Security Architecture and Design
CYBER503x Cybersecurity Risk Management
Unit 1: The Evolving Risk Landscape in Cybersecurity
CYBER 503x Cybersecurity Risk Management | Tong Sun
Basic Terminologies (1)
• Computer Security • Information Security (InfoSec) • Cyber security • IT Security • Privacy
CYBER 503x Cybersecurity Risk Management | Tong Sun
Computer Security
• Measures and controls that ensures: • Confidentiality (C) – authorized access and disclosure • Integrity (I) – proper modification or destruction • Availability (A) – timely and reliable access to and use
• For computer system assets including: • Computing hardware devices, such as server machines, PC,
laptop, tablet, mobile phones; • Network devices, such as router, switch; • Embedded software, firmware and operating systems
CYBER 503x Cybersecurity Risk Management | Tong Sun
Information Security (InfoSec)
• The International Standards Organization (ISO) (2014) defines it as:
• “Preservation of confidentiality, integrity and availability (CIA) of Information.
• In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.”
CYBER 503x Cybersecurity Risk Management | Tong Sun
What is Cybersecurity?
• Many simply defines cybersecurity as a subset of InfoSec since it concerns with the “Information in Cyberspace”.
• But questions are: • What is cyberspace? • What are assets in cyberspace? What about non-information
based assets in cyberspace? • Are there any unique aspects of security in cyberspace? How is
it different from Computer Security and InfoSec?
CYBER 503x Cybersecurity Risk Management | Tong Sun
Cyberspace
• “Cyberspace is a time-dependent set of interconnected information systems and the humans that interact with these systems”. Ottis and Lorents (2010)
• It is a dynamic, evolving, virtual, connected, multilevel ecosystem of physical infrastructure, software, regulations, processes, and interactions influenced by an expanding population of contributors … who represent the range of human intentions.
CYBER 503x Cybersecurity Risk Management | Tong Sun
Assets in Cyberspace
• Information itself • Information infrastructure (e.g. Internet, embedded
software, firmware, communication protocols etc.) • Non-Information assets (physical entities connected on
Internet): • Critical infrastructure: energy grid, water supply, public health,
transportation, telecommunications, financial services, etc. • Internet of Things:
• Connected and self-driving vehicles • Connected medical devices • Connected home automation and entertainment systems
CYBER 503x Cybersecurity Risk Management | Tong Sun
Cybersecurity vs. InfoSec
CYBER 503x Cybersecurity Risk Management | Tong Sun
Connected Digital
Information
Non-Digital or Non-connected
Information
Things Other Than Information
Information Security (InfoSec)
Cyber Security
Cybersecurity vs. Computer Security
CYBER 503x Cybersecurity Risk Management | Tong Sun
Devices in Cyberspace
Devices Not Connected in Cyberspace
Things Other Than Information
Computer Security Cyber Security
IT Security
Digital Information
Non-Digital Information
Things Other Than
Information
Information Security (InfoSec)
Cyber Security
Devices in Cyberspace
Devices Not Connected in
Cyberspace
Computer Security
IT Security
Technical & Operational Aspects
IT Security vs. InfoSec
IT Security • Firewalls • Antivirus • Vulnerability Scans • Penetration Testing • Intrusion Detection • Computer Forensics • Access Control • Network Security • System Monitoring • Patch Management • Encryption
Information Security (InfoSec) • Intellectual property • Regulatory compliance • Business/financial integrity • Insider abuse • Industrial espionage • Data Privacy • Governance • Crisis Management • Business Continuity • Risk analysis • Organizational view
CYBER 503x Cybersecurity Risk Management | Tong Sun
Technology-oriented Business-oriented
Privacy concerns “Personal Information”
CYBER 503x Cybersecurity Risk Management | Tong Sun
Protection of Personal
Information
• Confidentiality • Integrity • Availability
• Collection • Access • Using & • Disclosing • Data quality • Anonymity
Privacy Security
Personal Information
• Anything that establishes a 1-to-1 relationship • “Telephone book” data may not seems to be particularly
“personal” • Unique identifiers: SSN, IP addresses, user names, etc. • Sensitive data such as personal healthcare records, things you
purchased, web site you visited, known your comings & goings, who you associate with, etc.
• Watch out for combinations of “innocuous” data, “87% of the US population are uniquely identified by {DOB, gender, zip code}”
CYBER 503x Cybersecurity Risk Management | Tong Sun
Basic Terminologies (2)
• Asset: any valuable thing in the organization • Vulnerability: any weakness of Asset • Threats/Attacks/Adversaries: The potential for an
actor with a certain motive to exercise a specific vulnerability
• Actor: person, organization, government (nation state) • Motivation: publicity, financial, political/religion • Capability: required knowledge, available tools
• Risk: Vulnerability exposed to Threat impacted Asset • Controls/Safeguards: counter-measures to reduce
Risk
The Illustration
Actor
Motivation
Capability
Asset Threat
Vulnerability
Risk
The Evolving Trends
CYBER 503x Cybersecurity Risk Management | Tong Sun
1990s 2000s 2010s 2020s Offenses
Defenses
• Virus • Worms • Open Nets • Insecure configs
Anti-Virus Firewalls Security guidelines
• Script Kiddies • Client-side attacks • Automated probes/scans • Too many alerts/logs
SEIM IDS Layered
• APTs • DDoS • Botnet • Phishing • Ransomware
EDR IdAM
increasing frequency & sophistication; more tools, technical knowledge decreasing
Vulnerability Management
Threat Management
Risk Management
Threats Attacks
Adversaries
Controls Safeguards
Age of “Protection” “Detection” “Response”
The Challenges Ahead:
• Increased external threat • Cyber threats multiplying • Disappearing perimeter • Growing attacking power of cyber criminals
• Increased internal pressure • Lack of agility • Lack of budget • Lack of skills • Human beings are still the weakest links
CYBER 503x Cybersecurity Risk Management | Tong Sun
Top Cyber Threats in 2020s
• The rise of attacks that cause the irreversible harms • The Sony Hack in December 2014, that disclose private and
sensitive information that can’t be pulled back – “confidentiality” under attacked
• Ransomware like WannaCry in May 2017, that encrypted healthcare data and paralyzed operations – “availability” under attacked
• Social engineering will become more prominent • Nearly 50% of alerts and logs never investigated • Dangers from and to the fast emerging AI systems.
CYBER 503x Cybersecurity Risk Management | Tong Sun
2020s: Age of Resilience
• Need solutions directly support: • Recovery • Agility • Usability • Automation • Learnability
CYBER 503x Cybersecurity Risk Management | Tong Sun
How are these “security” solutions?
• Removing Attacker Persistence • Easier or Automated Anomaly Detection • Built-in Visibility • Design usable security to better mitigate social
engineering attack • Learning to adapt to new attacker patterns
CYBER 503x Cybersecurity Risk Management | Tong Sun
The Evolving Trends
CYBER 503x Cybersecurity Risk Management | Tong Sun
1990s 2000s 2010s 2020s Offenses
Defenses
• Virus • Worms • Open Nets • Insecure configs
Anti-Virus Firewalls Security guidelines
• Script Kiddies • Client-side attacks • Automated probes/scans • Too many alerts/logs
SEIM IDS Layered
• APTs • DDoS • Botnet • Phishing • Ransomware
EDR IdAM
increasing frequency & sophistication; more tools, technical knowledge decreasing
Vulnerability Management
Threat Management
Risk Management
Threats Attacks
Adversaries
Controls Safeguards
Age of “Protection” “Detection” “Response”
Attacks causing Irreversible harm
Cyber resilience
Unchecked gaps
New threats from/to AI systems
- CYBER503x�Cybersecurity Risk Management
- Basic Terminologies (1)
- Computer Security
- Information Security (InfoSec)
- What is Cybersecurity?
- Cyberspace
- Assets in Cyberspace
- Cybersecurity vs. InfoSec
- Cybersecurity vs. Computer Security
- IT Security
- IT Security vs. InfoSec
- Privacy concerns “Personal Information”
- Personal Information
- Basic Terminologies (2)
- The Illustration
- The Evolving Trends
- The Challenges Ahead:
- Top Cyber Threats in 2020s
- 2020s: Age of Resilience
- How are these “security” solutions?
- The Evolving Trends