Cyber Security and Privacy

MS6880

Foundations of cyber security

Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
Components of Information Security

2
The CIA Triangle
} The C.I.A. triangle is made up of:

} Confidentiality

} Integrity

} Availability

} Over time the list of characteristics has expanded, but

these three remain central

} Identification, authentication and authorization are means

to ensure CIA
3
NSTISSC Security Model
National Security Telecommunications and Info Sys Security Committee
(McCumber cube)
Confidentiality
} Confidentiality of information ensures that only those
with sufficient privileges may access certain information
} In addition to cryptography, a number of measures may be
used for confidentiality, including:
} Information classification
} Secure document storage
} Application of general security policies
} Education of information custodians and end users
(Rivest, Shamir and Adleman, 1978)
Integrity

} Integrity is the quality or state of being whole,

complete, and uncorrupted

} The integrity of information is threatened when it is

exposed to corruption, damage, destruction, or other
disruption of its authentic state

} Corruption can occur while information is being

compiled, stored, or transmitted
Availability

} Availability is making information accessible to user

access without interference or obstruction in the
required format

} A user in this definition may be either a person or

another computer system

} Availability means availability to authorized users

Key Concepts of Information Security
} Identification

} Information systems possess the characteristic of identification

when they are able to recognize individual users

} Identification and authentication are essential to establishing

the level of access or authorization that an individual is granted
Key Concepts of Information Security
} Accountability

} The characteristic of accountability exists when a control

provides assurance that every activity undertaken can be
attributed to a named person or automated process
Target case questions (R4)
1. Identify: (i) Technological and (ii) Managerial
vulnerabilities that led to data breach at Target
2. Enumerate Target’s tangible costs vis-a-vis stakeholders
3. Identify intangible impact
} Shortly before Thanksgiving 2013, someone installed
malicious software (malware) on Target’s security and
payments system
} Designed to steal credit card data from the company’s
1,797 U.S. stores
} In theory, Target was prepared for the hack: six months
earlier, the company had begun installing a $1.6 million
malware detection tool designed to inform them of a data
breach.
Target’s security system
} State of the art technology for security
} Used the same security system. . .employed by the CIA, the
Pentagon, and other spy agencies around the world
} Had multiple layers of protection-five firewalls, malware
detection software, intrusion detection and prevention
capabilities, and data loss prevention tools
} Performed internal and external validation and
benchmarking assessments
} Complied with data security standards in the credit card
industry
What went wrong?
} Hackers gained access to Target’s system by stealing
credentials provided by the company to Fazio Mechanical
Services, a contractor that ran Target’s climate systems.
} Target failed to segment its network to ensure that
Fazio–—and other third parties–—did not have access to
its payment systems
} Hackers exploited a connection designed to let Fazio
exchange contract and project management information
with Target
} Used this connection to upload malware onto Target’s
systems, including its individual point-of-sale systems
The exploit
} The malware used by the hackers was programmed to
steal Target’s customer data at the point of sale
} While payment information is encrypted when it is sent
off to confirm a sale, it remains readable within the
system
} ‘RAM scrappers’ would copy customers’ card information
while it was still in the memory storage of Target’s POS
system
Impact
} What was the impact of the breach on Target?
} Customers and banks have filed more than 90 lawsuits
against Target
} Customers, credit card companies, banks..
} In numbers, Target’s profit for the 2013 holiday shopping
period fell 46% from the same quarter the year before
} In sentiment, Target lost the trust of its customers,
investors, and lenders.
Like the Titanic
} Target was warned repeatedly about the occurring
cyberattack.
} Target’s sophisticated security system could and should
have addressed the malware uploaded by the hackers, but
it failed to do so
} The system even had a function that would automatically
delete malware as soon as it was detected, but Target’s
security team had turned off that function
} Because it often halted email and Internet traffic by incorrectly
flagging data as malware

}
Captain Smith’s decisions
} Smith was not ignoring the ice warnings; he was simply
not reacting to them. Ice warnings were just warnings
that a ship sent saying that they had seen ice at a certain
location (Kasprzak, 2012).
} Smith made the decision to not slow down the ship even
though there were reports of ice (Barratt, 2010;
Wilkinson & Hamilton, 2011).
} The weather was calm and clear which gave no reason for
Smith to slow the ship down
} Captain Smith also decided to leave the bridge to attend a
dinner party
Only the paranoid survive
Added words to business vocabulary:
} “Inflection point”, “valley of death”, “10X force”
“I believe that the prime responsibility of a
Manager is to guard constantly against other
people’s attacks and to inculcate this guardian
attitude in the people under his or her
management”
“…I worry about factories not performing well, I worry about
having too many factories. I worry about hiring the right people,
and I worry about morale slacking off…”
--Andrew Grove, Former CEO, Intel Corporation
After effects
} Lesson on employee’s ability to circumvent security
} Move towards security management
} Watershed moment in cyber security regulation
} 52 laws related to data breach in the US, but no
comprehensive national regulation; not one yet!
} 0.1/72 for Target
“As long as the fines aren’t putting businesses into bankruptcy–—or
even serious financial peril, for that matter–—executives and boards are
free to decide they are better off investing the bare minimum in security
and saving the rest for possible breach costs and fines. “ (An industry
observer)
} Is cyber security a god-talk* or a real concern?
 Cyber Security and Privacy
MS6880

Governance, Risk and Compliance

Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
Major data breaches
Approaches to cyber security management
} Governance-Risk-Compliance (GRC) approach
} Dominant accounting/finance perspective
} Cyber security management as an internal control mechanism

} Standards driven approach

} NIST cyber security framework (open)
} ISO/IEC 27001 for information security (proprietary)

} Organizational planning approach

} Cyber security as a part of strategic planning and risk
management
} Contingency planning a constituent of the approach
 GRC approach: Control frameworks
Widespread accounting fraud in the late 90’s to early 2000
resulted in mandatory reforms to prevent fraud
} COBIT: Control Objectives of Information Related Technology
} Framework for IT control
} Specified by ISACA (Information Systems Audit and Control
Association)
} COSO: Committee of Sponsoring Organizations
} Framework for enterprise internal controls (control-based
approach)
} Specified by American Accounting Association and others
} COSO-ERM (Enterprise Risk Management)
} Expands COSO framework taking a risk-based approach
Internal controls
} Processes implemented to provide assurance that the
following objectives are achieved:
} Safeguard assets
} Maintain sufficient records
} Provide accurate and reliable information
} Prepare financial reports according to established criteria
} Promote and improve operational efficiency
} Encourage adherence with management policies
} Comply with laws and regulations
Functions of internal controls
} Preventive controls
} Deter problems from occurring
} Detective controls
} Discover problems that are not prevented
} Corrective controls
} Identify and correct problems; correct and recover from the
problems
COBIT framework
} Current framework version is COBIT 5
} Based on the following principles:
} Meeting stakeholder needs
} Covering the enterprise end-to-end
} Applying a single, integrated framework
} Enabling a holistic approach
} Separating governance from management
COBIT 5 Separates Governance from
Management
Components of COSO Frameworks

COSO COSO-ERM
} Control (internal) } Internal environment
environment } Objective setting
} Risk assessment } Event identification
} Control activities } Risk assessment
} Information and } Risk response
communication } Control activities
} Monitoring } Information and
communication
} Monitoring
Standards: ISO/IEC 17799:2005

} One of the most widely referenced and often discussed

security models is Information Technology – Code of
Practice for Information Security Management, which was
originally published as British Standard BS 7799
} The purpose is to establish “guidelines and general
principles for initiating, implementing, maintaining, and
improving information security management in an
organization”

Slide 11
ISO 27000 series
} ISO/IEC 17799:2005 has 133 possible controls, not all of
which must be used; part of the process is to identify
which are relevant
} Each section includes four categories of information:
} One or more objectives
} Controls relevant to the achievement of the objectives
} Implementation guidance
} Other information
} Renamed as ISO 27002 in 2007
} ISO 27001 provides guidelines on implementation (PDCA
format)

Slide 12
ISO politics
} Many countries, including the U.S., Germany, and Japan,
have not adopted the model, claiming it is fundamentally
flawed:
} The global InfoSec community has not defined any
justification for the code of practice identified
} The model lacks “the necessary measurement precision of a
technical standard”
} There is no reason to believe the model is more useful than
any other approach
} It is not as complete as other frameworks
} It is perceived as being hurriedly prepared, given the
tremendous impact that its adoption could have on industry
information security controls

Slide 15
NIST security models
} NIST documents have two notable advantages:
} They are publicly available at no charge
} Open source vs proprietary debate
} They have been available for some time and thus have been
broadly reviewed by government and industry professionals
} SP 800-12, Computer Security Handbook
} SP 800-14, Generally Accepted Security Principles & Practices
} SP 800-18, Guide for Developing Security Plans
} SP 800-26, Security Self-Assessment Guide-IT Systems
} SP 800-30, Risk Management for Information Technology Systems

Slide 16
SP 800-18: Guide for developing
security plans
} The NIST Special Publication 800-18 offers an approach
to policy management
} These policies are living documents that constantly
change and grow
} These documents must be properly disseminated
(distributed, read, understood, and agreed to) and
managed
} Good management practices for policy development and
maintenance make for a more resilient organization

Slide 17
Cyber Security and Privacy
MS6880

Regulation for Privacy

Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
 The Web (https://www.youtube.com/watch?v=UehilhnMt5Y)

} Welcome to the Hotel California

Such a lovely place (Such a lovely place)
Such a lovely face
They livin' it up at the Hotel California
What a nice surprise (what a nice surprise)
Bring your alibis
--------------------------------------------
Last thing I remember, I was
Running for the door
I had to find the passage back
To the place I was before
"Relax, " said the night man,
"We are programmed to receive.
You can check-out any time you like,
But you can never leave! 2"
“Shaadi”
} “With respect to Content you submit or make available for inclusion on
publicly accessible areas of the Site including but not limited to your
contact details, you hereby unconditionally and irrevocably grant to
Shaadi.com the license to use, distribute, reproduce, modify, adapt, publicly
perform and publicly display such Content on the Site and to Shaadi.com
Centre members from time to time.”

} By posting Content to any public area of Shaadi.com, you automatically

grant, and you represent and warrant that you have the right to grant, to
Shaadi.com, and other Shaadi.com Members, an irrevocable, perpetual, non-
exclusive, fully-paid, worldwide license to use, copy, perform, display, and
distribute such information and content and to prepare derivative works of,
or incorporate into other works, such information and content, and to
grant and authorize sublicenses of the foregoing.

4
Policy fine print
} It takes 76 working days to read and understand a typical
privacy policy (Luca & Bazerman, 2021)
} Field experiments generally do not require consent as it
leads to demand effect
} If you are in social media, you are an uninformed participant in
several behavioral experiments
But,
} Very few people want to be let alone. They want to
manipulate the world around them by selective disclosure
of facts about themselves (Posner, 1978)

} However, despite the complaints, it appears that

consumers freely provide personal data. … the ‘‘privacy
paradox’’ or the relationship between individuals’
intentions to disclose personal information and their
actual personal information disclosure behaviors (Norberg et
al., 2007)

6
Personal experience and privacy
} Co-creation of value: the imperatives
} Personalization
} Personally identifiable data
} Give identity, get privileges
} Orwell's surveillance society vs small town life

7
“Yes we have a right to privacy. But in this society we can’t
have a right to anonymity”
-Derek Smith, CEO, ChoicePoint

8
Right to anonymity?
Personal data
} Personal data is any information that relates to an identified or
identifiable living individual.
} Personal data that has been de-identified, encrypted
or pseudonymised but can be used to re-identify a person
remains personal data and falls within the scope of the GDPR.
Related words
} Anonymity: Anonymity is the ability to conceal a person’s
identity. individuals can choose to be totally anonymous,
pseudonymous, or identifiable.
} Secrecy: Secrecy has been defined as intentional
concealment of information. Privacy need not hide; and
secrecy hides far more than what is private
} Confidentiality: Concerns the externalization of restricted
but accurate information to a specific entity. British law
embraces privacy as confidentiality
} Security: protection of personal information with three
specific goals-integrity, authentication and confidentiality.
Anonymity
} Anonymity is the ability to conceal a person’s identity
} Central for the information collected for statistical
purposes, and use of IT
Privacy preserving data mining
} Anonymity exists when someone is acting in a way that
limits the availability of identifiers to others
} totally anonymous, pseudonymous*, or identifiable
} The goal of privacy preserving data mining is to develop
data mining methods without increasing the risk of
misuse of the data
} Randomization
} Anonymization
} Encryption
Randomization

} Data providers randomize their data and transmit the

randomized data to the data receiver
} The data receiver estimates the original distribution of
the data by employing a distribution reconstruction
algorithm
} If xi is the value of a sensitive attribute, xi +ei, rather than
xi , will appear in the database, where ei is a random noise
drawn from some distribution
 Anonymization
} k-anonymity model widely used (Sweeney, 2002)

} Uses suppression and generalization

Generalized
Suppressed
Generalization or suppression?
Limitations

} Problem: Linking multiple sources to profile

individuals/entities
} Utility of results
Risk vs. utility of data (R-U maps)
} An individual is concerned about one’s privacy (Westin, 1967)
} Personal freedom, autonomy, control, risk
} Business needs personal information for efficiency (Posner,
1981)
} Employer needs to select the right employee
} Relevant products to the right customer
} R-U map shows
the trade off
(Duncan et al., 2001)
Regulatory frameworks
} FIPP as the foundation (1973)
} OECD Guidelines (1980)
} 8 guidelines, including collection and accountability, transparency
} Defines data subject, data controller, data processor
} Safeguards cross boarder data transfer
} EU Data Protection Directive (1995)àGDPR (2018)
} Accountability
} FTC privacy principles (1998)
} 5 points of (i)notice/awareness, (ii)choice/consent,
(iii)access/participation, (iv)integrity/security, (v)enforcement/redress
} Collection not addressed
} APEC privacy framework
} Similar to OECD guidelines
Cyber Security and Privacy
MS6880

Privacy: The Indian way

Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
”No person in the country may be deprived of his
life or personal liberty except according to
procedure established by law”

(Article 21, Constitution of India)

Privacy in India: A quick glance
} British enacts the Indian Telegraph Act 1885
} Post the first war of independence (Indian mutiny), 1857–59
} Provided interceptive powers to government
} Post independence, Indian Govt instituted Post and Telegraph
(P&T), a department under its control
} Article 21 and the telegraph act continued together
} Telegraph act amended in 1972 to include the threat of
"incitement of offences"
} Wire tapping during emergency period legitimized by the amendment
} In 2018 SC declares privacy as a fundamental right
} Context: Aadhar act and government as a major data fiduciary
} Government proposes Personal Data Protection (PDP) Bill
alongside GDPR; drops it in 2022
} Proposes Digital Personal Data Protection (DPDT, 2022) Bill
In 2012, K S Puttaswamy, retired judge of Karnataka High
Court challenged Aaadhar in Supreme court trough a writ
petition
The right to be

} The right to privacy is a fundamental right. It is a right

which protects the inner sphere of the individual from
interference from both State, and non-State actors and allows
the individuals to make autonomous life choices.
The Supreme Court, August 24, 2017

} Then how can the government ask me to share my

biometric data to receive government benefits?
Nothing absolute
} "no person in the country may be deprived of his life or
personal liberty except according to procedure established by
law” (Article 21)
} An invasion of life or personal liberty must meet the
three-fold requirement of (i) legality, which postulates the
existence of law; (ii) need, defined in terms of a legitimate
state aim; and (iii) proportionality which ensures a
rational nexus between the objects and the means
adopted to achieve them;
} Is Aadhar according to the procedure established by the
law?
In the beginning
} Identity problem
} Obtaining an identity in India required one to produce another
identity
} 59% of Indians don’t have a birth certificate
} ID prohibited the poor from access to formal banking system
} Enabled corruption:
} When government gives 1 rupee, only 17 paisa reaches the intended
recipient (Rajiv Gandhi)
} Leakage of benefits
} The Aadhaar Act, 2016 states, "Every resident shall be entitled to obtain an aadhaar
number by submitting his demographic information and biometric information by
undergoing the process of enrolment."

The Act further defines residency as, "An individual who has resided in India for a
period or periods amounting in all to 182 days or more in the 12 months
immediately preceding the date of application for enrolment."
 Rebooting India*
} Other IDs function oriented,
not universal
} Aadhar not specific
to a function
} Not a substitute for passport

*Nandan Nilekani and Viral Shah, “Rebooting

India”, Penguin,2015
12 digits
} “Digital inclusion”
} World’s largest id system
} Uniqueness ensured
through 700 mn bn
comparisons
} Built as a platform
Being Machiavellian
It must be considered that there is nothing more difficult to carry
out, nor more doubtful of success, nor more dangerous to handle,
than to initiate a new order of things

--- Niccolo Machiavelli, The prince (1532)

(~ Chanakya, Arthashastra)
Aadhar security for privacy
‘Aadhaar biometric data is 100% secure’
“There is “ten foot wall” to protect Aadhaar data!”
---India’s cybersecurity chief, Gulshan Rai
Aadhar data architecture

AUA: Authentication User

Agency
ASA: Authentication Service
Agency
CIDR: Central Identities
Data Repository
Criticisms
} The government made Aadhaar essential (and then
relaxed) for all services including tax returns, opening
bank accounts and securing loans, pensions and cash
transfers for those entitled to welfare schemes.
} Critics say the Aadhaar identity card links enough data to
allow profiling because it creates a comprehensive profile
of a person's spending habits, their friends and
acquaintances, the property they own, and a trove of
other information.
} There are also fears the data could be misused by a
government that argues Indians have no right to privacy.
} Limitations of biometric, bald ridges
India Towards Privacy Regulation:
The Personal Data Protection (PDP) Bill
} MeitY Commissioned Justice B N Sri Krishna Commission
to propose a bill on personal data protection in July 2017
} TOR: “To unlock the data economy, while keeping data of
citizens secure and protected.”
} Recognizes the transformative potential of the digital
economy to improve lives in India and elsewhere
} The committee submitted the draft Personal Data
Protection (PDP) Bill in July 2018
} Cleared by the Union Cabinet Dec 2019
} Parliament referred it to a JPC in Dec 2019
} Government scraps the bill and proposes an alternative bill
(2022)
Stakeholders of personal data

“Data principal" “Data fiduciary" “Data processor"

DPDP Bill, 2022
} The latest draft of the data protection law — the Digital
Personal Data Protection Bill, 2022 (DPDP Bill, 2022) —
has now been made open for public comments.
} Out of the 22 clauses in the DPDP Bill, the Central
government has been provided with rule making power in
around 14 clauses.
A quick comparison
} Detailed PDP (14 chapters, 56 pages) vs concise DPDP (6
chapters, 24 pages)
} Addresses only personally identifiable data; non-personal
data data not addressed
} The right to be forgotten now under the right to erasure
} Right to be forgotten covers consent for data sharing
} Penalties much higher in DPDP, cap at ₹500 crore; penalty
applies to data principals also
} Dropped three tier classification of data in PDP (personal
data, critical personal data and sensitive personal data)
} In PDP the last two must be stored in India
Data localization
} Data localization means data about the citizens of a
country to be collected, processed, and/or stored inside
the country, often before being transferred internationally.
Also known as data residency/data sovereignty.

} How does this affect different stakeholders?

Cyber Security and Privacy
MS6880

Contingency Planning
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
IT project at IVK
} The IT department of IVK proposed an upgrade of their
security infrastructure

} The steering committee responsible for prioritizing IT projects

of IVK rejected the proposal for two consecutive years

} Reason: No ROI
Security a low priority?
} Tangible drove out the significant!
} Poor articulation by IT dept
} Prioritization process issue
} Selective, convenient, political
Planning
} Planning is creating action steps toward goals and
then controlling them
} Provides direction for the organization’s future
} Allows managing resources
} Optimizes the use of the resources
} Coordinates the effort of independent organizational units

4
Security in planning
This nation should dedicate itself to
achieving the goal, before this decade
is out, of landing a man on the moon
and returning him safely to Earth.

--JFK: May 25,1961

5
Information security planning
Threats, Attack, Vulnerability, Risk
Precursors to planning
} Value Statement
Integrity, honesty, passion, and respectfulness are significant parts of
Microsoft’s corporate philosophy

} Vision Statement
A personal computer in every home running Microsoft software ([old]

} Mission Statement
Organize the world's information and make it universally accessible
and useful. [Google]
 Top-down strategic planning

Providing the highest quality

healthcare service in the industry
Strategic planning: Five or Providing high-level healthcare
more year focus info service in support of the
highest qual..
Tactical planning: One to
three year focus Ensuring that quality healthcare info
services are provided securely and
Operational planning in compliance with all local, state,
organizes ongoing,
day-to-day and national info processing, info
performance of tasks security and privacy regulations.

9
CISO job description

} Creates strategic information security plan with a vision

for the future of information security
} Understands fundamental business activities performed by
the company
} Suggests appropriate information security solutions that uniquely
protect these activities
} Improves status of information security by developing
} action plans
} schedules
} budgets
} status reports
} top management communications

10
What is contingency planning (CP)?
} The overall planning for unexpected events is called
contingency planning (CP).
} It is how organizational planners position their
organizations to prepare for, detect, react to, and recover
from events that threaten the security of information
resources and assets
} Main goal: restoration to normal modes of operation with
minimum cost and disruption to normal business
activities after an unexpected event
} Contingency Plan Management Committee (CPMT)
typically oversees the process

} Key open resource: Contingency planning guide for Federal information systems, NIST
Components of CP
Incident response planning (IRP) focuses on immediate
response

Disaster recovery planning (DRP) focuses on restoring

operations at the primary site after disasters occur

Business continuity planning (BCP) facilitates establishment

of operations at an alternate site
Business Impact
Analysis (BIA)
Business processes and recovery criticality
BIA starts with prioritization of business processes
} Assembly line restoration vs recruitment process
} BIA questionnaire, experts, senior management
} Maximum Tolerable Downtime (MTD):
} The total amount of time the system owner/authorizing official is willing
to accept for a mission/business process outage..
} Recovery Time Objective (RTO):
} The max amount of time that a system resource can remain unavailable
before there is an unacceptable impact on other system resources, other
business processes and MTD
} Work Recovery Time (WRT):
} The amount of effort (time) required to make business function after
technology is recovered, with tasks such a testing and validation
MTD = RTO+WRT
} Recovery Point Objective (RPO):
} The point in time prior to disruption, to which business process data can
be recovered upto, for a given backup
 Recovery time lines

Ref: https://networksandservers.blogspot.com/2011/02/high-availability-terminology-ii.html
BIA process
Cost balancing
 Contingency plan implementation

In general, an incident is a disaster when:

17 the impact of an incident OR
• organization is unable to contain or control
• level of damage or destruction from incident is so severe, the organization is unable to quickly recover
Incident Response Plan
} IRP:

} Detailed set of processes and procedures that anticipate,

detect, and mitigate the impact of an unexpected event that
might compromise information resources and assets

} Incident response (IR):

} Set of procedures that commence when an incident is

detected

18
Incident Response Plan (Contd.)
} When a threat becomes a valid attack, it is classified as an
information security incident if:
} It is directed against information assets

} It has a realistic chance of success

} It threatens the confidentiality, integrity, or availability of

information assets

} It is important to understand that IR is a reactive

measure, not a preventative one
Before the Incident
} Planners draft a third set of procedures, those tasks that
must be performed in advance of the incident
} Include:
} Details of data backup schedules
} Disaster recovery preparation
} Training schedules
} Testing plans
} Copies of service agreements
} Business continuity plans
During the Incident
} Planners develop and document the procedures that must
be performed during the incident

} These procedures are grouped and assigned to various

roles

} Planning committee drafts a set of function-specific

procedures
After the Incident
} Once the procedures for handling an incident are drafted,
planners develop and document the procedures that must
be performed immediately after the incident has ceased

} Separate functional areas may develop different

procedures
Incident detection
} Challenge is determining whether an event is routine
system use or an actual incident
} Incident classification: process of examining a possible
incident and determining whether or not it constitutes
actual incident
} Initial reports from end users, intrusion detection systems,
host- and network-based virus detection software, and
systems administrators are all ways to track and detect
incident candidates
} Careful training allows everyone to relay vital information
to the IR team
 Incident indicators*

} Possible Indicators } Definite Indicators

} Presence of unfamiliar files } Use of dormant accounts
} Presence or execution of } Changes to logs
unknown programs or processes } Presence of hacker tools
} Unusual consumption of } Notifications by partner or
computing resources peer
} Unusual system crashes } Notification by hacker
} Probable Indicators
} Activities at unexpected times
} Presence of new accounts
} Reported attacks
} Notification from IDS

*Pipkin, Donald, Information Security,: Protecting the global enterprise, Prentice Hall, 2000
24
Incident response
} Once an actual incident has been confirmed and properly
classified, the IR team moves from detection phase to
reaction phase

} In the incident response phase, a number of action steps

taken by the IR team and others must occur quickly and
may occur concurrently

} These steps include notification of key personnel, the

assignment of tasks, and documentation of the incident

25
Notification of key personnel
} As soon as incident is declared, the right people must be
immediately notified in the right order
} Alert roster: document containing contact information of
individuals to be notified in the event of actual incident
either sequentially or hierarchically
} Alert message: scripted description of incident
} Other key personnel: must also be notified only after
incident has been confirmed, but before media or other
external sources learn of it

26
Documenting an incident
} As soon as an incident has been confirmed and the
notification process is underway, the team should begin
documentation
} Should record the who, what, when, where, why and how of
each action taken while the incident is occurring
} Serves as a case study after the fact to determine if right
actions were taken and if they were effective
} Can also prove the organization did everything possible to
deter the spread of the incident

27
Example of
IRP
Incident escalation
} An incident may increase in scope or severity to the point
that the IRP cannot adequately contain the incident

} Each organization will have to determine, during the

business impact analysis, the point at which the incident
becomes a disaster

} The organization must also document when to involve

outside response

29
After Action Review
} Before returning to routine duties, the IR team must
conduct an after-action review, or AAR

} AAR: detailed examination of events that occurred

} All team members:

} Review their actions during the incident

} Identify areas where the IR plan worked, didn’t work, or should

improve

30
Law enforcement involvement
} When incident violates civil or criminal law, it is
organization’s responsibility to notify proper authorities
} Selecting appropriate law enforcement agency depends on
the type of crime committed: Federal, State, or Local
} Involving law enforcement has both advantages and
disadvantages:
} Usually much better equipped at processing evidence,
obtaining statements from witnesses, and building legal cases
} However, involvement can result in loss of control of chain of
events following an incident

31
 Disaster Recovery

} Disaster recovery planning (DRP) is the preparation for and

recovery from a disaster, whether natural or man made
} In general, an incident is a disaster when:
} organization is unable to contain or control the impact of an
incident
OR
} level of damage or destruction from incident is so severe, the
organization is unable to quickly recover
} Key role of DRP: defining how to reestablish operations at
location where organization is usually located

32
Disaster Classifications
} A DRP can classify disasters in a number of ways

} Most common method: separate natural disasters from

man-made disasters

} Another way: by speed of development

} Rapid onset disasters

} Slow onset disasters

33
Crisis management
} Crisis management: set of focused steps taken during and
after a disaster that deal primarily with people involved
} Crisis management team manages event:
} Supporting personnel and their loved ones during crisis
} Determining event's impact on normal business operations
} When necessary, making a disaster declaration
} Keeping public informed about event
} Communicating with outside parties
} Two key tasks of crisis management team:
} Verifying personnel status
} Activating alert roster

34
Business Continuity Planning (BCP)
} BCP
} Ensures critical business functions can continue in a disaster
} Most properly managed by CEO of organization
} Activated and executed concurrently with the DRP when
needed
} Reestablishes critical functions at alternate site (DRP focuses
on reestablishment at primary site)
} Relies on identification of critical business functions and the
resources to support them

35
 Continuity strategies
} Several continuity strategies for business continuity
} Determining factor is usually cost
} Three exclusive-use options:
} Hot sites
} Warm sites
} Cold sites
} Three shared-use options:
} Timeshare
} Service bureaus
} Mutual agreements

Management
36 of Information Security
Exclusive Use Options
} Hot Sites
} Fully configured computer facility with all services

} Warm Sites
} Like hot site, but software applications not kept fully prepared
} Cold Sites
} Only rudimentary services and facilities kept in readiness

37
Shared use options
} Timeshares
} Like an exclusive use site but leased
} Service Bureaus
} Agency that provides physical facilities
} Mutual Agreements
} Contract between two organizations to assist
} Specialized alternatives:
} Rolling mobile site
} Externally stored resources

Management
38 of Information Security
Off-site disaster data storage
} To get any BCP site running quickly, organization must be
able to recover data
} Options include:
} Electronic vaulting: bulk batch-transfer of data to an off-site
facility
} Remote Journaling: transfer of live transactions to an off-site
facility
} Database shadowing: storage of duplicate online transaction
data

39
Testing Contingency Plans
} Once problems are identified during the testing process,
improvements can be made, and the resulting plan can be
relied on in times of need
} There are five testing strategies that can be used to test
contingency plans:
} Desk Check
} Structured walkthrough
} Simulation
} Parallel testing
} Full interruption
} https://danielmiessler.com/study/red-blue-purple-teams/

Management
40 of Information Security
Risk management
Defense
Applying safeguards to to eliminate or reduce residual risks
Transferal
Shifting risk to other areas or outside agencies
Mitigation
Reducing the impact in the event of an attack (CP)
Acceptance
Understanding the consequences of choosing to leave a risk
uncontrolled
Termination
Removing or disconnecting
Related terminologies
Justifying controls
Before implementing one of the control strategies for a
specific vulnerability, the organization must explore all
consequences of vulnerability to information asset.
Several ways to determine the advantages/disadvantages
of a specific control
Items that affect cost of a control or safeguard include
cost of development or acquisition, training fees,
implementation cost, service costs, and cost of
maintenance.
Justifying controls (cont’d)
Asset valuation involves estimating real/perceived costs
associated with design, development, installation,
maintenance, protection, recovery, and defense against
loss/litigation.
Process result is the estimate of potential loss per risk.
Expected loss per risk stated in the following equation:
Annualized loss expectancy (ALE) =
single loss expectancy (SLE) ×
annualized rate of occurrence (ARO)
SLE [Loss magnitude] = asset value × exposure factor (EF)
The cost-benefit analysis (CBA)
CBA determines if an alternative being evaluated is worth
the cost incurred to control vulnerability.
The CBA is most easily calculated using the ALE from earlier
assessments, before implementation of the proposed control:
CBA = ALE(prior) – (ALE(post) + ACS)
ALE(prior) is the annualized loss expectancy of risk before
implementation of control.
ALE(post) is the estimated ALE based on control being in place
for a period of time.
ACS is the annualized cost of the safeguard.
Implementation, monitoring, and
assessment of risk controls
The selection of the control strategy is not the end of a
process.
Strategy and accompanying controls must be
implemented and monitored on ongoing basis to
determine effectiveness and accurately calculate the
estimated residual risk.
Process continues as long as the organization continues
to function.
 Cyber security technologies
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INSTITUTE OF TECHNOLOGY MADRAS
Technology: Boon or a curse?
Access control
Access control, key to Confidentiality and Integrity
Enabled through policies, and technologies
IAAA for access control
Identification
Authentication
Authorization
Accountability
IAAA for access control
Identification
Get your ID
Authentication
Something you know (password, passphrase, OTP)
Something you have (smart card)
Something you are (fingerprints, retina and iris scans)
Something you produce (voice, signature)
 Evaluating biometrics
Cross Over Error Rate (CER)
FAR: False Acceptance Rate
FAR high: FP, TP high, FN low
FRR: False Rejection Rate
FRR high: FP, TP low, FN high
@CER: FAR=FRR
Widely used in comparison of
biometric devices
What is a desirable CER for
user authentication?
Mostly used biometrics:
Fingerprints,
Retina (blood vessel pattern) and
Iris (random patterns of freckles, pits, striations, vasculature and coronas)
Firewalls
Prevent specific types of information from moving between
the outside world (untrusted network) and the inside world
(trusted network);
Cryptography
Encryption is the process of converting an original message
into a form that cannot be understood by unauthorized
individuals
Ensures confidentiality, integrity and non-repudiation
Cryptology: the science of encryption
Cryptography [kryptos-graphein (hidden writing)] processes involved in
encoding and decoding messages so that others cannot understand them

Slide 13
Related terms
Plaintext can be encrypted using an algorithm
Bit stream: plaintext bit transformed into cipher bit one bit at a time
Block cipher: message divided into blocks (e.g., sets of 8- or 16-bit
blocks) and each is transformed into encrypted block of cipher bits
Cipher: the transformation of the individual components
(characters, bytes, or bits) of an unencrypted message into
encrypted components
Ciphertext or cryptogram: the unintelligible encrypted or
encoded message resulting from an encryption
Decipher: to decrypt or convert ciphertext to plaintext
Key: the information used in conjunction with the algorithm to
create the ciphertext from the plaintext
Symmetric key encryption

A cryptography system in which both parties have the

same encryption key, as in secret key cryptography.
Asymmetric key encryption
Digital Signature, and certificates
When the asymmetric process is reversed—the private
key encrypts a (usually short) message, and the public key
decrypts it—the fact that the message was sent by the
organization that owns the private key cannot be refuted
This nonrepudiation is the foundation of digital signatures
Digital signatures are encrypted messages that are
independently verified by a central facility as authentic
A digital certificate is an electronic document, similar to a
digital signature, attached to a file certifying that the file is
from the organization it claims to be from and has not
been modified from the original format
A certificate authority (CA) is an agency that manages the
issuance of certificates and serves as the electronic
notary public to verifySlide
their
17
origin and integrity
SSL Digital Certificate
Common(basic) ciphers
In encryption, the most commonly used algorithms
include three functions: substitution, transposition, and
XOR
In a substitution cipher, you substitute one value for
another
A monoalphabetic substitution uses only one alphabet
A polyalphabetic substitution uses two or more alphabets

PHHW PH DIWHU WKH WRJD SDUWB

What did Caesar tell his Commander?

Slide 19
Substitution cipher
Substitute one value for another
Monoalphabetic substitution uses only one alphabet
Polyalphabetic substitution uses two or more alphabets
Example (Caesar cypher):
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
c = E(p) = (p + k) mod (26)
p = D(c) = (c – k) mod (26)
Vigenere cipher (Tabula recta)

Find the cipher text for DOMS using poly alphabetic substitution
Use IITM as the key and encode DOMS
Tabula recta

DOM S
I I T M
Transposition cipher
Keys: 8-3, 7-6, 6-2, 5-7, 4-5, 3-1, 2-8, 1-4
Exclusive OR
Truth table

Message (binary): 00110101 01000101

Key: 01010101 01010101
Cipher text: 01100000 00010000

Easy to break, used along with other methods

Block chains
Ensures confidentiality through encryption and integrity
through hashing
Hash functions are mathematical algorithms that generate
message summary/digest (hash value) to confirm message
identity and confirm no content has changed
Properties such as hiding, collision resistance helps block
chains make transactions permanent
Implemented as linked lists
Cyber Security and Privacy
MS6880

Cybersecurity policy
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
Policy influences progress
} India’s policy landmarks
} Industrial policy: 1949
} Entry of foreign players restricted:1972
} New Computer Policy:1984
} Policy on Computer Software Export, Development, and
Training: 1986
} Software Technology Park (STP): 1990
} Economic liberalization: 1991
Policy influences behavior

Source: Richard Heeks,

https://ict4dblog.wordpress.com/author/richardheeks/page/4/
Policy influences individual behavior
(Moody et al., 2018)
Introduction
} Policy is the essential foundation of an effective
information security program
} Some basic rules must be followed when shaping a policy:
} Never conflict with law
} Stand up in court
} Properly supported and administered
} Contribute to the success of the organization
} Involve end users of information systems
}

Slide 5
 The Bulls-eye Model

Policies are important reference documents for internal audits and for the resolution of
legal disputes about management's due diligence, and policy documents can act as a
clear statement of management's intent
Slide 6
 Policies, Standards, & Practices

Policy is a plan or course of action that

influences and determine decisions

Standards are a more detailed statement

of what must be done to comply with policy
practices

Procedures and guidelines explain how

employees will comply with policy

Policy must be properly disseminated, read, understood, and agreed-to

Security Education Training Awareness (SETA)
Policy, Standards, and Practices
} Policies require constant modification and maintenance
} In order to produce a complete information security
policy, management must define three types of
information security policy:

1. Enterprise information security program policy (EISP)

2. Issue-specific information security policies (ISSP)

3. Systems-specific information security policies (SysSP)

Slide 8
Enterprise Information Security Policy
(EISP)
} Sets strategic direction, scope, and tone for organization’s
security efforts
} Assigns responsibilities for various areas of information
security
} Guides development, implementation, and management
requirements of information security program

Slide 9
Components of the EISP
} Statement of Purpose - What the policy is for
} Information Technology Security Elements - Defines
information security
} Need for Information Technology Security - Justifies
importance of information security in the organization
} Information Technology Security Responsibilities and
Roles - Defines organizational structure
} References Information Technology standards and
guidelines

Slide 10
Issue-Specific Security Policy (ISSP)
} Provides detailed, targeted guidance to instruct the
organization in secure use of technology systems, and
begins with introduction to fundamental technological
philosophy of the organization
} Documents how the technology-based system is
controlled; and identifies the processes and authorities
that provide this control
} ISSP requires frequent updates
} Serves to indemnify the organization against liability for an
employee’s inappropriate or illegal system use
ISSP issues/topics
} Contains a statement on the organization’s position on an
issue
} ISSP topics could include:
} electronic mail,
} use of the Internet and the World Wide Web,
} specific minimum configurations of computers to defend
against worms and viruses,
} prohibitions against hacking or testing organization security
controls,
} home use of company-owned computer equipment,
} use of personal equipment on company networks,
} use of telecommunications technologies

Slide 12
Components of the ISSP
} Statement of purpose
} Scope and applicability
} Definition of technology addressed
} Responsibilities
} Authorized access and usage of equipment
} User access
} Fair and responsible use
} Protection of privacy

Slide 13
Components of the ISSP (contd)
} Prohibited usage of equipment
} Disruptive use or misuse
} Criminal use
} Offensive or harassing materials
} Copyrighted, licensed, or other intellectual property
} Other restrictions
} Systems management
} Management of stored materials
} Employer monitoring
} Virus protection
} Physical security
} Encryption

Slide 14
Components of the ISSP (contd)
} Violations of policy
} Procedures for reporting violations
} Penalties for violations
} Policy review and modification
} Scheduled review of policy and procedures for modification
} Limitations of liability
} Statements of liability or disclaimers

Slide 15
Systems-Specific Policy (SysSP)
} Systems-specific policies (SysSPs) are created to function
as standards or procedures to be used when configuring
or maintaining systems
} SysSPs can be separated into:
} Management guidance
} Eg: How to configure a firewall
} Technical specifications
} Eg.: Configuration of the firewall
Management Guidance SysSPs
} Created by management to guide the implementation and
configuration of technology
} Applies to any technology that affects the confidentiality,
integrity or availability of information
} Informs technologists on management’s intent

Slide 17
Technical Specifications SysSPs
} System administrator’s directions on implementing
managerial policy
} Each type of equipment has its own type of policies
} There are two general methods of implementing such
technical controls:
} Access control lists
} Configuration rules

Slide 18
Access Control Lists
} Include the user access lists, matrices, and capability tables
that govern the rights and privileges
} A similar method that specifies which subjects and
objects users or groups can access is called a capability
table
} These specifications are frequently complex matrices,
rather than simple lists or tables
} In general, ACLs enable administrations to restrict access
according to user, computer, time, duration, or even a
particular file

Slide 19
ACLs
} In general, ACLs regulate:
} Who can use the system
} What authorized users can access
} When authorized users can access the system
} Where authorized users can access the system from
} How authorized users can access the system
} Restricting what users can access, e.g., printers, files,
communications, and applications

} Set privileges of Read, Write, Create, Modify, Delete, Compare

and Copy

Slide 20
Windows XP ACLs

Slide 21
Configuration Rules
} Configuration rules are the specific configuration codes
entered into security systems to guide the execution of
the system when information is passing through it
} Rule policies are more specific to the operation of a
system than ACLs, and may or may not deal with users
directly
} Many security systems require specific configuration
scripts telling the systems what actions to perform on
each set of information they process

Slide 22
Firewall Configuration Rules

Slide 23
IDS Configuration Rules

Slide 24
Design elements (cont.)
} SETA – Security education, training and awareness
program contains
} Security education
} Security training
} Security awareness
} Purpose
} Improving awareness
} Developing skills & knowledge
} Building in-depth knowledge

25
Cybersecurity : Threats & Solutions
Industry Perspective.
It begins.
• “The only system which is truly secure is one which is switched
off and unplugged, locked in a titanium safe, buried in a
concrete bunker, and is surrounded by nerve gas and very
highly paid armed guards. Even then, I wouldn’t stake my life on
it.”
Professor Gene Spafford
Cyber Security : Definition
• Cyber security is the body of technologies, processes and practices
involved in protecting individuals and organizations from cyber crime
and now cyber warfare.
• It is designed to protect integrity of networks, computers, programs
and data from attack, damage or unauthorized access
• There are five key principles in cyber security:
• Confidentiality
More popular triad of
• Integrity Cybersecurity.
• Availability
• Accountability
• Auditability
Scope of Cybersecurity.
First Cyber attack (1982) !
 Concepts of
Cyber Security
Basics to Intermediate users.
Introduction to Concepts : Cyber Security
• General Concepts
• Operating Systems
• Cryptography
• Networking Concepts
• OSI Model
• Packets & Protocols
• Firewalls
• Design of a Simple Network
• Connecting to Network
• Security Concepts
• CIA Triad
• Cyber Operational Concepts & Terms.
• Workshop & Discussion
• QBOT : Execution
• QBOT : Analysis
Operating Systems.
Rings for all.

Operating System has multi-

layered defense systems
internally enforced.
Cryptography: PKI Basics.
Cryptography : Hash function.

• One sided computation is

fast.
• Reversing is nearly
impossible.
Actual Design of a SHA 256.
Introduction to Concepts : Cyber Security
• General Concepts
• Operating Systems
• Cryptography
• Networking Concepts
• OSI Model
• Packets & Protocols
• Firewalls
• Design of a Simple Network
• Security Concepts
• CIA Triad
• Connecting to Network
• Cyber Operational Concepts & Terms.
• Workshop & Discussion
• QBOT : Execution
• QBOT : Analysis
OSI Model : Network Layers.
Network Packets.

IP Packet TCP Packet

Access Controls.

Security Checks.

Largely implemented through Lists.

Identity and Access Management Solutions

cover this issue.
• LDAP
• Kerberos
• Radius Server
Firewalls.
Packet Filtering Router : Basic Firewall.
Regular Corporate Networks
Connecting from Outside.

2
VPN – Virtual Private Network
VPN : Connecting Two Networks
Introduction to Concepts : Cyber Security
• General Concepts
• Operating Systems
• Cryptography
• Networking Concepts
• OSI Model
• Packets & Protocols
• Firewalls
• Design of a Simple Network
• Connecting to Network
• Security Concepts
• CIA Triad
• Cyber Operational Concepts & Terms.
• Workshop & Discussion
• QBOT : Execution
• QBOT : Analysis
Cyber Attack : Phases.
General Information Collection strategies.
Untargeted Attacks
Focussed Information Collection.

Targeted Attacks
Basic Concepts
• Confidentiality
• Keeping data hidden for unauthorized users.
• Example : Encryption.
• Integrity
• Accuracy and completeness of the data.
• Example : Hash matches & Checksums
• Availability
• Being able to access the data when required.
• Example: Denial of Service Attacks
Common Terminologies.
● Malware.
● Remote Administration Tools (RATs)
● Trojans.
● KeyLogger.
● Ransomware.
● Social Engineering
● Phishing & Spear Phishing.
● Command & Control (C2)
● “Man in the Middle” (MitM) attack.
● Denial of Service attack
● Distributed Denial of Service Attack (DDoS).
Concepts of Ethical Hacking.

• Scanning
• Vulnerability
• Exploit
• Payload
Remote Administration Tool.
• Multiple Options.
• Commercial Tools (Misused)
• Ammy Admin
• Team Viewer
• AnyDesk
• Professional & Open Source
• Puppy RAT
• Qrat
• Professional & Licensed
• DarkComet
• Atom Logger (See Screen.)

$14.95 USD only.

Post-Covid use of Key Loggers.
Command & Control Panels.

Panel for seeing Victims : Command & Control.

Supply Sources.

India also has a vibrant dark web market.

Increased Attack
Surface. Case Study on Alexa and Smart Home Hack Investigation By Saptang Labs
Evaluation of the QBOT Trojan.
QBOT Trojan
Analysis of the Malware.
What is a Cyber Attack?
• A cyber-attack is any attempt to gain unauthorized access to a
computer, computing system or computer network with the intent to
cause damage.

Hackers APT Groups

Aim for Financial Gains, Notorious activities. Aims to gain access to critical infrastructure for
information
Example: Compromising Bank Account, A - Advanced
Defacement. P - Persistence
T - Threat

Example: Corona Virus Vaccination Development

Motive of an APT Group
• Steal Data
• Adversaries Development
• Intelligence
• To Plan Future Action
• Disrupt the operations
• Economic Loss
• Destroy the infrastructure
• Business Continuation
 Top Cyber-Attack trends

Malware (short for “malicious software”) is a file or

code, typically delivered over a network, that infects,
explores, steals or conducts virtually any behavior an
attacker wants. ... Investigate the infected user's local
network. Steal sensitive data.
SideCopy : An APT Group.
• Operation SideCopy is active from early
2019, till date with Chinese help.
• This cyber-operation has been only targeting
Indian defense forces and armed forces
personnel.
• Malware modules seen are constantly under
development and updated modules are
released after a reconnaissance of victim
data.
• Actors are keeping track of malware
detections and updating modules when
detected by AV.
• This threat actor is misleading the security
community by copying TTPs that point at
Sidewinder APT group.
 Cobalt Cybercrime Gang

Lazarus Group

MageCart Syndicate

Some of the Evil Corp

GozNym Gang
Organised DarkSide
Crime Groups. REvil

Clop

Lapsus$

FIN7
Lapsus$
• Lapsus$, stylised as LAPSUS$ and classified by Microsoft as DEV-0537, is an international
extortion-focused hacker group known for its various cyberattacks against companies
and government agencies
• In March 2022, Lapsus$ gained notoriety for a series of cyberattacks against large tech
companies, including Microsoft, Nvidia and Samsung
• Following these attacks, the City of London Police announced that it had made seven
arrests in connection to a police investigation into Lapsus$.
• Although the group had been considered inactive by April 2022, the group is believed to
have re-emerged in September 2022 with a series of data breaches against various large
companies through a similar attack vector, including Uber and Rockstar.
 Russia Ukraine Cyberwarfare
• During the prelude to the 2022 Russian invasion and even during the invasion multiple cyberattacks against Ukraine were
recorded, as well as some attacks on Russia.

• The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine
government websites

• According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of
Ministers, and the Security and Defense Council, were attacked. Most of the sites were restored within hours of the attack

• On 15 February 2022, a large DDoS attack brought down the websites of the defense ministry, army, and Ukraine's two
largest banks, PrivatBank and Oschadbank .Cybersecurity monitor Netblocks reported that the attack intensified over the
course of the day, also affecting mobile apps and ATMS of the banks

• Independent hacker groups, such as Anonymous, have launched cyberattacks on Russia in retaliation for the invasion
 Russia Ukraine Cyberwarfare
• Beginning on 6 March, Russia began to significantly increase the frequency of its cyber-attacks against Ukrainian
civilians.
• On 9 March alone, the Quad9 malware-blocking recursive resolver intercepted and mitigated 4.6 million attacks
against computers and phones in Ukraine and Poland, at a rate more than ten times higher than the European
average.
Introduction to Securing
Institutions.
Cyber Attack of accident?
What is Critical information infrastructure?

• “Critical Information Infrastructure (CII) is defined as those facilities,

systems or functions whose incapacity or destruction would cause a
debilitating impact on national security, governance, economy and
social well-being of a nation”

Information Technology Act as amended in 2014.

 What are Critical sectors?
• Power & Energy
• Banking, Financial Services &
Insurance
• Telecom
• Transport
• Government
• Strategic & Public Enterprises
 QUICK STUDY OF RECENT ATTACKS
Sno Cyber Attack Possible Espionage Objectives Possible Warfare Objectives
Monitor Movements & Visits of Diplomats and
1 Air India Logistics, Public Morale, Economic Loss.
Senior Functionaries
Monitor Financial & Economic health of the Supply Chain Attack on the Banking
2 Nucleus Software
country infrastructure possible.
Track and compromise - surgical cyber strikes
3 Dominos and UpStox Personal Details of Whos Who leaked.
on specific personnel.
Disrupt and destory - reputation as pharma
4 SII and Bharat Bio-tech Steal IPR to improve their vaccine. power, morale of people, economy and
recovery from pandemic.
Monitor Financial & Economic health of the Track and compromise - surgical cyber strikes
5 Mobikwik
country on specific personnel.
Personal Details of Who-is-Who in JK for cyber
Airtel - J&K (Airtel Track and compromise - surgical cyber strikes
6 ops -- imagine impact with widespread Chinese
Denied.) on specific personnel.
Mobile Phones - Resolve identities.
Monitor Financial & Economic health of the Track and compromise - surgical cyber strikes
7 JusPay
country on specific personnel.
Track and compromise - surgical cyber strikes
8 Bigbasket Personal Details of Whos Who leaked.
on specific personnel.
 QUICK STUDY OF RECENT ATTACKS
Sno Cyber Attack Possible Espionage Objectives Possible Warfare Objectives
Disrupt and destory - reputation as pharma power,
9 Dr Reddy Laboratories Steal IPR to improve their vaccine. morale of people, economy and recovery from
pandemic.

Disrupt and destory - confidence in Govt, morale of

10 Tata Power - Mumbai Demonstrate Capability to see our response.
people, economy and recovery from pandemic.

Monitor Military and Frieght Movement Joint Operation with Pakistan - Possible human
11 Indian Railways
(Northern Railways) element involved.
Create psychological impact on youth - as a country
12 Unacademy Understanding preferences of youth.
which is weak and vulnerable.

Kudankulam Nuclear Steal IPR and monitor the possible production of Triggering an accident - could be devastating in our
13
Power Plant fissile material - an idea on Nuclear Capabilities. country.

Create psychological impact on youth, world - as a

Monitor our moon program and steal sensitive
14 ISRO country which is incompetent, weak and
data on payloads.
vulnerable.
Helps companies in customising sales strategies
15 Healthcare Data Leaked Not much.
for Indian Market.
Mumbai Power Grid Attack
• Industrial Sector – Power Grid
• Threat Source - Adversarial/ Nation - State
• Attack Motivation - Sabotage /
Reputational
• Attack Scope - Cyber-Physical
• Attack Domain - Software/Hardware/
Communications/ Supply Chain
• Attack Mechanism - Manipulate System
Resource
Inject Unexcepted Items
• Attack Type - Active
• Targeted Principle - Integrity
 What is (NCIIPC) ?

● National Critical Information Infrastructure

Protection Centre (NCIIPC) is an
organisation of the Government of India
created under Sec 70A of the Information "To take all necessary measures to facilitate protection of
Technology Act, 2000 (amended 2008), Critical Information Infrastructure, from unauthorized
through a gazette notification on 16
January 2014. access, modification, use, disclosure, disruption,
incapacitation or distraction through coherent coordination,
● It is based in New Delhi, India.
synergy and raising information security awareness among
● It is designated as the National Nodal all stakeholders. “
Agency in respect of Critical Information * Notifies - Protected System.
Infrastructure Protection.
* Issues - Audit Guidelines
● It is a unit of the National Technical
Research Organisation (NTRO).
Critical infrastructures
Lack of CLARITY.
• Multiple Players attempting to regulate.
• Stakeholders are totally confused on whose directions
to implement.
• Precious resources are divided between the various
government departments.
• Botnet cleaning center appears to be a preventive job.
• NCCC monitors the networks of CIIs.
• NIC & Telecom Departments have their critical role in
CIIP.
• Standardisation teams exist for each agency
separately.
• STQC exists and largely covers Hardware testing for
performance and not security testing.
Introduction to Securing Institutions.
• Concepts for Cyber Defense
• Concept of Critical Information Infrastructure
• Attacks on India
• Indian Regulatory Structure
• Study of Cyber Kinetic Attacks
• Framework to study attacks
• Attacks on CIIPs from World.
• Defending Institutions
• Securing the Agency
• Securing the Infrastructure
• Use of Threatintel from Cyberspace.
• Discussion : Q&A
Well known Topology to Study Attacks.
Study through Stories.
• Key Points to remember.
• Threat Source.
• Attack Motivation
• Attack Scope
• Attack Domain
• Attack Mechanism
• Attack Type
• Targeted Principle.
Automotive Sector
• Daimler Chrysler – 2012 attacked by Cyber Actors to steal the
Intellectual Property rights. Stole the credentials of the employee and
used his access to login and copy the source code.
• A computer virus was detected on the network of an automanufacturer.
Unknown attackers stole employees’ IDs and encrypted passwords after
planting a computer virus on the company’s computer systems. The company
waited a week to disclose the attack to allow time to investigate.
• The company used their own security experts in addition to a third-party
security consultant to investigate the attack. The company is still unsure
where the attack came from. The company suspects that the hackers were
attempting to steal intellectual property pertaining to the company’s hybrid
and electric vehicle drivetrains.
Maroochy Shire Sewage Spill (2000)
• Industrial Sector - Energy Industry (E)
• Threat Source - Adversarial/Outsider.
• Attack Motivation - Revenge
• Attack Scope - Cyber-Physical
• Attack Domain - Software Communications
• Attack Mechanism - Subvert Access Control
• Attack Type - Active
• Targeted Principle - Confidentiality
Kemuri Water Company Attack (2016)
• Industrial Sector - Energy Industry (E)
• Threat Source - Adversarial/ Nation - State
• Attack Motivation - Sabotage
• Attack Scope - Cyber-Physical
• Attack Domain - Software Social Engineering
• Attack Mechanism - Inject Unexcepted items
Engage in Deceptive Interactions
• Attack Type - Active
• Targeted Principle - Integrity
Crypto Mining on
(SCADA)Attack -
2018
• Industrial Sector - Energy Industry (E)
• Threat Source -
Adversarial/Group/Established
• Attack Motivation - Financial Gain
• Attack Scope - Cyber
• Attack Domain - Software
• Attack Mechanism - Inject Unexcepted Items
• Attack Type - Active
• Targeted Principle - Integrity
Riviera Beach Ransomware Atack(2019)
• Industrial Sector -Energy Industry (E)
• Threat Source - Adversarial/Group
• Attack Motivation - Financial Gain
• Attack Scope - Cyber
• Attack Domain - Software
• Attack Mechanism - Inject Unexcepted
Items
• Attack Type - Active
• Targeted Principle - Availability
Ukrainian Power Grid Attack
• Industrial Sector – Power Grid(D)
• Threat Source - Adversarial/ Nation - State
• Attack Motivation - Sabotage
• Attack Scope - Cyber-Physical
• Attack Domain - Software/Hardware/
Communications/ Supply Chain
• Attack Mechanism - Manipulate System
Resource
Inject Unexcepted Items
• Attack Type - Active
• Targeted Principle - Integrity
Gas Compressor Station Attack (2013)
• Industrial Sector - Natural compressor
stations (D)
• Threat Source - Adversarial/Outsider
• Attack Motivation - N/A
• Attack Scope - Cyber
• Attack Domain - Software
• Attack Mechanism - Employ Probabilistic
Techniques
• Attack Type - Active
• Targeted Principle - Confidentiality
Stuxnet (2009)
• Industrial Sector – Chemical Industry (C)
• Threat Source - Adversarial/ Nation - State
• Attack Motivation - Sabotage
• Attack Scope - Cyber-Physical
• Attack Domain - Software/Hardware
/Communications
• Attack Mechanism - Engage in Deceptive
Interactions/
Manipulate System Resource/Inject Unexcepted
items
• Attack Type -Active
• Targeted Principle - Integrity
Fukushima Daiichi
Nuclear Disaster
(2011)
• Industrial Sector - Chemical Industry
(C)
• Threat Source - Environmental/
Natural Disaster
• Attack Motivation - N/A
• Attack Scope - Physical
• Attack Domain - N/A
• Attack Mechanism - N/A
• Attack Type - N/A
• Targeted Principle - N/A
Saudi Aramco
Attack (2012)
• Industrial Sector – Petroleume & Natural Gas
(D)
• Threat Source -
Adversarial/Group/Established
• Attack Motivation - Political reason
• Attack Scope - Cyber
• Attack Domain - Software Supply Chain
• Attack Mechanism - Manipulate Data
Sturctures
Subvert Access Control
• Attack Type - Active
• Targeted Principle - Integrity
TRITON Attack (2017)
• Industrial Sector - Chemical Industry (C)
• Threat Source - Adversarial/ Nation - State
• Attack Motivation - Sabotage
• Attack Scope - Cyber-Physical
• Attack Domain - Software /Hardware
• Attack Mechanism - Inject Unexcepted Items
Manipulate System Resource
• Attack Type - Active
• Targeted Principle - Integrity
German Steel Mill
attack (2014)
• Industrial Sector - Chemical Industry (C)
• Threat Source -
Adversarial/Group/Copmetitor
• Attack Motivation - Theft
• Attack Scope - Cyber-Physical
• Attack Domain - Social Engineering Software
• Attack Mechanism - Inject Unexcepted Items
Manipulate System Resource
• Attack Type - Active
• Targeted Principle - Integrity
Norsk Hydro Ransomware Attack(2019)
• Industrial Sector - Chemical Industry (C)
• Threat Source - Adversarial/
Organization
• Attack Motivation - Reputation
• Attack Scope - Cyber
• Attack Domain - Software
• Attack Mechanism - Inject Unexcepted Message To Hydro By Hackeres
Items
• Attack Type - Active
• Targeted Principle - Availability
Godzilla Attack & Turn Back (2013)
• Industrial Sector – Road Transport Sector
• Threat Source - Adversarial/Individual
• Attack Motivation - Personal Entertainment
• Attack Scope - Cyber
• Attack Domain - Software
• Attack Mechanism - Subvert Access Control
• Attack Type - Active
• Targeted Principle - Integrity
TARGET Supplier Portal Attack (2012)
• Industrial Sector – Food Industry (D)
• Threat Source -
Adversarial/Group/Established
• Attack Motivation - Financial Knowledge
• Attack Scope - Cyber
• Attack Domain - Software Social Engineering
• Attack Mechanism - Inject Unexcepted Items
Subvert Access Controlls
• Attack Type - Active
• Targeted Principle - Confidentiality
Tridium Niagara Framework Attack (2012)
• Industrial Sector – Software Industry
(D)
• Threat Source - Adversarial/Individual
• Attack Motivation - N/A
• Attack Scope - Cyber
• Attack Domain - Software
• Attack Mechanism - Abuse Existing
Functionality
• Attack Type - Active
• Targeted Principle - Confidentiality
Introduction to Securing
Institutions.
What is Threat Intelligence?

• “Details of the motivations, intent, and capabilities of internal and

external threat actors. Threat intelligence includes specifics on the
tactics, techniques, and procedures of these adversaries. Threat
intelligence's primary purpose is to inform business decisions
regarding the risks and implications associated with threats.”

- Forrester
 Threat Intel for organizations

Social Media

DEEP WEB Random pieces Machine Learning Threat Identification

Threat Detection
of Data & Big Data Analytics Incident Response

DARK WEB
• Social Messaging Companies • Log Aggregation, Triage, • EDR
and Analysis • MDR
• Telecom Companies
• Data Analytics • XDR
• Internet Service Providers
• Support for Threat Hunting
• Grocery & Pizza Providers.
Framework to study the Security of Org.
 Integrity of Supply Chain.
Challenges of CIIP Vendor Security Risk & Leakages
Boundary Protection – DMZ
Smart Monitoring - Use of Machine Learning – Anomaly
detection etc.
Issues of Identification & Authentication.
Physical Access Control – Sabotage.
Interconnectedness – Risks.
Hardening of Systems – Limited Privilege.
Resource Allocation Caps.
Remote Access Permissions
Account Management
Discussion : Questions?
• Who is the Attacker?
• Internal
• External
• What is his Skill level?
• Script Kiddies
• Semiskilled
• Highly Skilled
• What is his motive?
• Espionage
• Weakening & Demoralising organization.
• Which type of attack would be used for targeting your organization?
• Focussed campaigns
• Not Focussed campaigns
• Who is the Target?
Thanks & Questions.
Block chains
Ensures confidentiality through encryption and integrity
through hashing
Hash functions are mathematical algorithms that generate
message summary/digest (hash value) to confirm message
identity and confirm no content has changed
Properties such as hiding, collision resistance helps block
chains make transactions permanent
Implemented as linked lists
Standards of Encryption
Data Encryption Standard (DES) was developed in 1977
by IBM and is based on the Data Encryption Algorithm
(DEA), which uses a 64-bit block size and a 56-bit key
DES is a federally approved standard for non-classified
data; it was cracked in 1997 when the developers of a
new algorithm, Rivest-Shamir-Aldeman, offered a $10,000
reward for the first person or team to crack the
algorithm
Fourteen thousand users collaborated over the Internet to
finally break the encryption
Triple DES (3DES) was developed as an improvement to
DES and uses three keys in succession
Advanced Encryption Standard (AES) developed with a
key length of either 128, 192, or 256 bits (NIST/ISO)
RSA standard developed based on the difficulty of figuring
the prime factors of a large number
Power of the keys
Security Models
Bell-LaPadula Model (1973) Confidentiality
Read down, write up
Confidentiality focus Integrity
Biba Model (1977)
Availability
Read up, write down
Integrity focus
Clark-Wilson Model (1987)
Constrained data item (CDI), transformation procedures
Useful for commercial applications
Chinese Wall Model (1989)
Resolves conflict of interest
Integrated cyber defense
Cyber Security and Privacy
MS6880

Foundations of privacy
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
Encrypted chats vulnerable?
The context
The Narcotics Control Bureau’s (NCB) probe into the
drugs case in connection with actor Sushant Singh
Rajput’s death case has led to news channels reporting
WhatsApp chats reportedly between actor Rhea
Chakraborty and others and also part of a group chat
from 2017, allegedly between Deepika Padukone and her
manager Karishma.
How was end-to-end* encrypted WhatsApp chats read
by a third party?
How can private chat messages be displayed in public?
Privacy???

• Even whatsapp cannot read the encrypted message:

https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
The caveat
Did the Govt obtain consent for this? If privacy is a
fundamental right can the state leak information that it
obtained as part of an investigation to the public?
Can the press be silent if a government source comes to
the press with information that is in the public interest?
Privacy vs public interest

A political party while in power will

stress on “national security” and
while in opposition will advocate
“privacy rights”
The big brother
In India, 10 central probe and snoop agencies are
empowered under the Information Technology (IT) Act to
intercept, monitor or decrypt any information generated,
transmitted, received or stored in any computer resource.
This list of ten includes the Narcotics Control Bureau,
Enforcement Directorate and the Central Bureau of
Investigation as well.

Indian Telegraph Act 1885

Panopticon (being observed, while the subject doesn’t
know)

Surveillance nation
Michael Foucault, George Orwell

The panopticon must not be understood

as a dream building. It is the diagram of
a mechanism of power reduced to its
ideal form
Michael Foucault, Discipline and
punish, 1977
Privacy a created issue?
 The right to
be let alone

The press is overstepping in every direction the obvious bounds of

propriety and of decency. Gossip is no longer the resource of the idle and
of the vicious, but has become a trade, which is pursued with industry as
well as effrontery. To satisfy a prurient taste the details of sexual relations
are spread broadcast in the columns of the daily papers. To occupy the
indolent, column upon column is filled with idle gossip, which can only be
procured by intrusion upon the domestic circle (The right to privacy,
Harvard Law Review, Samuel Warren and Louis Brandies, 1890)
Like a freedom movement
Privacy as freedom- the earliest notion of privacy
Privacy as autonomy, privacy as the right to be let alone
(Warren and Brandeis, 1890)
Early understanding of privacy based on moral principles

The poorest man may in his cottage bid defiance to all the force
of the Crown. It may be frail; its roof may shake; the wind may
blow through it; the storms may enter; the rain may enter - but
the King of England cannot enter; all his forces dare not cross
the threshold of the ruined tenement (William Pitt, 1763 cited in Hosein,
2004)
Public and private
Aristotle: poilis (public) and oikos (private)
Aristotle distinguished between the public sphere of
politics and political activity, the polis, and the private or
domestic sphere of the family, the oikos, as two distinct
spheres of life
Reductionism vs Coherentism
Privacy as a derivative of fundamental rights like property
rights, bodily security, right to freedom etc. (Thomson,1975)
There is nothing called privacy!
Cohenretism treats privacy as a distinct right
Economic view
Privacy is not important so long as there is no economic
consequence (Posner, 1975)
If privacy affects economic value of information, it must
be protected (eg. access to reco letter by applicants)
Privacy could reduce economic efficiency
Feminist view
Potential misuse in favor of dominant gender
(MacKinnon,1989)
Privacy and control over information
“the claim of individuals, groups or institutions to determine
for themselves when, how and to what extend information
about them is communicated to others”
-Westin 1967, Privacy and Freedom
Privacy as exclusive (restricted) access
Privacy vs information privacy
Fair Information Practice Principles
US Secretary's Advisory Committee on Automated Personal Data
Systems in a 1973 report, Records, Computers and the Rights of
Citizens
1. There must be no personal data record-keeping systems whose
very existence is secret.
2. There must be a way for a person to find out what information
about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about
the person that was obtained for one purpose from being used or
made available for other purposes without the person’s consent.
4. There must be a way for a person to correct or amend a record
of identifiable information about the person.
5. Any organization creating, maintaining, using, or disseminating
records of identifiable personal data must assure the reliability of
the data for their intended use and must take precautions to
prevent misuses of the data
Stakeholders

“Data principal" “Data fiduciary" “Data processor"

Synonyms used in India’s PDP in red

Concern For Information Privacy
(Smith et al., 1996)
 Evolution of information privacy
(Westin, 2003)
Period Important events – Characteristics
Privacy Baseline Limited IT developments, high public trust in government and
(1945-1960) business sector, and general comfort with the information collection.

1st Era of Privacy Rise of information privacy as an explicit social, political, and legal
(1961-1979) issue. Early recognition of potential dark sides of the new
technologies (Brenton 1964). Fair Information Practice
2nd Era of Rise of computer and network systems, database capabilities.
Privacy European nations move to national data protection laws for private
(1980-1989) and public sectors.
3rd Era of Rise of the Internet, Web 2.0, terrorist attack of 9/11 dramatically
Privacy changed the landscape of information exchange. Privacy concerns rose
(1990-2002) to new highs.
2005 Onwards - Social media, cloud computing, big data, location based services
are the dominant drivers for new privacy concerns and research
Why organizations should worry?
Since January 2005 (In US)
▪ 857 million records with sensitive personal information
exposed
▪ 4,586 data breaches
Lawsuits against popular websites like Facebook Beacon,
Google Buzz for violation of online privacy
▪ ChoicePoint ~ $30 million fine
o Fraudulent access of 145,000 consumer reports
▪ TJX Companies ~ $156 million fine
o Unfair practices that resulted in compromise of 46.2 million credit
cards data
International Significance
▪ 70 out of 400 grants given by National Science Foundation (USA), related
to privacy.
Why individuals should worry?
A super market faced with a lawsuit from one of its
customers, who had slipped and fallen, threatened to use
the fact that the customer was a frequent purchaser of
alcohol, to damage his reputation in the court
-Simson Garfinkel (2000), Database Nation
Class work
What should the Hathway Jones do: hire/not hire
Give rationale (three bullets)
What should they do post decision? (three bullets)
Cyber Security and Privacy
MS6880

Introduction
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
Are cyber attacks real?
What should I do?
} Kaseya is a company which provides software tools for IT
outsourcing
} One of those tools was subverted
} The hackers who claimed responsibility for the breach
have demanded $70 million to restore all the affected
businesses
Nov-Dec’22
Drones attack Saudi oil refinery (Sept 16, 2019)

} Aramco was being listed in stock market

} Attack begins at 4:00AM
} Shutting down production around 5% of the world's daily crude
oil production causing oil prices to surge up to 20%
} US said Iran behind Saudi oil attacks
} 17 hits identified on the Abqaiq refinery with dozen cruise
missiles and more than 20 drones.
Jan 3, 2020, ~ 1:00 am
A US drone strike on a Baghdad airport killed Qasem
Soleimani.
Summary
} Cyber security is a current and serious problem
} Open a newspaper or business magazine
} Pervasive digital technologies
} Cyber security affects individuals, organizations, society
and government
} The landscape of threats spread across units
} Privacy issues, data protection issues
} policy angles, operational and management angles, as well as
technology angles
} Triple role of technology
} Source of threat, asset to protect and defense weapon
What is security?
} “The quality or state of being secure--to be free from danger”
} To be protected from adversaries
} A successful organization should have multiple layers of security
in place:
} Physical security-areas of organization from unauthorized
access and misuse.
} Personal security- protection of individual or group.
} Operations security – Focus protection of particular operation.
} Communications security – Protect org. media, tech, content.
} Network security – Components, connections, contents.
} Information security- databases, analytics, insights

Slide 20
Cyber confusion

Which is correct?

A. cyber security
B. cyber-security
C. cybersecurity
} Cyber security form is common in Europe
} Cybersecurity form common in the America’s

} Cyber is borrowed from cybernetics, which implies

control (Greek steer man)
} When applied to IT, it refers to the online world
} Often used as a stylized pre-fix
} Cyber space, cyber koolies, cyber bullies etc.
} This course has no preferred spelling
Cyber security
} Cyber security often used interchangeably with the term
information security.
} However, incidents of cyber-bullying, damage to
equipment, media piracy, or cyber terrorism etc occur in
cyber space, beyond information assets—ie. it includes
humans as sources and targets of security
Cybersecurity is the collection of tools, policies, security concepts, security safeguards,
guidelines, risk management approaches, actions, training, best practices, assurance and
technologies that can be used to protect the cyber environment and organization and
user’s assets. Organization and user’s assets include connected computing devices,
personnel, infrastructure, applications, services, telecommunications systems, and the
totality of transmitted and/or stored information in the cyber environment.
Cybersecurity strives to ensure the attainment and maintenance of the security
properties of the organization and user’s assets against relevant security risks in the
cyber environment. The general security objectives comprise the following:
Availability, Integrity, which may include authenticity and non-
repudiation and Confidentiality (ITU, 2008)
Information security
} Information security is the preservation of the
Confidentiality, Integrity and Availability (CIA) of information
(ISO/IEC 27002, 2005, p. 1)
} The protection of information and its critical elements,
including the systems and hardware that use, store, and
transmit that information (Whitman and Mattord, 2009).
} Information security is not a product or a technology, but a
process
} Definitions is that information security is commonly defined in
terms of the properties or characteristics that secure
information should have. These usually include the
confidentiality, integrity and availability of information, but can
include additional characteristics.
Cyber Security and Privacy
MS6880

Risk Management
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INTITUTE OF TECHNOLOGY MADRAS
 Do you know?
} If you know the enemy and know yourself, you need not
fear the result of a hundred battles
} If you know yourself but not the enemy, for every victory
gained you will also suffer a defeat
} If you know neither the enemy nor yourself, you will
succumb in every battle
-- Sun Tzu
Risk management
} Knowing yourself: Identifying, examining, and
understanding the information and how it is processed,
stored, and transmitted
} Knowing the enemy: Identifying, examining, and
understanding the threats facing the organization’s
information assets
} Risk management: The process of identifying, assessing,
and reducing risks facing an organization

Slide 3
Threats, attack, vulnerability, risk
Attack surface
Residual risk
Risk identification
} Risk identification begins with the process of self-
examination
} Managers identify the organization’s information assets,
classify them into useful groups, and prioritize them by
their overall importance
} Identify information assets, including people, procedures,
data and information, software, hardware, and networking
elements
} This step should be done without pre-judging the value of
each asset; values will be assigned later in the process

Slide 8
Organizational assets used in systems

Slide 9
Identifying hardware, software, and
network assets
} Whether automated or manual, the inventory process
requires a certain amount of planning
} Determine which attributes of each of these information
assets should be tracked
} That will depend on the needs of the organization and its
risk management efforts

Slide 10
Attributes for assets
} When deciding which attributes to track for each
information asset, consider the following list of potential
attributes:
} Name
} IP address
} MAC address
} Asset type
} Serial number
} Manufacturer name
} Manufacturer’s model or part number
} Software version, update revision, or FCO number
} Physical location
} Logical location
} Controlling entity
Slide 11
Identifying people, procedures, and
data assets
} Responsibility for identifying, describing, and evaluating
these information assets should be assigned to managers
who possess the necessary knowledge, experience, and
judgment
} As these assets are identified, they should be recorded via
a reliable data-handling process like the one used for
hardware and software

Slide 12
Suggested attributes for people,
procedures, and data assets
} People } Data
} Position name/number/ID ▶ Owner/creator/manager
} Supervisor name/number/ID ▶ Size of data structure
▶ Data structure used
} Security clearance level ▶ Online or offline
} Special skills ▶ Location
▶ Backup procedures
} Procedures
} Description
} Intended purpose
} Software/hardware/networking elements to which it is tied
} Location where it is stored for reference
} Location where it is stored for update purposes

Slide 13
 Data classification model
} Example
} Public
} For official use only
} Sensitive
} Classified

} The U.S. military classification scheme (Executive Order 12958)

} Unclassified data
} Sensitive but unclassified (SBU) data
} Confidential data
} Secret data
} Top Secret data
Assessing values for information assets
} As each information asset is identified, categorized,
and classified, assign a relative value
} Relative values are comparative judgments made to
ensure that the most valuable information assets are
given the highest priority, for example:
} Which information asset is the most critical to the success
of the organization?
} Which information asset generates the most revenue?
} Which information asset generates the highest profitability?
} Which information asset is the most expensive to replace?
} Which information asset is the most expensive to protect?
} Which information asset’s loss or compromise would be the
most embarrassing or cause the greatest liability?

Slide 15
Knowing the enemy:
Identify and prioritize threats and threat agents
} Each threat presents a unique challenge to information
security and must be handled with specific controls that
directly address the particular threat and the threat
agent’s attack strategy
} Before threats can be assessed in the risk identification
process, however, each threat must be further examined
to determine its potential to affect the targeted
information asset
} In general, this process is referred to as a threat
assessment

Slide 16
Threats
} Back doors
} Brute force
} Dictionary
} Man-in-the –middle
} Password crack
} Social engineering
} Phishing
} Spear phishing
} Vishing
Threat categories
Weighted ranks of threats to
information security

Slide 19
Vulnerability assessment
} Once you have identified the information assets of the
organization and documented some threat assessment criteria,
you can begin to review every information asset for each
threat
} This review leads to the creation of a list of vulnerabilities that
remain potential risks to the organization
} Vulnerabilities are specific avenues that threat agents can
exploit to attack an information asset
} At the end of the risk identification process, a list of assets and their
vulnerabilities has been developed
} This list serves as the starting point for the next step in the
risk management process: risk assessment
Vulnerability assessment of a DMZ
router

Slide 21
Threat-Vulnerability-Asset (TVA) worksheet
} At the end of the risk identification process, a list of
assets and their vulnerabilities has been developed
} Another list prioritizes threats facing the organization
based on the weighted table discussed earlier
} These lists can be combined into a single worksheet

Slide 22
Sample TVA Spreadsheet

Slide 23
Determining the loss frequency
} Describes an assessment of the likelihood of an attack
combined with expected probability of success
} Use external references for values that have been
reviewed/adjusted for your circumstances.
} Assign numeric value to likelihood, typically annual value.
} Eg.: Targeted by hackers once every five years: 1/5,
20 percent
} Determining an attack’s success probability by estimating
quantitative value (e.g., 10 percent) for the likelihood of a
successful attack; value subject to uncertainty
Evaluating loss magnitude
} The next step is to determine how much of an
information asset could be lost in a successful attack.
} Also known as loss magnitude or asset exposure
} Combines the value of information asset with the
percentage of asset lost in event of a successful attack
} Difficulties involve:
} Valuating an information asset
} Estimating percentage of information asset lost during best-
case, worst-case, and most likely scenarios
Calculating residual risk
} For the purpose of relative risk assessment, risk equals:

Loss frequency TIMES loss magnitude MINUS the percentage of risk

mitigated by current controls PLUS measurement uncertainty
Problem
Q: An ecommerce database has 10% chance of an attack this
year based on industry reports (one attack in ten years). InfoSec
dept reports if the infrastructure is attacked there is 50% chance
of success based on current asset vulnerabilities and protection.
The asset is valued at 50 in a 0-100 scale, and InfoSec informs
that 80% asset will be compromised by a successful attack.
Measurements are 75% accurate. Estimate risk

Slide 27
Example
Q: An ecommerce database has 10% chance of an attack
this year based on industry reports (one attack in ten
years). InfoSec dept reports if the infrastructure is attacked
there is 50% chance of success based on current asset
vulnerabilities and protection. The asset is values at 50 in a
0-100 scale, and InfoSec informs that 80% asset will be
compromised by a successful attack. Measurements are 75%
accurate. Estimate risk
A: Likelihood: 0.1; Attack success probability: 0.5
Loss frequency: 0.1*0.5=0.05
Loss magnitude= 0.8*50=40
Risk=0.05*40+error=2+2*0.25=2.5

Slide 28