Uploaded by

Abolarinwa
CYB 102 – FUNDAMENTALS OF CYBER SECURITY

Lecture Note slides Module 3

By
Cybersecurity Best Practices
Cyberspace is particularly difficult to secure due to a number of factors:
I. the ability of malicious actors to operate from anywhere in the world
II. the linkages between cyberspace and physical systems,
III. the difficulty of reducing vulnerabilities and consequences in complex cyber
networks.

Implementing safe cybersecurity best practices is important for individuals as
well as organizations of all sizes.
▪ using strong passwords,
▪ updating your software,
▪ thinking before you click on suspicious links,
▪ turning on multi-factor authentication
are the basics of what we call “cyber hygiene” and will drastically improve your
online safety.
Personal Cyber Security Tips
1. Keep Your Software Up to Date
One of the most important cyber security tips to mitigate ransomware is patching
outdated software, both operating system and applications. This helps remove critical
vulnerabilities that hackers use to access your devices.

Here are a few quick tips to get you started:

• Turn on automatic system updates for your device

• Make sure your desktop web browser uses automatic security updates

• Keep your web browser plugins like Flash, Java, etc. updated
2. Use Anti-Virus Protection & Firewall
▪ Anti-virus (AV) protection software has been the most prevalent solution to
fight malicious attacks.
▪ AV software blocks malware and other malicious viruses from entering your
device and compromising your data.
▪ Use anti-virus software from trusted vendors and only run one AV tool on
your device.

Using a firewall is also important when defending your data against malicious
attacks.
▪ A firewall helps screen out hackers, viruses, and other malicious activity that
occurs over the Internet and determines what traffic is allowed to enter your
device.
▪ Windows and Mac OS X come with their respective firewalls, aptly named
Windows Firewall and Mac Firewall. Your router should also have a firewall
built in to prevent attacks on your network.
3. Use Strong Passwords & Use a Password Management Tool
You have probably heard that strong passwords are critical to online security. The truth is
passwords are important in keeping hackers out of your data.

According to the National Institute of Standards and Technology’s (NIST) 2017 new password
policy framework, you should consider:
• Dropping the crazy, complex mixture of upper case letters, symbols, and numbers. Instead,
opt for something more user-friendly but with at least eight characters and a maximum length
of 64 characters.

• Don’t use the same password twice.

• The password should contain at least one lowercase letter, one uppercase letter, one number,
and four symbols but not the following: &%#@_

• Choose something that is easy to remember and never leave a password hint out in the open
or make it publicly available for hackers to see.

• Reset your password when you forget it. But, change it once per year as a general refresh.
4. Use Two-Factor or Multi-Factor Authentication
• Two-factor or multi-factor authentication is a service that adds additional layers of security
to the standard password method of online identification.

• Without two-factor authentication, you would normally enter a username and password.

• But, with two-factor, you would be prompted to enter one additional authentication
method such as a Personal Identification Code, another password, or even a fingerprint.

• With multi-factor authentication, you would be prompted to enter more than two
additional authentication methods after entering your username and password.

• According to NIST, an SMS delivery should not be used during two-factor authentication
because malware can be used to attack mobile phone networks and can compromise data
during the process.
5. Learn about Phishing Scams – be very suspicious of emails, phone calls, and flyers

In a phishing scheme attempt, the attacker poses as someone or something the sender is not
to trick the recipient into:
• divulging credentials
• clicking a malicious link,
• opening an attachment that infects the user’s system with malware, trojan, or zero-day
vulnerability exploit.

A few important cyber security tips to remember about phishing schemes include:

1. Bottom line – Don’t open emails from people you don’t know.

2. Know which links are safe and which are not – hover over a link to discover where it directs
to.

3. Be suspicious of the emails sent to you in general – look and see where it came from and if
there are grammatical errors.

4. Malicious links can come from friends who have been infected too. So, be extra careful!
6. Protect Your Sensitive Personal Identifiable Information (PII)

• Definition: Personal Identifiable Information (PII) is any information that can be used by a
cybercriminal to identify or locate an individual.

• PII includes information such as name, address, phone number, date of birth, Social Security
Number, IP address, location details, or any other physical or digital identity data.

• In the new “always-on” world of social media, you should be very cautious about the
information you include online.

• It is recommended that you only show the very minimum about yourself on social media.

• Consider reviewing your privacy settings across all your social media accounts, particularly
Facebook.

• Adding your home address, birth date, or any other PII information will dramatically increase
your risk of a security breach. Hackers use this information to their advantage!
7. Use Your Mobile Devices Securely
According to McAfee Labs, your mobile device is now a target to more than 1.5 million new
incidents of mobile malware.

Here are some quick tips for mobile device security:

1. Create a Difficult Mobile Passcode – Not Your Birthdate or Bank PIN

2. Install Apps from Trusted Sources

3. Keep Your Device Updated – Hackers Use Vulnerabilities in Unpatched Older Operating
Systems

4. Avoid sending PII or sensitive information over text messages or email

5. Leverage Find My iPhone or the Android Device Manager to prevent loss or theft

6. Perform regular mobile backups using iCloud or by enabling Backup & Sync on Android
8. Backup Your Data Regularly
• Backing up your data regularly is an overlooked step in personal online
security.

• The top IT and security managers follow a simple rule called the 3-2-1
backup rule.

• Essentially, you will keep three copies of your data on two different
types of media (local and external hard drive) and one copy in an off-site
location (cloud storage).

• If you become a victim of ransomware or malware, the only way to
restore your data is to erase your systems and restore with a recently
performed backup.
9. Don’t Use Public Wi-Fi
• Don’t use public Wi-Fi without using a Virtual Private Network (VPN).

• By using VPN software, the traffic between your device and the VPN
server is encrypted.

• This means it’s much more difficult for a cybercriminal to obtain access
to your data on your device.

• Use your cell network if you don’t have a VPN when security is
important.
10. Review Your Online Accounts & Credit Reports Regularly for Changes

• With the recent Equifax breach, it’s more important than ever for
consumers to safeguard their online accounts and monitor their credit
reports.

• A credit freeze is the most effective way for you to protect your personal
credit information from cyber criminals right now.

• Essentially, it allows you to lock your credit and use a personal
identification number (PIN) that only you will know.

• You can then use this PIN when you need to apply for credit.
Top Causes of Security Breaches

• Hacking, phishing, and malware incidents are becoming the number
one cause of security breaches today.

• But, what’s more troubling, these hacking attempts are the result of
human errors in some way.

• Education and awareness are critically important in the fight against
cybercriminal activity and in preventing security breaches.
Security testing
Definition: This is a process intended to reveal flaws in the security
mechanisms of an information system that protect data and maintain
functionality as intended.
• Due to the logical limitations of security testing, passing the security testing
process is not an indication that no flaws exist or that the system adequately
satisfies the security requirements.
• Typical security requirements may include specific elements of confidentiality,
integrity, authentication, availability, authorization, and non-repudiation.
• Actual security requirements tested depend on the security requirements
implemented by the system.
• Security testing is a term that has a number of different meanings and can
be completed in a number of different ways.
• As such, a Security Taxonomy helps us to understand these different
approaches and meanings by providing a base level to work from.
Taxonomy
Common terms used for the delivery of security testing
1. Discovery
• The purpose of this stage is to identify systems within the scope and the services in use.
• It is not intended to discover vulnerabilities, but version detection may highlight
deprecated versions of software/firmware, thus indicating potential vulnerabilities.

2. Vulnerability Scan
• Following the discovery stage this looks for known security issues by using automated tools
to match conditions with known vulnerabilities.
• The reported risk level is set automatically by the tool with no manual verification or
interpretation by the test vendor.
• This can be supplemented with credential-based scanning that looks to remove some
common false positives by using supplied credentials to authenticate with a service (such as
local Windows accounts).
3. Vulnerability Assessment
• This uses discovery and vulnerability scanning to identify security vulnerabilities and places
the findings into the context of the environment under test.
• An example would be removing common false positives from the report and deciding risk
levels that should be applied to each report finding to improve business understanding and
context.
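To make the boundary between stages 1 to 3 concrete, here is an added Python example (not code from the lecture notes). It takes constructed discovery output, runs an automated version-matching scan whose risk levels are the tool's own defaults, and then applies assessment context, namely a credentialed check result and each host's network exposure, to drop a false positive and re-rate a finding. Hosts, versions, issue ids and risk levels are all placeholders.

```python
# Constructed data for this example (not from the lecture notes): hosts, versions,
# issue ids and risk levels are all placeholders.

# Stage 1, Discovery: systems in scope, the services in use and, where a banner
# reveals it, the version. Nothing here is a vulnerability finding yet.
DISCOVERED = [
    {"host": "10.0.0.5",  "service": "ssh",  "version": "7.4"},
    {"host": "10.0.0.5",  "service": "http", "version": "2.4.49"},
    {"host": "10.0.0.9",  "service": "smb",  "version": "1.0"},
    {"host": "10.0.0.12", "service": "http", "version": "2.4.58"},
]

# The scanner's knowledge base: version conditions tied to known issues, each with
# the risk level the tool assigns by default.
KNOWN_ISSUES = [
    {"service": "http", "version": "2.4.49",  "id": "PLACEHOLDER-HTTP-1", "risk": "high"},
    {"service": "ssh",  "max_version": "7.9", "id": "PLACEHOLDER-SSH-1",  "risk": "medium"},
    {"service": "smb",  "version": "1.0",     "id": "PLACEHOLDER-SMB-1",  "risk": "critical"},
]

# Environment context available to the assessment stage.
CREDENTIALED_RESULTS = {   # (host, issue id) -> what an authenticated check showed
    ("10.0.0.5", "PLACEHOLDER-SSH-1"): "vendor backported the fix; package is patched",
}
EXPOSURE = {"10.0.0.5": "internet", "10.0.0.9": "isolated-lab", "10.0.0.12": "internet"}


def vtuple(version):
    """Turn '2.4.49' into (2, 4, 49) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def matches(issue, service):
    """Stage 2 matching rule: an exact version, or anything up to max_version."""
    if issue["service"] != service["service"]:
        return False
    if "version" in issue:
        return vtuple(issue["version"]) == vtuple(service["version"])
    return vtuple(service["version"]) <= vtuple(issue["max_version"])


def vulnerability_scan(discovered, known_issues):
    """Stage 2, Vulnerability Scan: automated matching only; the risk level is the
    tool's default, with no manual verification or interpretation."""
    return [
        {"host": s["host"], "service": s["service"], "id": i["id"], "risk": i["risk"]}
        for s in discovered
        for i in known_issues
        if matches(i, s)
    ]


def vulnerability_assessment(scan_results, credentialed, exposure):
    """Stage 3, Vulnerability Assessment: remove false positives shown by the
    credentialed check and re-rate what remains in the context of the environment."""
    assessed = []
    for finding in scan_results:
        key = (finding["host"], finding["id"])
        if key in credentialed:
            continue  # authenticated check proved the issue does not apply here
        risk = finding["risk"]
        if exposure.get(finding["host"]) == "isolated-lab" and risk == "critical":
            risk = "medium"  # not reachable from untrusted networks
        assessed.append({**finding, "tool_risk": finding["risk"], "risk": risk})
    return assessed


if __name__ == "__main__":
    scan = vulnerability_scan(DISCOVERED, KNOWN_ISSUES)
    print("scan:", [(f["host"], f["id"], f["risk"]) for f in scan])
    print("assessed:", [(f["host"], f["id"], f["risk"])
                        for f in vulnerability_assessment(scan, CREDENTIALED_RESULTS, EXPOSURE)])
```

Keeping tool_risk next to the assessed risk preserves the audit trail of what the scanner said versus what the assessor decided.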

4. Security Assessment
• Builds upon Vulnerability Assessment by adding manual verification to confirm exposure,
but does not include the exploitation of vulnerabilities to gain further access.
• Verification could be in the form of authorized access to a system to confirm system settings
and involve examining logs, system responses, error messages, codes, etc.
• A Security Assessment is looking to gain a broad coverage of the systems under test but not
the depth of exposure that a specific vulnerability could lead to.
5. Penetration Test
▪ A penetration test simulates an attack by a malicious party.
▪ Building on the previous stages, it involves the exploitation of found vulnerabilities to gain
further access.
▪ Using this approach will result in an understanding of the ability of an attacker to gain
access to confidential information, affect data integrity or availability of a service, and the
respective impact.
▪ Each test is approached using a consistent and complete methodology in a way that allows
the tester to use their problem-solving abilities.
▪ The tester combines the output from a range of tools with their own knowledge of networking
and systems to find vulnerabilities that would or could not be identified by automated tools.
▪ This approach looks at the depth of attack as compared to the Security Assessment
approach, which looks at the broader coverage.
6. Security Audit
• Driven by an Audit / Risk function to look at a specific control or compliance
issue.

• Characterized by a narrow scope, this type of engagement could make use of
any of the earlier approaches discussed.

7. Security Review
• Verification that industry or internal security standards have been applied to
system components or products.

• This is typically completed through gap analysis and utilizes build/code
reviews or by reviewing design documents and architecture diagrams.

• This activity does not utilize any of the earlier approaches (Vulnerability
Assessment, Security Assessment, Penetration Test, Security Audit).
Incident Response
• Definition: Incident response is an organized, strategic approach to
detecting and managing cyber attacks in ways that minimize damage,
recovery time, and total costs.

• Strictly speaking, incident response is a subset of incident
management.

• Incident management is an umbrella term for an enterprise's broad
handling of cyber attacks, involving diverse stakeholders from the
executive, legal, Human Resources (HR), communications, and
information technology (IT) teams.

• Incident response is the part of incident management that handles technical
cybersecurity tasks and considerations.
Types of Security Incidents
• In developing incident response strategies, it's important to first understand
how security vulnerabilities, threats, and incidents are related.

• A vulnerability is a weakness in the IT or business environment.

• A threat is an entity -- whether a malicious hacker or a company insider --
that aims to exploit a vulnerability in an attack.

• To qualify as an incident, an attack must succeed in accessing enterprise
resources or in otherwise putting them at risk.

• Finally, a data breach is an incident in which attackers successfully
compromise sensitive information, such as personally identifiable information
or intellectual property.
• When it comes to cybersecurity, an ounce of prevention is worth a pound of cure.
• Experts say organizations should fix known vulnerabilities and proactively develop
response strategies for dealing with common security incidents. These include the
following:
• Unauthorized attempts to access systems or data.
• Privilege escalation attacks
• Insider threats
• Phishing attacks
• Malware attacks
• Denial-of-service (DoS) attacks
• Man-in-the-middle attacks
• Password attacks
• Web application attacks
• Advanced persistent threats
What is an incident response plan?
An incident response plan is an organization's go-to set of documentation
that details the following:

• What: Which threats, exploits, and situations qualify as actionable
security incidents, and what to do when they occur.

• Who: In the event of a security incident, who is responsible for which
tasks, and how others can contact them.

• When: Under what circumstances team members should perform certain
tasks.

• How: Specifically how team members should complete those tasks.


How to create an incident response plan
Successful incident response requires proactively drafting, vetting, and testing plans
before crisis strikes. Best practices include the following:
1. Establish a policy. An incident remediation and response policy should be an
evergreen document describing general, high-level incident-handling priorities. A good
policy empowers incident responders and guides them in making sound decisions
when the proverbial excrement hits the fan.
2. Build an incident response team. An incident response plan is only as strong as
the people involved. Establish who will handle which tasks, and ensure everyone has
adequate training to fulfill their roles and responsibilities.
3. Create playbooks. Playbooks are the lifeblood of incident response. While an
incident response policy offers a high-level view, playbooks get into the weeds,
outlining standardized, step-by-step actions responders should take in specific
scenarios.
4. Create a communication plan. An incident response plan cannot succeed without
a solid communication plan among diverse stakeholders. These may include the
incident response, executive, communications, legal, and HR teams, as well as
customers, third-party partners, law enforcement, and the general public.
Incident response frameworks: Phases of incident response
▪ Preparation/planning. Build an incident response team and create policies,
processes and playbooks; deploy tools and services to support incident
response.
▪ Detection/identification. Use IT monitoring to detect, evaluate, validate and
triage security incidents.
▪ Containment. Take steps to stop an incident from worsening and regain
control of IT resources.
▪ Eradication. Eliminate threat activity, including malware and malicious user
accounts; identify any vulnerabilities the attackers exploited.
▪ Recovery. Restore normal operations and mitigate relevant vulnerabilities.
▪ Lessons learned. Review the incident to establish what happened, when it
happened and how it happened. Flag security controls, policies and
procedures that functioned sub-optimally and identify ways to improve them.
Update the incident response plan accordingly.
Who is responsible for incident response?
Behind every great incident response program is a coordinated, efficient, and effective incident
response team.

After all, without the right people to support them and put them into practice, security policies,
processes, and tools mean very little.

This cross-functional group consists of people from diverse parts of the organization who are
responsible for completing the steps and processes involved in incident response.

Types of incident response teams

The three most common types of incident response teams are as follows:
• Computer security incident response team (CSIRT).
• Computer incident response team (CIRT).
• Computer emergency response team (CERT).
Incident response team members
An incident response team consists of the following members:
• Technical team. This is the core incident response team of IT and security members who have
technical expertise across company systems. It often includes an incident response manager,
incident response coordinator, team lead, security analysts, incident responders, threat
researchers and forensics analysts.
• Executive sponsor. This is an executive or board member, often the CSO or CISO.
• Communications team. This includes PR representatives and others who manage internal
and external communications.
• External stakeholders. Members include other employees or departments within the
organization, such as IT, legal or general counsel, human resources (HR), business continuity
and disaster recovery, physical security, and facilities teams.
• Third parties. These external members might include security or incident response
consultants, external legal representation, MSPs, managed security service providers, cloud
service providers (CSPs), vendors and partners.
What does an incident response team do?
The chief goals of an incident response team are to detect and respond to security events and
minimize their business impact.
As such, team responsibilities largely align with the phases outlined in an incident response
framework and plan. Team tasks include the following:
• Prepare for and prevent security incidents.
• Create the incident response plan.
• Test, update and manage the incident response plan before use.
• Perform incident response tabletop exercises.
• Develop metrics to analyze program initiatives.
• Identify security events.
• Contain security events, quarantine threats and isolate systems.
• Eradicate threats, discover root causes and remove affected systems from production
environments.
• Recover from threats and get affected systems back online.
• Conduct follow-up activities, including documentation, incident analysis and
identifying how to prevent similar events and improve future response efforts.
• Review and update the incident response plan regularly.
Risk Management
▪ Definition: Cybersecurity risk management is the process of identifying an organization's
digital assets, reviewing existing security measures, and implementing solutions to either
continue what works or mitigate security risks that may pose threats to a business.

Cybersecurity Risk Management Process


• Cyberattacks are not random. If you know where to look, there are usually signs of a
planned attack against an organization.

• Telltale markers of an imminent attack include mentions of the organization on the dark
web, the registration of similar domain names to be used for phishing attacks, and
confidential information - such as user account credentials - put up for sale.
Cybersecurity Risk Management Strategy
➢ A cybersecurity risk management strategy implements four quadrants that deliver comprehensive
and continuous Digital Risk Protection (DRP).
➢ DRP platforms use multiple reconnaissance methods to find, track, and analyze threats in real-time.
➢ Using both indicators of compromise (IOCs) and indicators of attack (IOAs) intelligence, a DRP
solution can analyze risks and warn of attacks.

Let's take a look at the four quadrants:


• Map - Discover and map all digital assets to quantify the attack surface. Use the map as a foundation
to monitor cybercriminal activity.

• Monitor - Search the public and dark web for threat references to your digital assets. Translate found
threats to actionable intelligence.

• Mitigate - Take automated actions to block and remove identified threats to digital assets. This
includes integration with other security initiatives in place.

• Manage - Manage the process used in the Map, Monitor, and Mitigate quadrants. Enriching IOCs and
prioritizing vulnerabilities in this step is also essential to successful digital risk protection.
What are the Benefits of Cybersecurity Risk Management?
➢ Implementing cybersecurity risk management ensures cybersecurity is not relegated
to an afterthought in the daily operations of an organization.
➢ Having a cybersecurity risk management strategy in place also ensures that
procedures and policies are followed at set intervals and that security is kept up to
date.
➢ Cybersecurity Risk Management provides ongoing monitoring, identification, and
mitigation of the following threats:
▪ Phishing Detection
▪ VIP and Executive Protection
▪ Brand Protection
▪ Fraud Protection
▪ Sensitive Data Leakage Monitoring
▪ Dark Web Activity
▪ Automated Threat Mitigation
▪ Leaked Credentials Monitoring
▪ Malicious Mobile App Identification
▪ Supply Chain Risks
Why is Cybersecurity Risk Management Important?
➢ Cybersecurity risk management is important because it helps a business assess its
current cybersecurity risk profile.

➢ Cybersecurity risk management is also important because it helps to bring about
situational awareness within a security organization.

➢ It's essential to have a clear understanding of the risks in your organization and
those that might arise in the future.
