global Cybersecurity in 2013
4

Cybersecurity holistic view
 Manage physical access to IT Infrastructure
 Manage sensitive documents and output Devices
 Monitor the Infrastructure for security related Events
 Protect against Malware (*** Most challenging )
 Manage Network and Connectivity security
 Manage User Identity and logical access
 Protect critical and vital Infrastructure (Banks,Vital
Industrial installations,IT,Nuclear power,Dams,Defense)
5

Cybersecurity Lifecycle
The Cybersecurity Lifecycle can be described aptly by the
below (Figure-1) which decomposes the various stages .
6
(1) Identify
Business
outcomes
(2)Understand
Vulnerabilities
Threats
(3)Create
current profile
(4)Conduct Risk
assessments
(5)Apply
Controls
(6)Create
Target profile
(7)Determine/
prioritize gaps
(8)Implement
plan
(9)Report to
stakeholders
(10)Continuous
monitoring
Cyber security Lifecycle

Risk actions
7
Risk Actions: The most generally accepted Actions on
Risk Management Cycle are:
(1) Risk Acceptance
(2) Risk Transfer
(3) Risk Avoidance
(4) Risk Mitigation – Most practised action
Depending on Risk Appetite/Risk Tolerance threshold
of an Organisation
These are drawn from the ISO 27001 Standard for ISMS
which is the most widely used and accepted standard
on IT Security involving Risk Management processes

Threat to Cyberdefense
9
The damage caused by threats to Cyberdefense can be
characterized by loss of “Confidentiality, Integrity or
availability (CIA)”, the basic model of Data Security as
practiced in ISO27001/27002 and other globally accepted
standards

Hackers profile
The different type of Hackers are:
 Individual Hacker
 State Sponsored (With Political & Military Agenda)
 Cyber Criminals (Organised Mafia)
10

Hacker Kill Chain
The USA Aeronautics Major Lockheed Martin – Kill Chain
methodology describes seven steps from reconnaissance
through actions on the objectives and recommends defenses
be designed to align with each of the seven steps in the process
below:
11

Summary of Kill Chain
 Reconnaissance:
 Finding the Host,Internet Website,Domain
 Do IP Address Scan of the Business Domain
 Do Port Scan of the Active hosts
 Automated scanning by Botnets (Compromised
Systems)
 Locate Network Topology and identify potential
access control Devices
12

Summary of Kill Chain(Cont’d)
 Weaponization:
 Identify the Vulnerability
 Initiate the Attack
 Coupling a remote access Trojan(RAT) with an
Exploit into a deliverable payload,typically by means
of an automated tool (The commonly used
weaponizer are Adobe PDF and Microsoft Office
documents)
 Delivery:
 Transmission of Weapon to the targeted environment
 Three most prevalent delivery vectors for weaponzied
payloads are – Emails,Compromised Web Sites & USB
removal media
13

Summary of Kill Chain (Cont’d)
 Exploitation:
 Email,Website &USB explore a Vulnerability on
launch and Hacket gets remote access to admin Shell
 Exploitation targets Operating System or Application
vulnerability
 Installation:
 Install Malware(Malicious Code) into Memory,Disk
or Operating System Kernel,modify windows
registry,modify Unix Kernel
 Allow installation of remote access Trojan or
backdoor on the victim system
14

Summary of Kill Chain (Cont’d)
 Command & Control (C2):
 Compromised system/hosts beacon back to the Master
Controller to establish C2 Channel
 Hacker gains complete control of the compromised system
 Intruders have “hands on the keyboard” access to the
targeted environment
 Action:
 This Activity is data exfiltration that involves
collecting,encrypting and extraction information (e,g
Deface Website,Steal Credit Card Information,Steal
Copyright Information,Steal IE passwords,Modify Banking
websites,Steal medical records) etc
15

BOTNET Attack(Automated)
These days professional Hackers,Malware developers,Cyber
Criminals work in tandem to develop automated Tools to
initiate a Cyber Attack against the intended victim/host.The
mechanism is to install remote access Trojan(RAT) on
compromised system(BOTNETS) which could number in
thousands and then initiate the attack in phases as shown in
Figure- 2 (next page)
Key Components of a BOTNET Attack:
 BOTNET Construction Kit
 Command & Control Capability
 Remote Access Trojan(RAT)
 Custom developed Malware(Malicious Code) for the
intended Victim/Host
(Example BOTNET Attacks - ZEUS,CITADEL,GO ZEUS) 16

BOTNET Attack(Automated)
These
17

SOC -
CYBERSECURITY
ARCHITECTURE

SOC Components
Lately SOC has become an integral part of any
Organisation to protect itself from Cyber attacks and
detect/correct/recover from a Cyber Incident in the
quickest span of time without further damage to its
reputation. The critical components of a SOC are:
 IDS/IPS Infrastructure
 Firewall Infrastructure
 SIEM (Security Information and Event Monitoring
System)
 Logging and Alerting mechanism
 Security Incident Processes
 Forensics capability
 User Training & Retention
 Managing Evidence 23

SOC Individual Process Layers
24

Cybersecurity Architecture
25
• Network Security
• Identity,Authentication and Access Management
• Data Protection and Cryptography
• Monitoring Vulnerability & Patch Management
• High Availablity,Disaster Recovery & Physical
protection
• Asset Management & Supply Chain
• Policy,Audit,E-Discover & Training
• Systems Adminstration
• Application Security
• Endpoint,Server & Device Security
Cybersecurity
Architecture
The Cyber Architecture consists of the following components:

Defense in Depth(DOD)
This is the most common practice employed by
Organisation to create and implement a multilayered
approach to Cybersecurity.It is described by the following
process (Figure-3) and can be implemented at various
layers of the Network Infrastructure
26
.

9 Basic steps of Cybersecurity
These are the guidelines to follow while drawing up a
comprehensive Cybersecurity program in an Organisation
 #1 : Explore the Legislation and other requirements
 #2: Define the Business benefits and get top Management
support (Very Important)
 #3: Setting the Cybersecurity requirements
 #4: Choosing the framework for Cybersecurity Implementation
 #5:Organizing the Implementation(Setting up Teams,PM
Resources,Project Charter,Budget etc)
 #6: Risk Assessment & Mitigation (Applying Controls)
 #7: Implementation of Controls
 #8: Training & Awareness
 #9: Continuous Monitoring and Checks
and Reporting to Senior Management (C Level Executives)
27

Cybersecurity operational processes
To maintain an effective Cybersecurity posture,the CISO
should maintain a number of enterprise operational
processes to include the following:
 Policies and Policies Exception Management
 Project and Change Security Reviews
 Risk Management
 Control Management
 Auditing and Deficiency Tracking
 Asset Inventory and audit
 Change Control
 Configuration Management Database Re-Certification
 Supplier reviews and Risk assessments
28

Cybersecurity operational processes
 CyberIntrusion Response
 All-Hazards Emergency preparedness Exercises
 Vulnerability Scanning,Tracking & Management
 Patch Management & Deployment
 Security Monitoring
 Password and Key Management
 Account and Access periodic Re-Certification
 Privileged Account activity Audit
29

SANS TOP 20
CRITICAL SECURITY CONTROLS

SANS top 20 Controls
These are widely established critical controls to maintain a
healthy Network security posture
31

Incident Process & Management
33

NETWORK PERIMETER SECURITY
(BEST PRACTISES)

Network perimeter best security practises
 Restrict use of administrative utilities(e,g Microsoft Management
Console)
 Use secure File permission system i.e NTFS & UFS File System
 Manage Users properly especially the Admin Accounts on Unix &
Windows machines
 Perform Effective Group Management for – Admin,Print,Power,Server
operator & Normal Users in Windows 2000 O.S
 Enforce strong password policy,password aging for Users
 Enable Windows O.S and Unix O.S logging facility
 Eliminate unnecessary Accounts (especially the Employee’s who
have left the Organisation)
 Disable Resource sharing service and remove hidden administrative
shares – C$,ADMIN$,WIN NT$ in older version of Windows O.S
 Disable unneeded Service in Unix – Telnet,Finger ,tftp,NTP(Network
Time protocol)
 Applications should use the latest Security patches in Production
Environment
35

 Enforce using NAT(Network Address Translation) & PAT(Port Address
Translation) in internal Network (Firewalls & Routers)
 Enable DNS Spoofing,DOS Attacks (Smurf & Direct Broadcast
Attacks) mitigation policies on Gateway Routers via ACL and Cisco IOS
 Enforce Best Industry practice of secure Application Coding to
mitigate “Buffer Overflow” Vulnerability in the Memory
 Enforce strong password policy,password aging,lockout policy for
Application Databases (Oracle,Sybase)
 Install latest O.S and Application patches as soon they are available
from Vendors
 Install latest Security patches for Browsers,Flash Players,Microsoft
Applications
 Update the Anti-Virus & IDS/IPS /HIDS Signatures on frequent basis
 Update the Business Continuity/DR Plan and keep latest backup of all
critical Servers
36

 Update and Install latest Security patches for Application
Gateways(Proxies),Web Filltering Devices,Firewalls
 Check the Logs daily on Firewalls,IPS/IDS,HIDS for any Security
Incident triggered by any malicious Activity
 Implement Industry Best practices to secure the Network (NIST
Guidelines,SANS 20 Critical Security Controls,NSA Guidelines etc)
 Place the Mission Critical Web Servers (User Interface) on a Screened
Subnet,DMZ and the backend Application Server & Oracle Database
Server in the internal Network
 Change the Default Password of SNMP Community string on Network
Devices
37

NETWORK PERIMETER SECURITY
(CASE STUDY)

CASE STUDY – Cyber attack secure design
39

Design Features:
 Border Router:A Gateway Router connects the network to the
Internet and provides basic Filtering through ACL(Access
Control Lists) on Ingress & Egress Interfaces
 Just behind the Gateway Router is Stateful Inspection Firewall
that enforces the majority of access control of the network
 Public services and private services have been separated by
putting them on different network segments (DMZ,Corporate &
Screened Subnet)
 Split DNS is being used on public DNS Server and it provides
Name resolution for public services only
 Intrusion Detection Systems(IDS) are located on the
public,private,network perimeter end points to watch for
unusual activity
 The Front end Application Web server is on the Screened Subnet
and the backed Oracle DB Server is behind the Internal Firewall
40

 Host based IDS(HIDS) complement the Network by adding
additional layer of security and are placed on the individual
mission critical servers(Anti-Virus,Email Proxy,Web
Proxy,Internal Email Server,Oracle DB Server) to monitor the
systems network activity,log files,Files Systems Integrity and
User actions.A host based IDS will also detect and generate an
alarm when it detects escalation of privileges for a Guest user to
Admin Account
 Host based IDS can help detect attacks that network IDS evasion
techniques
 Host based IDS is also useful for correlating attacks picked up by
Network sensors
 All security log entries are sent to the SIEM(Security Information
and Event Monitoring System) for Data Analysis and
Forensics.The SIEM generates an Alert when suspicious activity
is detected
 For the Remote Office users all their Laptops are installed with
Personal Firewalls to mitigate/detect Hacker entry through
backdoor channels
41

 All configuration of security devices is performed from the
management console
 Additionally one can install TACACS,RADIUS Servers to monitor
Users access on the Gateway Router and other mission critical
Servers
The sample Rule base configured for the above Network
Design on the Stateful Inspection Firewall can be as follows
(Illustrative purpose only): Next page
42

43

CONCLUSION
Conclusion Note:
The process to securing and making a perfect “Digital
World” is a ongoing continuous Journey ,and with ever
changing Modus operandi of the Hackers and the Cyber
Criminals globally,we always have to be one step forward in
the race to protect our Digital Assets,Intellectual
property,Identity,Infrastructure.
Thank You
(Wajahat Iqbal)
44

Disclaimer Note:
This is Copyright Material © of Wajahat Iqbal
(2016) and the Information shown is collected
from Internet repositories and any typo, error,
omission is regretted on behalf of Author.The
Author does not hold any responsibility or
liability for the incorrectness of the Information
shared.This technical presentation can be
shared/Printed/Distributed keeping in view that
Credit is given rightly to the Author.
Contact E-Mail: Wajahat_Iqbal@Yahoo.com
LinkedIn: http://www.linkedin.com/in/wiqbal
45

Cybersecurity concepts & Defense best practises

More Related Content

What's hot

Viewers also liked

Similar to Cybersecurity concepts & Defense best practises

Recently uploaded

Cybersecurity concepts & Defense best practises