CR300 – Introduction to

cybersecurity
Introductions and asset security

CR300EN – Asset security 1

Course Outline
• Introduction
– VIA eLearning

• Course description
• Why does cybersecurity matter?
• Security objectives
• Definitions
• Risks and threats

CR300 - Security des active 2

VIA eLearning
Interaction Guidelines:
●
Ask your questions and post your comments in the
chat window.
●
Use a microphone or a webcam.
● Update your status if you are not present Mute
● your microphone when not speaking.

CR300 - Active Security 3

Who am I?
• Philip Veilleux, Madm, CISSP, CRISC, CISA, CISM
• Business information officer at National Bank of Canada
• Started in IT in 1994 as a Solaris Sysadmin, in Security in 1998 as a firewall
admin and in the Finance industry since 2008, 22 years of Infosec
• Polytechnique : CR300E (First Class)
• Background is very technical, network and infrastructure.
• Complex IT transactional system problem resolution

CR300 – Asset Security 4

Contact information
• Email: [email protected]

• Availability:
• Online 15-30 minutes before and after the day’s lecture.
• Through email anytime
(I reply as soon as possible, usually within 24 hours)

CR300 – Asset Security 5

Course version
• Original version, Mickael Emirkanian, 2016.
• Revision by Cyrille Aubergier, 2017.
• Updated by Cyrille Aubergier, Frédéric Buteau-Tremblay, 2018
• Translated by Frédéric Buteau-Tremblay, 2018
• Minor updates, Christian Schreiber, 2019
• Minor updates, Philip Veilleux, 2020

CR300 – Asset Security 6

Course content
• Sections:
1. Cybersecurity fundamentals
2. Assets security
3. Cryptography (3 sessions)
4. Network and communications security
5. Identity management and access control
6. Application security and software development (2 sessions)
7. Security architecture and threat modelling
8. Security assurance, validation and testing
9. Incident management and investigations, operations security and business
continuity planning
10. Ethics and privacy
CR300 – Asset security 7
Rules
• Aucune forme de fraude, plagiat, tricherie ne sera tolérée (article 9 from the “règlements
pédagogiques des certificats”
http://www.polymtl.ca/sg/docs_officiels/2420reglement.php#p9).
• Translation: No kind of fraud, plagiarism or cheating will be tolerated

• Toute absence à un examen ou retard dans la remise du travail de session devra être justifié
au Bureau des affaires académiques (article 15 from the “règlements pédagogiques des
certificats” http://www.polymtl.ca/sg/docs_officiels/2420reglement.php#p15).
• Translation: Any absence for an exam or being late handing the semester’s assignment must
be justified to the academic bureau.

• The student must honour the agreement made by signing the code of conduct.

CR300 – Asset Security 8

Evaluation
• 2 homework assignments (2 x 15%)
• 1 semester assignment (30%)
• 1 final exam (40%)

CR300 – Asset Security 9

Homework
• Two homework assignments to do in addition to the weekly lectures.
• In two parts: theory (Moodle quiz) and practice (exercise)
• The quizzes are limited in time but are open book.
• Rules for being late handing in the exercises: 10% penalty per day for
three days, then refused after three days.
• Due dates:
• Homework Assignment #1 : February 12th, 2020
• Homework Assignment #2 : March 11th, 2020

CR300 – Asset Security 10

Semester’s assignment
• Case study and practical exercise
• Individual work
To hand in on or before March 25th, 2020
• Rules for handing in the assignment late: 10% penalty per day
for the 3 first days, then refused after 3 days.

CR300 -Asset security 11

Final exam
• Wednesday, April 22nd, 2020 (To be confirmed)
• Online
• Covers all topics discussed during the semester (lectures,
assignments, homework).
• Open book exam.

– Choose group 1 (Wednesday) to do the exam in Montreal

– Choose group 11 (Wednesday) to do the exam in Ste-Foy, Québec.

CR300 – Asset Security 12

Survey
●
3 minutes : 3 questions to tell us about yourselves
- Your Professional Status
- Your Experience
- What you’d like to get out of the class

CR300 – Asset security 13

Course Outline
• Introduction
– VIA eLearning

• Course description
• Why does cybersecurity matter?
• Security objectives
• Definitions
• Risks and threats

CR300 – Assets security 14

Distributed systems ubiquity
• Cloud computing
• Mobility
• Internet of things (IOT)
• Thermostats
• Camera surveillance
• Fridges
• Industrial controls
• Nuclear sites
• Embedded systems
• Planes
• Cars

CR300 – Assets Security 15

Examples of security breaches
• Financial Data
• Desjardins, Capital One, Target, Home Depot, Wendy’s, Panama Papers, McDonald’s
Canada, Uber, Equifax, …

• Passwords and personal data

• Capital One, Equifax, Yahoo(500M+1000M), Adobe, LinkedIn(100M),
AdultFriendFinder(339M) Dropbox(68M), MySpace(427M), tumblr (65M)
• haveibeenpwned.com
●
Transportation
• Jeep
F-Secure/intel Security/Mandiant/IBM/ Cyber security Report 2017
CR300 -Assets Security 16
Financial data
• Target (2013)
• 40M credit and debit cards
• Home Depot (2014)
• 56M credit and debit cards
• Wendy's (2016)
• 1025 Wendy’s locations point of sale’s data.

• The current trend is now personal data theft

CR300 – Assets security 17

Money
• Financial data theft
• Ransomware: Files taken as hostages (encrypted or deleted) for
ransom
• Victims:
• Small, medium, or large enterprises
• Governments, hospitals, police precincts
• Bitcoin currency theft
• MtGox (850,000BTC = $620M)
• Bitfinex (120,000BTC = $70M)

CR300 – Assets security 18

Notable breaches – 2018 Edition

CR300 – Assets security 19

 Source www.le-vpn.com

CR300 – Assets security 20

Different threats
• Different threats according to different capabilities:
• Organized crime
• Nation-state
• Script kiddies

Attack types:

CR300 – Assets security 21

Different threats
Goals:

CR300 -Assets Security 22

The Internet is a war zone
• Spying, sabotage, advanced persistent threats (APT):
• Stuxnet, Duku, Project Sauron, Babar,
●
Governments are channelling a lot of money into cybersecurity
• For attacking and for defending
●
Wars and cyberwars are now linked together (Georgia, Ukraine …).

CR300 – Assets Security 23

Cybersecurity is constantly evolving
• New vulnerabilities appear daily but some threats have been the
same for the last 30 years (social engineering, viruses, bugs inside
software, etc.).

• It’s of the utmost importance to stay current in the field

• Newsletters / twitter
• Blogs
• Whitepapers from the principal actors in the security field

CR300 -Assets Security 24

Other courses in the certificate program
(French only)
• CR330 Audit Internet et conformité
• CR350: Réseautique et sécurité
• CR410: Gestion des identités et des accès
• CR440: Sécurité applicative
• CR340: Détection et réponses aux incidents
• CR470: Tests d’intrusion
• CR490: Cryptographie appliquée
•…
http://www.polymtl.ca/etudes/certificats/cheminement/cybersecurite.php
CR300 – Assets security 24
Course outline
• Introduction
– VIA eLearning

• Course description
• Why cybersecurity matters?
• Security objectives
• Definitions
• Risks and threats

CR300 – Security Assets 25

What is security ?
• A situation in which something is not exposed to any danger, any risk, […] of
theft, of deterioration (Larousse)

– The absence or limitation of risks in a precise domain.

• Security of information:
• Protection information: protection of systems that
• use
• store
• transmit these pieces of information
• Covers: software, management policies, education and technology

CR300 – Asset security 27

How to manage security?
• The security of systems must be:
• A part of the enterprise’s mission
• Must represent an acceptable/sufficient cost
• Under the responsibility of a group
• Audited regularly
• Designed according to legal factors according to regulatory standards
• Designed according to human factors

• But what is the first mission of an enterprise?

CR300 – Asset security 28

Security is a business need
• Ensures business continuity
• Permits the secure operation of information management systems
• Protects the information assets throughout the organization
• Data
• Systems
• Clients

CR300 – Assets Security 29

Security of information systems
• Understanding each element of an information system:
• Hardware, software
• Software libraries, data, people and processes

• A system can be the subject or the object of an attack:

• Object: The system is receiving an attack
• Subject: The system conducts an attack

CR300 – Assets Security 30

Security objectives of information systems

• Confidentiality: Data can be accessed only by authorized people; any

other access is prohibited

• Integrity: Data cannot be altered or corrupted in a illicit fashion: the

data must remain exact and complete

• Availability: The system must work without errors and insure the
access of services, without degradation.

CR300 -Asset Security 31

Security of information objectives

• Authentication: Validates the identity of an individual or of a system.

• The identification enables the knowledge of an identity, the authentication
verifies the identity
• Authorization: Validates the privileges and accesses of an individual
or a system.
• Audit (accounting, traces or proofs): All the accesses and operations
are traced and these traces are stored in case of inquiry or in need of
validation.
• Non-repudiation and imputation: A user or a system cannot deny an
action or operation that has been made: the actions cannot be
attributed to any other user. 31
CR300 – Assets security
Course outline
• Introduction
– VIA eLearning

• Course description
• Why cybersecurity matters?
• Security objectives
• Definitions
• Risks and threats

CR300 – Assets security 32

Asset
Preserve the confidentiality, integrity and availability of assets

• Informational asset: document or data (stored on paper or electronic

media)
• Computational asset: Any computer system or telecommunication
system that:
• Enables manipulation, transformation, transmission, reception and storage of
informational assets

CR300 – Assets Security 34

Errors and vulnerabilities
• An error (or a software bug) is defined as a state which a computer or software system has
not been designed for, but has entered regardless. This can be caused by:
• Neglect
• Errors in development
• Bad data
• Hardware failure
• A vulnerability or weakness: a weakness in a computer or software system affecting
normal behaviour
• Usually comes from software bugs
• Enables an attacker to exploit a system
• Trick an application
• Extract data
• Execute commands
• Avoid access controls

CR300 – Assets Security 35

Threat
• A threat is the level of probability that a vulnerability be exploited
• Threat agent/actor: Individuals that can be a threat to a system or an
organization
• Threat management: Audit and validation of information systems, but
also identification of potential threats
• Threat hunting: seeking threats that could potentially evade controls

CR300 – Assets Security 36

Threats categories
• Spoofing: a user or a system passing for a user or a system that it is not
• Tampering: A user or system capable of modifying a message or data without
being authorized to do so, and thus without other users or systems knowing.
• Repudiation: A user capable of denying their actions.
• Information disclosure: Information is distributed to individuals without
having the rights to access it.
• Denial of service: Degradation or disruption, partially or completely, of a
service.
• Privilege escalation: A system is capable of obtaining more permissions
(right, privileges) than it could obtain previously.

CR300 – Asset security 36

Risk
• The intersection of the assets, vulnerabilities and threats
• A risk is the potential of loss, destruction or modification of an asset
and is the result of a threat exploiting a vulnerability
• Unlawful use, loss, damage, destruction, disclosure or modification of assets
for profit or the interests of other individuals or groups.
• Many kinds of risks can apply:
• Computational or information risks
• Human risks
• Physical risks
• Legal risks

CR300 – Assets Security 37

Course outline
• Introduction
– VIA eLearning

• Course description
• Why cybersecurity matters?
• Security objectives
• Definitions
• Risks and threats

CR300 - Assets security 38

Computer threats
• Malware:
• Virus: can replicate and propagate
• Worm: can replicate and propagate inside a network, without the assistance of a human
• Trojan: malware that looks legitimate
• Backdoor: Enables unapproved access to a system remotely
• Spyware: Enables the collection of personal information, data or actions made on a
system
• Keylogger: Collects every keyboard character typed by users on a system
• Rootkit: Enables the acquisition of administrative rights and privileges on a system
• Logic bomb: Executes malicious functions under specific conditions or environments.
• Ransomware: Takes personal data as hostage using encryption

CR300 – Asset Security 39

Virus
• Can replicate and propagate
• Ex: ILOVEYOU (2000)

CR300 -Assets Security 40

Spyware examples

Gh0st rat
sub7
CR300 – Assets Security 41
Other spyware examples

FinFisher FinSpy

CR300 -Assets Security 42

Ransomware

CR300 - Active Security 43

Computer threats
• Network threats:
• Sniffing: Collecting communications or information during transit
• Spoofing: Faking being another system or user
• Hijacking: Enabling the acquisition of control over a system (can be applied on multiple levels)
• Man-in-the-middle: A kind of spoofing where the attacker finds himself, in a persistent manner,
between a user and another user or service, and intercepts/forge communication and data.
• Denial of service DoS: Sending messages causing a degradation or interruption of service, or a
delay in service
• Botnet: Being part of an army consisting of systems and controlled by a master
• Spam: Undesirable emails or messages potentially vectors of other attacks
• Hardware or software outages

CR300 – Assets security 44

 Human risks

• Human error

• Phishing: malicious message of legitimate appearance, asking the

victim to
disclose personal information.
Social engineering: Obtaining fraudulently information about a victim
through psychological manipulation
• Espionage, sabotage, vandalism or theft (Insider Threat): Deliberate
attack from a legitimate user.

CR300 – Assets Security 46

Physical and Legal risks
• Physical risks:
• Intrusion
• Theft our hardware alteration
• Physical damages
• Natural hazard (fire, earthquake, power outage, meteorites)

• Legal risks: laws governing information systems throughout the world

• User data protection
• Private life protection

CR300 – Assets Security 47

 Exploit, breach, compromise
• An exploit, creates a breach and compromises the system
• Procedure or software code enabling the exploitation of a vulnerability:
• Through the network or locally
• Afterwards the attacker can make operations that were previously impossible:
• Taking control of a computer or a network
• Access to data
• There are many types
• Buffer/heap overflow
• SQL injection
• Cross-site-scripting (XSS)
• Code injection
•…
• Knowns or unknowns (0-day)
CR300 – Assets Security 48
Control
• A security control reduces the risk of threats over the assets
• A control can be:
• Preventative: make sure mistakes cannot be introduced
• Detective: Seek and find errors
• Corrective: correct errors when they happen
• Compensative: balance an error with something compensatory
• Dissuasive: dissuade an adversary

CR300 – Assets Security 49

Policies and mechanisms
• A security policy lists the rules of what can be done or not
• By an asset or a user
• Ex: each user must authenticate before accessing the web site
• A security mechanism is the method, tool or procedure
enforcing security by implementing a security policy
• Ex: HTTP authentication for a site

CR300 – Assets security 50

Assumptions and trust
• Trust is the basis of security:
• Some assumptions are made but rarely validated:
• Software libraries
• Operating systems
• Cryptographic Algorithms
• Firmware: network cards/ video cards / CPU ...

• Where to stop?
• It depends on the level of trust or assurance you are looking for.

CR300 – Asset Security 50

Assets Management
• Assurance enable the assets risk management by making measurements
of trust in an asset’s security.
• It is a repeatable process enabling quantification of an asset’s security,
and validating the proper workings of policies and security mechanisms:
• Enumeration/classification
• Risk analysis
• Assets risk management
• Evaluations and audits
• Many assurance guides and standards: RiskIT, CobiT, PCI DSS, ISO 27002

CR300 – Assets Security 52

Information systems lifecycle
• A specification: defining, formally or informally what a system can or cannot
do:
• The business requirements
• A design: accepting the specifications if and only if the design does not permit
the system of violating the required specifications:
• Technologies enabling the business requirements
• The implementation: creating a system that satisfies the design, itself
satisfying specifications:
• Software components and processes implementing the design
• The maintenance: the necessary tasks supporting the system for the rest of its
life.
CR300 – Assets Security 53
Where to implement security?
Source: https://www.microsoft.com/en-us/SDL/about/benefits.aspx
• Security must be implemented at each lifecycle step
• The mitigation costs of a bug increase exponentially:

CR300 - Active Security 53

Security balance
• It’s impossible to achieve “total security”:
• Security is not binary as “secure” or “not-secure”
• It’s a continuous process
• Balance between protection and availability:
• Insuring the proper operations while implementing protection against threats
• Also an economy balance:
• The value of the assets and the costs necessary for securing those assets
• The value of the assets for an adversary and his capabilities
• Ex: DDoS

CR300 – Assets security 54

Security balance
• Trust, but verify
• Secure today does not mean secure tomorrow
• Complexity is often the enemy of security
• Understanding technologies and what is at stake:
• Risks, vulnerabilities …
• The business environment

CR300 – Assets Security 56

Next session
Risk Management

Any questions ?

CR300 – Assets Security 57