Security Architecture and Design

profileDivya Reddy
CYBER_503x_Unit_1.pdf

CYBER503x Cybersecurity Risk Management

Unit 1: The Evolving Risk Landscape in Cybersecurity

CYBER 503x Cybersecurity Risk Management | Tong Sun

Basic Terminologies (1)

• Computer Security • Information Security (InfoSec) • Cyber security • IT Security • Privacy

CYBER 503x Cybersecurity Risk Management | Tong Sun

Computer Security

• Measures and controls that ensures: • Confidentiality (C) – authorized access and disclosure • Integrity (I) – proper modification or destruction • Availability (A) – timely and reliable access to and use

• For computer system assets including: • Computing hardware devices, such as server machines, PC,

laptop, tablet, mobile phones; • Network devices, such as router, switch; • Embedded software, firmware and operating systems

CYBER 503x Cybersecurity Risk Management | Tong Sun

Information Security (InfoSec)

• The International Standards Organization (ISO) (2014) defines it as:

• “Preservation of confidentiality, integrity and availability (CIA) of Information.

• In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.”

CYBER 503x Cybersecurity Risk Management | Tong Sun

What is Cybersecurity?

• Many simply defines cybersecurity as a subset of InfoSec since it concerns with the “Information in Cyberspace”.

• But questions are: • What is cyberspace? • What are assets in cyberspace? What about non-information

based assets in cyberspace? • Are there any unique aspects of security in cyberspace? How is

it different from Computer Security and InfoSec?

CYBER 503x Cybersecurity Risk Management | Tong Sun

Cyberspace

• “Cyberspace is a time-dependent set of interconnected information systems and the humans that interact with these systems”. Ottis and Lorents (2010)

• It is a dynamic, evolving, virtual, connected, multilevel ecosystem of physical infrastructure, software, regulations, processes, and interactions influenced by an expanding population of contributors … who represent the range of human intentions.

CYBER 503x Cybersecurity Risk Management | Tong Sun

Assets in Cyberspace

• Information itself • Information infrastructure (e.g. Internet, embedded

software, firmware, communication protocols etc.) • Non-Information assets (physical entities connected on

Internet): • Critical infrastructure: energy grid, water supply, public health,

transportation, telecommunications, financial services, etc. • Internet of Things:

• Connected and self-driving vehicles • Connected medical devices • Connected home automation and entertainment systems

CYBER 503x Cybersecurity Risk Management | Tong Sun

Cybersecurity vs. InfoSec

CYBER 503x Cybersecurity Risk Management | Tong Sun

Connected Digital

Information

Non-Digital or Non-connected

Information

Things Other Than Information

Information Security (InfoSec)

Cyber Security

Cybersecurity vs. Computer Security

CYBER 503x Cybersecurity Risk Management | Tong Sun

Devices in Cyberspace

Devices Not Connected in Cyberspace

Things Other Than Information

Computer Security Cyber Security

IT Security

Digital Information

Non-Digital Information

Things Other Than

Information

Information Security (InfoSec)

Cyber Security

Devices in Cyberspace

Devices Not Connected in

Cyberspace

Computer Security

IT Security

Technical & Operational Aspects

IT Security vs. InfoSec

IT Security • Firewalls • Antivirus • Vulnerability Scans • Penetration Testing • Intrusion Detection • Computer Forensics • Access Control • Network Security • System Monitoring • Patch Management • Encryption

Information Security (InfoSec) • Intellectual property • Regulatory compliance • Business/financial integrity • Insider abuse • Industrial espionage • Data Privacy • Governance • Crisis Management • Business Continuity • Risk analysis • Organizational view

CYBER 503x Cybersecurity Risk Management | Tong Sun

Technology-oriented Business-oriented

Privacy concerns “Personal Information”

CYBER 503x Cybersecurity Risk Management | Tong Sun

Protection of Personal

Information

• Confidentiality • Integrity • Availability

• Collection • Access • Using & • Disclosing • Data quality • Anonymity

Privacy Security

Personal Information

• Anything that establishes a 1-to-1 relationship • “Telephone book” data may not seems to be particularly

“personal” • Unique identifiers: SSN, IP addresses, user names, etc. • Sensitive data such as personal healthcare records, things you

purchased, web site you visited, known your comings & goings, who you associate with, etc.

• Watch out for combinations of “innocuous” data, “87% of the US population are uniquely identified by {DOB, gender, zip code}”

CYBER 503x Cybersecurity Risk Management | Tong Sun

Basic Terminologies (2)

• Asset: any valuable thing in the organization • Vulnerability: any weakness of Asset • Threats/Attacks/Adversaries: The potential for an

actor with a certain motive to exercise a specific vulnerability

• Actor: person, organization, government (nation state) • Motivation: publicity, financial, political/religion • Capability: required knowledge, available tools

• Risk: Vulnerability exposed to Threat impacted Asset • Controls/Safeguards: counter-measures to reduce

Risk

The Illustration

Actor

Motivation

Capability

Asset Threat

Vulnerability

Risk

The Evolving Trends

CYBER 503x Cybersecurity Risk Management | Tong Sun

1990s 2000s 2010s 2020s Offenses

Defenses

• Virus • Worms • Open Nets • Insecure configs

 Anti-Virus  Firewalls  Security guidelines

• Script Kiddies • Client-side attacks • Automated probes/scans • Too many alerts/logs

 SEIM  IDS  Layered

• APTs • DDoS • Botnet • Phishing • Ransomware

 EDR  IdAM

increasing frequency & sophistication; more tools, technical knowledge decreasing

Vulnerability Management

Threat Management

Risk Management

Threats Attacks

Adversaries

Controls Safeguards

Age of “Protection” “Detection” “Response”

The Challenges Ahead:

• Increased external threat • Cyber threats multiplying • Disappearing perimeter • Growing attacking power of cyber criminals

• Increased internal pressure • Lack of agility • Lack of budget • Lack of skills • Human beings are still the weakest links

CYBER 503x Cybersecurity Risk Management | Tong Sun

Top Cyber Threats in 2020s

• The rise of attacks that cause the irreversible harms • The Sony Hack in December 2014, that disclose private and

sensitive information that can’t be pulled back – “confidentiality” under attacked

• Ransomware like WannaCry in May 2017, that encrypted healthcare data and paralyzed operations – “availability” under attacked

• Social engineering will become more prominent • Nearly 50% of alerts and logs never investigated • Dangers from and to the fast emerging AI systems.

CYBER 503x Cybersecurity Risk Management | Tong Sun

2020s: Age of Resilience

• Need solutions directly support: • Recovery • Agility • Usability • Automation • Learnability

CYBER 503x Cybersecurity Risk Management | Tong Sun

How are these “security” solutions?

• Removing Attacker Persistence • Easier or Automated Anomaly Detection • Built-in Visibility • Design usable security to better mitigate social

engineering attack • Learning to adapt to new attacker patterns

CYBER 503x Cybersecurity Risk Management | Tong Sun

The Evolving Trends

CYBER 503x Cybersecurity Risk Management | Tong Sun

1990s 2000s 2010s 2020s Offenses

Defenses

• Virus • Worms • Open Nets • Insecure configs

 Anti-Virus  Firewalls  Security guidelines

• Script Kiddies • Client-side attacks • Automated probes/scans • Too many alerts/logs

 SEIM  IDS  Layered

• APTs • DDoS • Botnet • Phishing • Ransomware

 EDR  IdAM

increasing frequency & sophistication; more tools, technical knowledge decreasing

Vulnerability Management

Threat Management

Risk Management

Threats Attacks

Adversaries

Controls Safeguards

Age of “Protection” “Detection” “Response”

Attacks causing Irreversible harm

Cyber resilience

Unchecked gaps

New threats from/to AI systems

  • CYBER503x�Cybersecurity Risk Management
  • Basic Terminologies (1)
  • Computer Security
  • Information Security (InfoSec)
  • What is Cybersecurity?
  • Cyberspace
  • Assets in Cyberspace
  • Cybersecurity vs. InfoSec
  • Cybersecurity vs. Computer Security
  • IT Security
  • IT Security vs. InfoSec
  • Privacy concerns “Personal Information”
  • Personal Information
  • Basic Terminologies (2)
  • The Illustration
  • The Evolving Trends
  • The Challenges Ahead:
  • Top Cyber Threats in 2020s
  • 2020s: Age of Resilience
  • How are these “security” solutions?
  • The Evolving Trends