R10 Security. v2

R10.7 Process and protocols of internet assurance

Installation and configuration of firewalls

Four configuration changes that need to be completed to make the firewall secure:

  1. Delete, disable or rename any default user accounts, changing default passwords to complex passwords/passphrases
  2. Each person managing the firewall should have their own account. Privileges set on the account should be based on their responsibility
  3. Update the firewall firmware to the latest vendor updates
  4. Define where changes can be made from, such as from inside the network

Inbound and outbound rules

Firewalls can be set to monitor inbound traffic, outbound traffic or both. The rules are used to inspect data packets and determine whether they should be blocked or allowed

Three rules need to be set:

Traffic type

Application

Destination and source

Inbound traffic - comes from outside the network, through the firewall, into the network

Outbound traffic - comes from inside the network, through the firewall, out of the network
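Added example (not from these notes): a small Python rule evaluator that applies the elements above (direction, traffic type, application, source and destination) to packets with first-match semantics and a default block. The rule set, the addresses and the use of a destination port to stand for the application are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example, not from the original notes. Rule fields follow the three
# elements above (traffic type, application, destination and source) plus
# direction; "application" is modelled as a destination port (assumption).
@dataclass(frozen=True)
class Rule:
    direction: str              # "inbound" or "outbound"
    traffic_type: str           # "tcp", "udp", "icmp" or "any"
    application: Optional[int]  # destination port; None matches any
    source: str                 # CIDR the packet must come from
    destination: str            # CIDR the packet must be going to
    action: str                 # "allow" or "block"

@dataclass(frozen=True)
class Packet:
    direction: str
    traffic_type: str
    dst_port: Optional[int]
    src_ip: str
    dst_ip: str

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.traffic_type in ("any", pkt.traffic_type)
            and (rule.application is None or rule.application == pkt.dst_port)
            and ip_address(pkt.src_ip) in ip_network(rule.source)
            and ip_address(pkt.dst_ip) in ip_network(rule.destination))

def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; anything unmatched gets the default (block)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

# Constructed rule set for an internal LAN 192.168.1.0/24 (addresses are
# private/documentation ranges, not real hosts).
RULES = [
    Rule("inbound", "tcp", 443, "0.0.0.0/0", "192.168.1.10/32", "allow"),      # public web server
    Rule("inbound", "any", None, "0.0.0.0/0", "192.168.1.0/24", "block"),      # all other inbound
    Rule("outbound", "tcp", 443, "192.168.1.0/24", "0.0.0.0/0", "allow"),      # HTTPS out
    Rule("outbound", "udp", 53, "192.168.1.0/24", "192.0.2.53/32", "allow"),   # DNS to approved resolver only
]
```

Calling `evaluate(RULES, Packet("inbound", "tcp", 22, "203.0.113.5", "192.168.1.10"))` returns "block", because SSH from outside matches no allow rule and falls to the catch-all inbound block.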

Network segregation

Ensures that if an attack happens then not all of the network will be compromised

Virtual local area network

VLAN is the method used to logically separate out networks, such as a LAN for a business with multiple departments or geographical areas

VLAN is used to separate each department area on the network into a virtual network

Increases the efficiency of what would be a large LAN and saves on network resources. Can also help reduce the time taken for transmission of data packets

Advantages

Easier to troubleshoot problems on a smaller network than a larger one

Easier to scale upwards or downwards as each area can be addressed in isolation without impacting other areas on the main network

Latency is decreased (data packets are transmitted around a smaller network area)

Provides security control as each VLAN is a simulated/virtual separate network within a larger network, meaning sensitive information is not accessible by other areas of the larger LAN/WAN

Disadvantages

Maintenance needs to be carried out using a logical and structured process to maintain existing VLAN segmentation

Implementation planning can take longer than other, simpler set-ups for the reason above

Can be more expensive to implement as additional routers may be required to control traffic on a large network

Physical network separation/segmentation

A large network is broken down into smaller physical components. Extra hardware may be needed, like switches, routers etc.

Disadvantages

Financially expensive as extra hardware may need to be bought and installed

Conflicts between hardware can occur, e.g. if Wi-Fi access points are located in the same area then each will broadcast a different SSID

Offline networks

An offline network is one that is not connected to the internet. An air-gapped system is an example of an offline network

Network monitoring

Running a system that constantly monitors a network to check performance. The system can detect slow or failing components and provide detailed feedback to the network management team

If packets were lost during a ping test, the summary of results will include:

Minimum round trip time

Maximum round trip time

Mean round trip time

Standard deviation of mean round trip time
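Added example (not from these notes): Python that rebuilds the ping summary above from constructed ping output with one lost packet, then flags what a monitoring system would report to the network team. The output lines and the alert thresholds are constructed/assumed.

```python
import re
import statistics
from typing import Dict, List

# Added example, not from the original notes. Constructed Linux-style ping
# output: 5 probes sent, icmp_seq=3 never answered (one packet lost).
SAMPLE_PING = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=12.4 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=11.9 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=48.7 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=64 time=12.1 ms
"""

REPLY = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")

def summarize(output: str, sent: int) -> Dict[str, float]:
    """Rebuild the round-trip summary ping prints: min, max, mean and the
    standard deviation (population, as iputils reports its 'mdev')."""
    rtts = [float(m.group(2)) for m in REPLY.finditer(output)]
    received = len(rtts)
    summary = {"sent": sent, "received": received,
               "loss_pct": round(100.0 * (sent - received) / sent, 1)}
    if rtts:  # with total loss there is nothing to average
        summary.update(min_rtt=min(rtts), max_rtt=max(rtts),
                       mean_rtt=statistics.fmean(rtts),
                       stdev_rtt=statistics.pstdev(rtts))
    return summary

def health_issues(summary, max_loss_pct=0.0, max_rtt_ms=100.0, max_stdev_ms=10.0) -> List[str]:
    """What a monitoring system would flag to the network team (thresholds are assumed)."""
    issues = []
    if summary["loss_pct"] > max_loss_pct:
        issues.append(f"packet loss {summary['loss_pct']}%")
    if summary["received"] == 0:
        issues.append("host unreachable")
        return issues
    if summary["max_rtt"] > max_rtt_ms:
        issues.append(f"slow reply {summary['max_rtt']} ms")
    if summary["stdev_rtt"] > max_stdev_ms:
        issues.append(f"jitter {summary['stdev_rtt']:.1f} ms")
    return issues

if __name__ == "__main__":
    s = summarize(SAMPLE_PING, sent=5)
    print(s)
    print(health_issues(s))
```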

Removable media controls

These are portable devices such as USB sticks, SD cards and external hard drives, typically used by people to copy and transfer data

What happens if they aren't controlled:

Introduction of malware

Reputational damage

Loss of data and information

Financial loss

R10.8 Interrelationship of components required for effective computer security system

Identification, authentication, authorization and accountability

Every user needs:

Identification - use of usernames or biometrics

Authentication - additional information such as a PIN, password or token. These stages work together rather than separately

Authorization - what the user is able to do. Links with setting and managing user privileges

Auditing - all actions carried out by authorized users will be recorded

The principles of identification, authentication, authorization and auditing (IAAA) will help increase security

Risk management

Threats - identification of possible threats that could occur. Should cover not only digital systems but also people and the physical environment

Vulnerabilities - all vulnerabilities should be identified. Some may already have been identified as a result of vulnerability testing

Impact - what is the impact of the threat/vulnerability: negligible, moderate or serious? The impact level determines the priority of taking remedial action

Probability - the probability of the threat happening or the vulnerability being exploited. Higher probability means higher remedial action priority

Mitigation - what action can be taken to reduce the threat level or close the vulnerability

R10.6 Risk Mitigation Controls to Prevent Threats

Risk Mitigation Controls

Encryption

User access, policies and procedures

Intrusion detection and prevention systems

Staff training and CPD (Continuous professional development)

Firewalls

Back-ups

Anti-virus and anti-malware software

Software and system maintenance

National Cyber Security Centre (NCSC) Cyber Essentials:

Air gaps

Control access to data and services

Protection from viruses and malware

Choose most secure settings for devices and software

Up-to-date software and devices

Firewall to secure internet connections

Software

Hardware

Process

Protocols

Purpose

Permissions

IT user policies

Human firewall

Incremental

Differential

Full

Scheduled maintenance

Interruption to services

Importance of latest software updates

Virtual private networks (VPNs)

Honeypot

R10.4 Vulnerabilities within an Organization

Technical Vulnerabilities

Non-technical Vulnerabilities

Employees

Physical access controls

Compatibility of legacy systems

Fail-open electronic locks

Software no longer supported by supplier

Weak passwords

Out of date software/hardware/firmware

Missing authentication and authorization

Inadequate encryption (weak or outdated)

Exploitable bugs/zero-day bugs

Lack of recruitment screening

Competency levels of staff

Poor data/cyber hygiene (not archiving documents, accounts and access)

Not following policies and procedures

Door access codes not changed regularly

Using simple access codes and reusing access codes (1234)

No monitoring of access to secure areas

Unnecessary staff access to secure areas

R10.3 Threats that may cause damage to an Organization

Threats

Cyber security incidents

Facts and figures

Data breaches cost UK enterprises an average of $3.88 million per breach

33% of UK organizations say they lost customers after a data breach. 38% had lost business because of security issues

One small business in the UK is successfully hacked every 19 seconds. Around 65,000 attempts to hack SMBs

4,500 of these attempts were successful. Around 1.6 million of the 5.7 million SMBs in the UK per year

48% of UK organizations were hit by ransomware in the last year, according to Sophos

One in every 3,722 emails in UK is a phishing attempt, according to Symantec

Up to 88% of UK companies have suffered breaches in last 12 months

Hacking

Malware

Distributed denial-of-service (DDoS)

Malicious spam

Denial-of-service (DoS)

Non-technical threats

Botnets

Phishing

Human Error

DDoS

Trojans

Ransomware

SQL injection

Hacking

Keyloggers

Malicious employees

Quora Data Breach

COVID-19 testing delayed after Irish hospital hit by ransomware

AWS DDoS attack in 2020

Nordea Bank incident

LinkedIn data breach

ILOVEYOU virus

7-Eleven breach

DarkHotel

Yahoo departing employee stole trade secrets

R10.1 Types of Confidential Information Stored by Organizations

Human Resources

Commercially sensitive information

Access Information

Information held by HR is confidential, personal and should be stored following legislation guidelines

Information held includes:

Employee salaries and employee perks

Employment data and medical information

Salaries should only be known by employee and HR department

Illegal to pay different salaries based on gender

Data held by HR about salaries will also include national insurance number and tax codes

May include warnings about breaches of policy and disciplinary actions

Medical data will be stored as an employer has a duty of care, where required, to provide adapted equipment and reasonable adaptations

Employment data include start date, qualifications, contact details, emergency contact details etc

Staff may also require time off to attend medical appointments related to any medical conditions

Includes

Profit margins

Contracts

Sales revenue and stakeholder details

Trade secrets and intellectual property (IPA)

Client/customer details

Includes

Important that any access information provided to staff at all levels is kept confidential to maintain the security of the workforce

Email accounts

Multi-factor authentication

Phone numbers

Passwords

Access codes

Many organizations will have a client relationship team that looks after clients, so the team will need to access this information

Customer details relate to those who buy goods or services

May include anyone who interacts with the organization, and should not be accessed by employees

Client details may include individuals, named representatives from different organizations etc.

Information held about customers will include personal details like names, contact details and order history

If the privacy and confidentiality of clients is not maintained, the organization may lose clients and customers, as they expect their data to be safe and secure

Some organizations may have a policy of keeping stakeholders informed about sales numbers, as these have a financial impact

Sales numbers can be used to determine which goods are bought and sold by the organization, e.g. goods with low sales may be reduced in price and not stocked again

Profit margin is the difference between the price paid for goods and the selling price, so when the price of goods is reduced, the profit margin reduces

The profit margin that is set on any goods supplied should be kept confidential

A contract will be in place where goods are bought from a third party

A contract will usually include delivery time, quantity required and price to be paid. Details can be negotiated and should be kept confidential between the two parties

Any breach of this could lead to companies having stronger negotiating power

If the function of the organization is to provide cloud-based services, the software processes used by the organization could be covered by IPA

When an organization sells specific goods, these can be classed as a trade secret, often applying to a patent

IPA covers software processes in addition to patents for tangible items

R10.2 The Principles of CIA/IAAA within digital systems

CIA

A model designed to guide policies for information security within an organization

Confidentiality

Confidentiality measures are designed to prevent sensitive information from unauthorized access attempts

Common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands

Integrity

Involves maintaining the consistency, accuracy and trustworthiness of data over its lifecycle

Data must not be changed in transit; steps must be taken to ensure data cannot be altered by unauthorized people

Availability

Information should be consistently and readily accessible to authorized parties

Involves properly maintaining the hardware, technical infrastructure and systems that hold and display the information

R10.5 Potential impacts of threats and vulnerabilities on organization

Common potential impacts

Corruption of a system or data

Damage to system operations

Overload of system to affect a service

Disclosure of private information and credentials

Unauthorized access to system or service

Unauthorized access to restricted physical environment

Loss of sensitive information

Essential security updates not installed