Please enable JavaScript.

Coggle requires JavaScript to display documents.

Security operations - Coggle Diagram

- - - - Learning outcomes
        
        The material in Block 4 covers aspects of the following learning outcomes:
        
        Knowledge and understanding
        
        KU1 Be aware of the principles, methods and tools relevant to the technical and human factors of cyber security.
        
        KU2 Demonstrate techniques and processes involved in assessment of security infrastructure and related hardware and software controls.
        
        KU3 Demonstrate an understanding of the theory and practice of systems security that includes identifying associated threats, controls and policies.
        
        1 more item...
        
        Key skills
        
        KS1 Communicate and analyse problems effectively within a computing environment using appropriate personal and technical skills.
        
        KS2 Formulate arguments and make informed decisions in choosing appropriate techniques in solving a range of technological problems.
        
        Practical and/or professional skills
        
        PS2 Demonstrate the ability to undertake ongoing learning to keep up-to-date with cyber security developments within digital systems.
- - - - Description A vector drawing of people arriving at a check-in desk at an airport on the far left of the image. In the centre, a man is showing his passport to an official seated in a booth at passport control. The far right of the image shows a man and a woman passing through a metal detector, whilst their bags are passing through an X-ray scanner.
        
        From a cyber security perspective, this balance of operation and security is no less challenging. As early as 1980, James P. Anderson Co. (1980) recognised that: ‘full protection of the information and communication infrastructure is impossible’.
        
        The practice of security operations recognises some key principles:
        
        security incidents are inevitable...there is a need to establish proactive measures to help reduce the negative impact of an incident...a broad approach (not just technical) is needed.
        
        Reflecting the ‘broad approach’ referred to in the last bullet point, security operations involve various assets, namely: people, information, technology, physical assets and third-party suppliers. This week, you will explore some of these assets.
- - - - Description A three pane cartoon strip from Dilbert is shown. Dogbert is shown sitting at a computer and is saying to Dilbert, ‘I have a new hobby. It’s called phishing.’ In the second pane, Dogbert continues, ‘I send fake banking e-mails to gullible executives. Then I find out their financial information and use it to steal the money they don’t deserve.’ In the final pane, the Boss is shown reading an email on his computer that reads, ‘Dear Customer, This is your bank. We forgot your social security number and password. Why don’t you send them to us so we can protect your money. Sincerely, I. B. Banker’. The Boss is shown thinking to himself, ‘Looks legit.’
        
        While you will cover human factors later in the block, it is a thread that runs throughout operational security practice, so let’s explore it briefly here.
        
        Broadly speaking, you can divide people management into two areas.You will explore each of these areas in the following sections.
        
        Security awareness and education
        The focus here is on the general security awareness and use of systems and assets by employees and others.
        
        Human resource security
        This covers the employment life cycle, meaning the relationship between the employee and organisation prior to employment, during employment and at the end of employment.
        
        2.1 Human resource security
        
        3 more items...
- - - - Description
        
        Four connecting jigsaw pieces are shown, which link together. Each piece contains text representing one of four areas of information management. The top-left piece reads, ‘Information classification and handling’. The top-right piece reads, ‘Privacy’. The bottom-left piece reads, ‘Document and record management’. The bottom-right piece reads, ‘Sensitive physical information’.
        
        The following sections will explore two of these areas in more detail, namely: information classification and handling, and privacy.
  - - - Controlling how data is classified and handled is an exercise that starts by identifying all of the different types of information to be managed. The information then needs to be classified according to its importance and the impact it may have in the event of a breach involving the information (information classification). Appropriate labelling of the information in ways that avoid unauthorised modification of the classification or separation of the classification from the information itself also needs to be in place (information labelling). Finally, procedures that cover how the information is handled during its lifetime must be produced; for example, appropriate information destruction procedures (information handling). In the sections that follow, you will explore each of these sub-topics of Information classification and handling in a little more depth.
      - Information classification
        The practice of protecting sensitive information by marking it to one of several hierarchical levels of sensitivity.
      - 3.1.1 Information classification
        
        When classifying information, it is important to take a holistic view on what constitutes information. Beyond the information that is gathered or generated by an organisation, other forms of information that need protecting should also be identified. For example, the layout of a high security building, the names of employees, and the procedure to follow during a fire drill are all examples of information that is classified as ‘Top Secret’ by the Security Service (MI5).
        
        Classification of information can be approached as a risk management process. This means that a number of considerations (or ‘inputs’) are taken into account when classifying information. To begin with, the adverse impact of a compromise or loss of information assets should be considered. This is a bit like asking the question: ‘What if this information is compromised?’.
        
        In Block 1 Part 1, you carried out a self-assessment activity that used the CIA triad to help assess the impact of a variety of incidents – each of which affected information security. Some more examples related to information security are shown in Table 4.3.
        
        Table 4.3 Using the CIA triad to assess the impact of information compromise
        
        Confidentiality Disclosure of a patient’s medical records could result in legal proceedings being brought against an organisation. Disclosure of undercover police officer names/identities may lead to threats to life.
        
        Integrity Disclosure of administrator account credentials could result in log files recording criminal activity being deleted from a server. Loss of or damage to crucial evidence in a criminal trial may lead to a miscarriage of justice, as key evidence is missing.
        
        Availability Again, the loss of evidence in a trial impacts on the availability of important information. Loss of information (such as client account profiles) can also impact on an organisation’s service level agreement and ability to provide an online service, such as Amazon Web Services.
        
        Other inputs to consider include those in the list below.
        
        Laws
        Legislation in the country where the information is processed can stipulate minimum levels of protection.
        
        1 more item...
        
        3.1.2 Information labelling
        
        Once information has been identified and classified, it is important that it be labelled appropriately to ensure it is subsequently handled correctly (handling is discussed further in Section 3.1.3).
        
        For physical items, such as a paper document or DVD, the classification could be produced as part of the document content (see Figure 4.16, below). If a classification is applied after the physical item is originally produced, such as after a paper document is passed to you, labelling can be applied by either physically writing on the item or applying a physical label with a strong, tamper-evident adhesive. You could even use barcodes or Radio-Frequency Identification (RFID) tags (Stallings, 2018); however, these are better suited to tracking the item as it is handled (see Section 3.1.3).
        
        For electronically held information, labelling could be achieved using electronic watermarking, an entry in the header or footer of a document, document metadata or digital signatures.
        
        Figure 4.16 Document labelled with ‘Top Secret’ classification
        
        2 more items...
        
        3.1.3 Information handling
        
        An important aspect of information management is how it is processed, communicated, stored and destroyed (if required). The rules on how information is handled are largely governed by legislation (this is discussed in Section 3.2.2) and standards, and are explored below.
        
        The ISO/IEC 27002 standard (Code of practice for information security controls) (International Organization for Standardization, 2017) makes the following recommendations for handling information assets:
        
        access restrictions supporting the protection requirements for each level of classification...maintenance of a formal record of the authorised recipients of assets...protection of temporary or permanent copies of information to a level consistent with the protection of the original information...storage of IT assets in accordance with manufacturers’ specifications...clear marking of all copies of media for the attention of the authorised recipient.
        
        1 more item...
    - - The term ‘privacy’ has been defined by the international standard ISO/IEC 7498-2 (Open systems interconnection. Basic reference model. Security architecture (Part 2)) as follows:.. the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.(International Organization for Standardization, 1989)
        
        It is worthwhile noting that this ‘right’ is not universally applied around the world. An interesting website provides an interactive ranking of different countries globally. The site should be used as an overview of how privacy can differ between countries. From a reliability perspective, there are a number of shortcomings to this site:....The provenance of the data is unclear. A ‘source’ is listed towards the bottom of the page but this simply links to a Google Docs spreadsheet with no authoritative source information...The methodology for calculating the overall score is not clear....The data is dated 2019 and so it is a bit out of date.
        
        In the next section, you will explore different threats to privacy and the principles and policies that can be used to set objectives for improving privacy. You will also briefly look at details of where to locate some ideas for the privacy controls that can be used to meet these objectives.
      - 3.2.1 Privacy threats
        
        A highly cited and comprehensive list of privacy threats is Solove’s A Taxonomy of privacy (Solove, 2005). Solove describes four basic groups of activities that are deemed to be harmful to privacy: Information collection, Information processing, Information dissemination and Invasions. To explore the detail of Solove’s taxonomy and its four groups, see Figure 4.17 and Figures 4.17(a)–(d).
        
        Information collection
        One of the four types of harmful activities described by Solove in his taxonomy of privacy. It collectively describes the practice gathering data through techniques such as surveillance and interrogation.
        
        Information processing
        (a) In a general context, this refers to the act of performing routine actions on information, such as removing duplicates from a dataset (b) In a security context, this is one of the four types of harmful activities described by Solove in his taxonomy of privacy. It collectively describes the practice of performing harmful actions on information, such as aggregation where more complete information about an individual can be determined by combining information from multiple sources..
        
        Information dissemination
        One of the four types of harmful activities described by Solove in his taxonomy of privacy. It collectively describes the practice of propagating information through actions such as disclosure, blackmail, and breaches of confidentiality.
        
        Invasions
        One of the four types of harmful activities described by Solove in his taxonomy of privacy. It collectively describes the practice intruding upon the privacy of an individual through actions such as intrusion or interfering with their freedom to make decisions.
        
        1 more item...
        
        3.2.2 Privacy principles and policies
        
        This section requires you to visit the module website.
        
        There are several standards, laws and regulations that exist to protect privacy. A framework that establishes the principles of good privacy is set out in the ISO/IEC 29100 standard ( Security techniques. Privacy framework) (International Organization for Standardization, 2020).
        
        Activity 4.8 Privacy framework principles
        
        In the next section, you will move on to examine some of the third-party supplier aspects of security operations.
- - - - Before going much further, it is useful to examine a couple of definitions of a supply chain.
      - Description Though this images is rather tiny! An example supply chain is shown, showing a sequence of seven stages, represented as boxes joined by arrows. Starting on the far left, the first stage is named ‘Material extraction’. Moving to the right, each subsequent stage is named as follows: ‘Material processing’, ‘Component production’, ‘Manufacture/assembly’, ‘Warehousing’, ‘Distribution’, and ‘Retailer’
  - - - But not all supply chains are material-based. Many service supply chains deal mainly with information flows. Examples include digital services, such as iTunes and Spotify, or anti-malware and network monitoring software, which rely on regular updates to mitigate threats (see Figure 4.19, below).
        
        But not all supply chains are material-based. Many service supply chains deal mainly with information flows. Examples include digital services, such as iTunes and Spotify, or anti-malware and network monitoring software, which rely on regular updates to mitigate threats (see Figure 4.19, below).
        
        Figure 4.19 A typical software supply chain
        
        Description The image shows the flow of information in a typical software supply chain software update. The top-left shows the image of a human with an arrow connecting the human to an icon of a document representing a software code update. An arrow connecting the document and the supplier’s update server is shown. Five arrows are shown emerging from the update server, each carrying a cogs symbol, representing a distributable software update. Each of the five arrows is connected to a customer server. The servers are labelled Customer A to Customer E, inclusive.
        
        In light of the prevalence of supply chains carrying information over IT networks, the NIST provides an updated and lengthy definition of a supply chain in SP 800-161:
        
        Linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of ICT products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer.
        
        1 more item...
    - - Compromise of any one of the suppliers or the channel through which products or services are transmitted can result in problems for the consumer or their own customers. Using the infrastructure shown in Figure 4.19 (Section 4.1) as an example, multiple victims can be compromised with a single Trojanised infection at the supplier source. This is distributed to all customers who update their product (see Figure 4.21, below), which shows how a single victim is compromised.
        
        Figure 4.21 Software provider supply chain attack
        
        The image shows the flow of information in a typical software supply chain attack. The top-left shows the image of a human with an arrow connecting the human to an icon of a document, representing software code. An arrow connecting the document and the supplier’s update server is shown. At the bottom of the image, a human icon representing a threat actor is shown. An arrow connecting the threat actor and an icon representing malware is shown. The arrow connecting the document and the update server is intercepted by an arrow from the malware icon, indicating the malware is injected into the update code. Trojanised updates are show leaving the update server and downloaded to the victim’s server. The victim’s server is shown to contain credit card details of customers. A command and control server is shown at the bottom of the image, which the threat actor has control over. An arrow connecting the command and control server with the victim’s server is labelled ‘Backdoor access (e.g. data theft)’.
        
        Software supply chain attacks are exacerbated by the increasing use of open-source software libraries when creating software products (Ohm et al., 2020). This practice can be exploited to perform a dependency confusion attack (see the box below). Over 35 technology companies (including Apple, Netflix, PayPal, Yelp and Uber) have paid big bounties worth thousands of dollars after a security researcher was able to exploit a dependency confusion attack to execute code on their networks (Birsan, 2021).
        
        Dependency confusion attack
        Software is generally produced using a variety of calls to library code, often called ‘packages’. Library code provides functionality such as the ability to display text on the screen or communicate with a server over the internet. A threat actor could create a new package and place it on a public code repository, such as GitHub, with the same file name as a legitimate package but with a higher version number. Most package managers will then automatically download and install the updated (threat actor’s) version of the package from the public feed. In effect, you have a supply chain attack at the point at which you create your software. If you want to read more, have a look at this blog, where the author claims to have infiltrated Apple and Microsoft, amongst others.
        
        Case study – SolarWinds supply chain attack
        
        1 more item...
      - 4.3 Supply chain risk management
        
        The CPNI places risk management at the centre of its 10 Steps to Cyber Security, meaning it should be embedded throughout an organisation for all functions and at all levels. In practice, this means that a risk analysis should be performed when approaching new suppliers or managing existing ones.
        
        Guidance on how this should be done is jointly provided by the NCSC and the CPNI through a series of 12 principles, divided into four areas – see the next activity.
        
        Activity 4.11 Principles of supply chain security
        
        The four areas and the associated principles within them are explored in a little more detail in the following sections.
        
        This activity please go to module website
        
        4.3.1 Understand the risks
        
        As with other risk assessments, the initial stage involves information gathering to identify where the threats and vulnerabilities are in the supply chain. This also means having good sight of the entire supply chain, beyond your own organisation’s immediate supplier. In Figure 4.22, an organisation’s own supplier (Level 1) is likely to have their own suppliers (Level 2). Extending this concept, the Level 2 suppliers are also likely to have their own suppliers (Level 3). The example in Figure 4.22 shows only three levels of suppliers, but in practice there could be several more levels.
        
        The further along the supply chain a supplier is from the organisation, the more difficult it becomes to have clear visibility on that supplier. In practice, this means that due diligence checks, such as checking vetting procedures, or good ethical policies may be difficult to establish. It also means that controls, such as requiring good password policies or the use of VPNs when working away from the office, may be difficult to impose as part of a contract with a Level 1 supplier where there are other suppliers further down the chain.
        
        Figure 4.22 Reduced visibility, understanding and control of ICT supply chains
        
        A box representing an organisation is shown on the left of the image. To the right of the organisation is a pane of semi-transparent glass, behind which are two suppliers, collectively referred to as Level 1 suppliers. Arrows moving from each supplier to the organisation are shown. The two suppliers each have two of their own suppliers, located in Level 2 behind another pane of glass that is less transparent than the first. Each of the suppliers in Level 2 have multiple suppliers located in Level 3 behind a third pane of glass that is even less transparent and largely opaque to the organisation. On the far left of the image, next to the organisation, the silhouette of a man is shown looking through a pair of binoculars towards the right of the figure to try and see all of the suppliers in the supply chain. At the bottom of the figure, a large arrow moving from left to right indicates that the further away from the organisation a supplier is, the less visibility, understanding and control there is.
        
        A brief description of the principles covered by this area is given in Table 4.4.
        
        1 more item...
        
        4.3.2 Establish control
        
        Establishing and maintaining control over the supply chain is largely down to good communication and promoting good practice. The NCSC/CPNI guidance breaks this objective down into six principles that make up this second area, as shown in Table 4.5.
        
        Principle 4 – Communicate your view of security needs to your suppliers.Clear and unambiguous guidance on your security requirements and what is expected of a supplier should be in place. An example is any security requirements a supplier must impose on their own suppliers (in Level 2, relative to your organisation). Another example is restrictions that limit the ability of the supplier to subcontract the work to a third party. The guidance must provide clarity on what decisions must be approved by your organisation (or which ones do not need approval).
        
        Principle 5 – Set and communicate minimum supplier security requirements.The requirements set for suppliers should be justified, proportionate and achievable. Not every circumstance may need the same level of security controls. For example, a training provider may provide much of its material face to face, but under the Covid-19 restrictions that were in place during 2020–2021, it moved online and requires the collection and processing of employee details to create accounts. Assessing risk based on the circumstances and working on a case-by-case basis is a more proportionate approach to security.
        
        1 more item...
        
        4.3.3 Check your arrangements
        
        The third area of the NCSC/CPNI principles for good supply chain management is focused on building and maintaining confidence in the security measures implemented in the previous two areas, as shown in Table 4.6.
        
        Principle 10 – Build assurance activities into your supply chain management.To gain confidence that all of the appropriate security measures are in place, an organisation should contractually require the supplier to provide regular reporting of security performance. For example, the supplier may be required to provide copies of annual security audits performed by an independent third-party security specialist. Another example is where a particular security certification should be achieved and maintained as a condition of the supplier contract.
        
        1 more item...
        
        4.3.4 Continuous improvement
        
        Once the security risks are identified, control is established and assurances are implemented, the supply chain security infrastructure needs to be protected from future changes that could undermine the security ecosystem that is established. The final area of the NCSC/CPNI principles for good supply chain management contains two principles to address this, as shown in Table 4.7.
        
        1 more item...