The document provides an overview of Information Security, emphasizing its importance in protecting information systems from unauthorized access and breaches. It outlines key components such as IT security functions, the roles of various stakeholders, and the implementation of security measures through a structured program. Additionally, it discusses the significance of governance, risk management, and the necessity for organizational commitment to effective information security practices.


CS-205 Handouts

Information Security:
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. (SANS)

IT security is information security applied to technology.

Information Security also covers physical security, human resource security, legal & compliance, organizational, and process-related aspects.

IT Security functions:

Network security
Systems security
Application & database security
Mobile security

InfoSec functions:
Governance
Policies & procedures
Risk management
Performance reviews

Cyber Security:
Precautions taken to guard against unauthorized access to data (in electronic form) or information systems connected to the internet
- Prevention of crime related to the internet

Three pillars of Information Security:
Confidentiality: keeping information secret
Integrity: keeping information in its original form
Availability: keeping information and information systems available for use

Lec 4
Who is information security for?

Personal:
Social media passwords and safe usage
Online banking and email account passwords
Home PC/laptop security
Mobile security

Organizational:
Board and executive leadership (management commitment)
CISO (responsible to drive security program)
IT staff and business users (following information security policies & procedures)

Govt and national:
Law enforcement
Legal and policy making
National database
Critical infrastructure
Regulation
Standards and certification
Capacity-building and coordination

Legal
Technical
Organizational
Capacity building
Cooperation
Pakistan ranked almost at the bottom of the table in the international ranking by ITU
Information security is everyone's responsibility
Pakistan Cyber Security Association (PCSA) formed to address Pakistan's international ranking

Lec 5
How is information security implemented?

Three pillars of information security:
People
Process
Technology

Leadership commitment:
"Tone at the top"
Information security policy and objectives
Assigning responsibility and authority
Resource allocation
Performance reviews
Ensuring accountability

Information Security Manager or CISO:
Heads department responsible for implementing information security program
Directs planning, implementation, measurement, review, and continual improvement of program

IT user:
Understand policies
Conduct security/risk assessment
Design effective security architecture
Develop SOPs and checklists
Implement controls
Report incidents
Conduct effective change management

Business user:
Security awareness and training
Follow information security policy
Develop and implement secure business processes
Role-based access control and periodic reviews
Reporting incidents

Information security program:
Assessing security risks and gaps
Implementing security controls
Monitoring, measurement, & analysis
Management reviews and internal audit
Accreditation/testing

Lec 6
Who are the players in information security?

Government
Industry & sectors
International organizations
Professional associations
Academia and research organizations
Vendors and suppliers

Government:
Policy making
Law enforcement
Legal system
National cyber security strategy and standards
International coordination
Computer Incident Response Team (CIRT)

Industry & sectors:
Financial institutions
Telecoms
Armed forces
Federal and provincial IT boards
Enterprises
Various other sectors (manufacturing, automotive, health, insurance, etc)

International organizations:
APCERT (www.apcert.org)
European Union Agency for Network & Information Security - ENISA (www.enisa.org)
ITU IMPACT (http://www.impact-alliance.org)
https://www.itic.org/dotAsset/c/c/cc91d83a-e8a9-40ac-8d75-0f544ba41a71.pdf

Professional associations:
ISACA (isaca.org)
ISC2 (www.isc2.org)
OWASP (www.owasp.org)
Cloud Security Alliance
Pakistan Cyber Security Association (PCSA)
http://cybersecurityventures.com/cybersecurity-associations/

Academia & research organizations:
Universities and research programs
SANS (www.sans.org)
Center for Internet Security (www.cisecurity.org)

Lec 7
What are the four layers of information security transformation?

1. Security hardening
2. Vulnerability management
3. Security engineering
4. Security governance

1: Security hardening:
- Compile IT assets
- Establish minimum security baseline (MSB)
- Research security controls and benchmarks
- Pilot (test)
- Implement controls
- Monitor and update controls

2: Vulnerability management:
- Purchase internal tool (Nessus, Qualys, etc)
- Conduct vulnerability assessment
- Prioritize and remediate
- Report
- Repeat cycle on a quarterly/monthly basis

3: Security engineering:
- Assess risk profile
- Research security solutions
- Design security architecture
- Implement security controls & solutions
- Test and validate security posture

4: Security governance:
- Policies and procedures
- Risk management
- Core governance activities (change management, incident management, internal audit)
- Training & awareness
- Performance reviews

Lec 8
What is security hardening?
- IT assets (network, systems, applications, databases, mobile, physical security) come with default settings which are not suitable for security
- Security hardening is the process of configuring IT assets to maximize the security of the IT asset and minimize security risks

Security in the "trenches":
- Security at the most fundamental operational layer
- Security where it matters most
- Usually (but not always) involves junior staff who need extra guidance, training, and scrutiny

Why is security hardening the first step in the security transformation model?
- Most basic security settings
- If not adequately addressed here, the rest of the security measures hardly matter

Short example of Cisco router security hardening:
- Remote access through SSH and not through telnet
- Turn off all unused services
- Session timeout and password retry lockout
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
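The three router hardening items above can be checked against a saved running-config before a device goes into production. The script below is an added example written for these notes, not code from the course or from Cisco; the two config fragments are constructed, and the list of "unused" services is an assumption that should follow the organization's own minimum security baseline.

```python
# Constructed sample running-config fragment, not from any real device: it shows the
# three weak settings the hardening list above warns about.
WEAK_CONFIG = """\
hostname edge-rtr
!
service tcp-small-servers
ip http server
!
line vty 0 4
 password cisco123
 login
 transport input telnet ssh
!
"""

# The same fragment after hardening (also constructed for this example).
HARDENED_CONFIG = """\
hostname edge-rtr
!
no ip http server
no service tcp-small-servers
login block-for 120 attempts 3 within 60
!
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
!
"""

# Global IOS services a hardening baseline usually turns off. Which services count as
# "unused" is an assumption for this example; take the real list from the MSB.
UNUSED_SERVICES = (
    "ip http server",
    "service tcp-small-servers",
    "service udp-small-servers",
    "ip finger",
    "ip bootp server",
    "cdp run",
)


def parse_vty_blocks(config):
    """Return [(header, [indented body lines])] for every 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    top_level = {line.strip() for line in config.splitlines() if not line.startswith(" ")}

    # 1. Remote access through SSH only, plus an idle-session timeout, on every vty line
    vtys = parse_vty_blocks(config)
    if not vtys:
        findings.append("no 'line vty' block found; remote access settings cannot be verified")
    for header, body in vtys:
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{header}: 'transport input' not set; set 'transport input ssh' explicitly")
        elif "telnet" in transport.split() or transport.split()[-1] == "all":
            findings.append(f"{header}: '{transport}' permits telnet; use 'transport input ssh'")

        timeout = next((l for l in body if l.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{header}: no explicit 'exec-timeout'; set one per the baseline (e.g. 'exec-timeout 10 0')")
        else:
            parts = timeout.split()[1:]
            minutes = int(parts[0]) if parts else 0
            seconds = int(parts[1]) if len(parts) > 1 else 0
            if minutes == 0 and seconds == 0:  # 'exec-timeout 0 0' means never time out
                findings.append(f"{header}: '{timeout}' disables the idle timeout")

    # 2. Unused services still enabled at global configuration level
    for svc in UNUSED_SERVICES:
        if svc in top_level:
            findings.append(f"unused service enabled: '{svc}'; disable with 'no {svc}'")

    # 3. Password retry lockout after repeated failed logins
    if not any(cmd.startswith("login block-for") for cmd in top_level):
        findings.append("no 'login block-for'; repeated failed logins are never locked out")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```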

Lec 9
What is information security governance?

- Information security governance in simpler terms just means effective management of the security program
- Responsibility for governance is associated with the Board and senior management

IT Governance Institute definition:
"Security governance is the set of responsibilities and practices exercised by the board and executive management, with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

ISO27001:2013 – ISMS (Information Security Management System) is the world's leading and most widely adopted security governance standard.
ISO27001 "provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
- Ten short clauses and a long Annex with 114 controls in 14 groups
- 27000+ certifications globally in 2015

Lec 10
What is the difference between an information security policy, SOP, ...

Policy:
Formal and high-level requirement for securing the organization and its IT assets (mandatory)
https://www.linkedin.com/pulse/20140611162901-223517409-difference-between-guideline-procedure-standard-and-policy
- Scope is across the organization, so it should be brief and focus on desired results
- Signed off by senior management

Procedure / SOP:
- More detailed description of the process; who does what, when, and how
- Scope is predominantly at a department level with a specified audience
- May be signed off by departmental head
https://www.slu.edu/its/policies

Guideline:
- General recommendation or statement of best practice
- Not mandatory
- Further elaborates the related SOP

Standard:
- Specific and mandatory action or rule
- Must include one or more specifications for an IT asset or behavior
- Yardstick to help achieve the policy goals

In practice:
- Policy recommended to be a single document applicable at the organizational level (wide audience)
- Sub-policies may be defined at a departmental level
- Policies and standards are mandatory (exception approval)

Examples:
- Information security policy
- System administrator password sub-policy
- User ID & Access Management SOP
- Vulnerability Management standard
- Social engineering prevention guideline

Lec 11
What is an information security program?

Project definition:
A project has a defined start and end point and specific objectives that, when attained, signify completion.
pmtips.net/blog-new/difference-projects-programmes

Program definition:
A program is defined as a group of related projects managed in a coordinated way to obtain benefits not available from managing the projects individually.

Security program:
Sum-total of all activities planned and executed by the organization to meet its security objectives.
https://www.gartner.com/doc/2708617/information-security-program-management-key

4 Layer Security Transformation Model:
- The 4-layer security transformation model may be implemented as an ideal security program
- After establishing a basic policy, the sequence of the program (steps 1 through 4) is paramount in order to achieve constructive results
Lec 12
- People, process, and technology are together referred to as the Information Security Triad
- All three aspects help to form a holistic view of Information Security
- All three are important and cannot be overlooked in an Information Security program or activity

People:
People must be trained to effectively & correctly follow policies and information security processes, and to implement technology.
Social engineering and phishing are aspects that people must be trained to handle appropriately.

Processes are fundamental to effective information security:
- User access management
- Backups
- Incident management
- Change management
- Vulnerability management
- Risk management

Technology plays a central role in the Information Security program:
- Firewalls
- Antivirus
- Email anti-spam filtering solution
- Web filtering solution
- Data loss prevention (DLP) solution
https://www.rsaconference.com/writable/presentations/file_upload/tech-203.pdf

Lec 13
- The Information Security Manager (Head of Information Security or CISO) is delegated and authorized by senior management to run the Information Security program and meet its objectives.
- The Information Security Manager develops a policy to regulate the Information Security program, which is signed off by senior management.
- Assigned resources and authority to plan, assess, implement, monitor, test, and accredit the Information Security activities.
http://www.shortinfosec.net/2009/11/role-of-information-security-manager.html

InfoSec Manager tasks:
- Develop policy
- Training & awareness
- Design security architecture
- Design security controls
- Ensure controls are implemented
- Conduct risk assessment
- Conduct security testing
- Monitor vulnerability management program
- Facilitate incident management process
- Sign off critical change management activities

Lec 14
Ensure employees are aware of:
- The importance of protecting sensitive information
- What they should do to handle information securely
- Risks of mishandling information
REF: PCI Best Practices For Implementing Security Awareness
https://www.pcisecuritystandards.org/documents/

NIST Special Publication 800-50 (Building An IT Security Awareness & Training Program):
- Awareness
- Training
- Education

Awareness:
- Awareness is not training
- Purpose of awareness is simply to focus attention on security
- Change behavior or reinforce good security practices
REF: NIST SP800-50, page 8

Training:
- "Strives to produce relevant and needed security skills and competencies"
- Seeks to teach skills
- E.g. IT Security course for system administrators covering all security aspects
REF: NIST SP800-50, page 9

Education:
- Integrates all of the skills and competencies into a common body of knowledge
- E.g. a degree program

NIST SP 800-50 implementation steps (figure)

Don'ts:
- Share your password
- Click on suspicious email links
- Install unlicensed software on your PC

Do's:
- Log out when getting up from your system
- Report security incidents
Lec 15
- A standard or framework is a blueprint or roadmap for achieving Information Security objectives.
- Examples are ISO27001:2013 (ISMS), PCI DSS, & COBIT.

ISO27001:2013 (ISMS):
- Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system
- Ten short clauses
- Long annex

ISO27001:2013 mandatory clauses (figure)
ISO27001:2013 discretionary controls (figure)
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

PCI Data Security Standard (DSS):
- Designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment
- Managed by the Security Standards Council
https://www.pcicomplianceguide.org/pci-faqs-2/

PCI DSS:
- SSC is an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB)
- 6 broad goals and 12 requirements
REF: PCI Best Practices For Implementing Security Awareness
https://www.pcisecuritystandards.org/documents/
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

COBIT:
- ISACA framework for IT Governance
- COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use (ISACA)
- COBIT 5 brings together five principles that allow the enterprise to build an effective governance and management framework (ISACA)
- Based on a holistic set of seven enablers that optimises IT investment and use for the benefit of stakeholders (ISACA)
Lec 16
Risk is a fundamental concept that drives all security standards, frameworks, and activities.
In simple terms, Information Security Risk refers to the potential damage or loss that may be caused to an organization in the absence of appropriate controls.

A process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities and loss.
Usually accomplished by ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost.
REF: ISACA CISM MANUAL

Risk is managed so that:
- It does not materially impact the business process in an adverse way
- There is an acceptable level of assurance and predictability of the desired outcomes of any organizational activity
REF: ISACA CISM MANUAL

Risk assessment:
- Foundation for effective risk management
- Solid understanding of the risk universe
- Nature and extent of risk to IT resources and potential impact on the organization's activities
REF: ISACA CISM MANUAL

Challenges with a risk-focused approach:
- In an environment where controls are absent, a risk-based approach may become too academic
- Effort should focus on the 4-Step Security Transformation Framework

Lec 17
What is management commitment?

Management commitment is the expression of the intent, relevant actions, and allocation of sufficient resources to ensure the InfoSec program is properly implemented.

ISO27001:2013 (ISMS) Clause 5.1:
a. Policy and objectives are established (compatible with strategic direction)
b. Integration of ISMS requirements into processes
c. Resources
d. Communicating importance
e. Intended outcomes are achieved
f. Directing and supporting persons
g. Promoting continual improvement
h. Supporting other management roles

"Tone at the top":
- Management closely watches the actions of executive leadership (culture)
- The importance given to InfoSec by the executive leadership becomes the minimum threshold for the rest of the organization

In practice:
- Security policy
- Security responsibility delegated to a head (CISO) or dept
- Security steering committee (board level)
- Quarterly or more frequent management reviews of the information security program
Lec 18
Default organizational perception:
- Security is the responsibility of one person or one department
- Can get away with "security as an after-thought"
- Reactive

Security is everyone's responsibility:
- Management commitment & tone at the top
- Security awareness campaigns/program
- A strong and effective security program
- Allocation of sufficient resources

Security involvement & accountability:
- Effective security implementation should be built into the performance KPIs of key team members (management, technical, business)
- Annual appraisals, security awards and recognition
Security is everyone's responsibility and has to gradually take its place in org culture.

Lec 19
- Fox News video: "World's Biggest Cyber Attacks"
http://video.foxnews.com/v/5435057924001/?#sp=show-clips
- World's Biggest Data Breaches:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Leading global reports:
- Verizon 2017 Data Breach Investigations Report (DBIR)
- Symantec 2017 Internet Security Threat Report (ISTR)
Lec 20
Challenges of IT:
- Complex and difficult to manage
- Under pressure from business groups
- Lack of sufficient competent resources
- Lack of process culture
- IT not aligned to perform diligent security work

Challenges of InfoSec:
- Silos & lack of coherent ownership
- Lot of time & energy wasted in traversing dept boundaries
- Enabling environment for tough security work missing
- Security hardening glaringly absent

Pakistan industry security characteristics:
- Wavering management commitment
- Superficial "dressing" security
- Reactive to regulator audit/compliance mandate
- Industry in denial

InfoSec Transformation Model (figure)
Lec 21
- A cyber attack can have devastating consequences, causing financial loss and disruption of critical infrastructure
- Cyber security has become a key risk factor, putting under threat not only consumer rights protection but also the viability and health of the industry itself

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyber-attacks (Wikipedia).
Industry regulators including banking regulators have taken notice of the risk from cybersecurity and have either begun or are planning to begin to include cybersecurity as an aspect of regulatory examinations (Wikipedia).

Role of regulator in cyber security:
- Regulations, guidelines, and audit
- Engagement of key stakeholders
- Technical and industry expertise
- Regional and international cooperation

Regionally, the most well developed cyber security strategies and frameworks were developed by Singapore (ITU rank # 1), Malaysia (ITU rank # 3), and Oman (ITU rank # 4).

Singapore:
- Cyber Security Agency (2015); strategy, education, outreach, eco-system development
- National Cyber Security Master Plan 2018 (created 2013)
- Cyber Security Strategy (created 2016)

Pakistan; Ministry of IT (MOIT):
- National IT Policy 2016 (draft)
- Digital Pakistan Policy 2017

Pakistan; State Bank of Pakistan (SBP):
- Enterprise Technology Governance & Risk Management Framework for Financial Institutions (30 May 2017)

Pakistan lacks:
- National cyber security strategy
- National cyber security master plan
- National cyber security agency
- National certification & accreditation body
- National Computer Emergency Response Team (CERT)

Lec 22
- Pakistan Electronic Crimes Act (PECA) enacted as late as 2016
- Cyber security strategy, eco-system still missing
- Research program, capacity building, standardization, & certification bodies absent
- Condition of InfoSec in industry largely dismal

Global Cyber Security Index 2017 (ITU):
Pakistan ranked 67th with a score of 0.44/1
Bangladesh ranked 53rd with a score of 0.524/1
India ranked 23rd with a score of 0.683/1
https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf

Pakistan cyber security posture (industry):
- Superficial security
- Reactive
- Emphasis on governance
- Security hardening of IT assets largely absent
- Industry has been in denial for the last decade

Reasons for poor security posture:
- Archaic digitalization and commerce
- Perception that Pakistan is immune
- Lack of awareness and management commitment
- Lack of effective regulations

Changing dynamics (PK):
- Pakistan financial industry rocked by the Bangladesh SWIFT hack, 2016
- WannaCry (May 2017) badly hit several dozen organizations in Pakistan
- Increasing e-commerce, electronic banking

Pakistan needs:
- Necessary measures by the Government in line with what Malaysia and Oman have done for cyber security
- Development of the security eco-system as an enabler in order to drive a strong security posture

Lec 23
- Generally, Pakistan Information Security is one generation behind IT deployment
- The four-layer security transformation model provides the correct sequence and focus in order to address organizational security gaps
1. Security Hardening; security controls on IT assets & process
2. Vulnerability Management; patching
3. Security Engineering; more complex security design & solutions
4. Security Governance; managing the information security program

Solution for strong security posture:
- Management commitment (Board)
- 4-layer transformation model as security program
- Allocation of resources
- Periodic reviews for assessing progress

Don't repeat the same mistakes:
- Too much governance without the underlying security hardening
- Reactive rather than intrinsic
- Lack of resources (10% of what is allocated for IT)
- Management interest

Lec 24
Chapter 2:
Typical Enterprise IT Architecture & Security Overlay
What does a typical enterprise IT network look like?
- Edge router
- NGN FW
- DMZ:
  - Web security GW/Proxy
  - Application security FW
  - Web server
  - Email antispam GW
- IPS & N-DLP
- Distribution switch
- Data center switch & FW
- Access switch
- NAC
- SOC:
  - SIEM
  - VM
  - Other SOC tools
- System AV
- Server HIPS
- UTM
- Mobile device - MDM

Lec 25
Major Components: Enterprise IT Network

Edge router:
- WAN interfaces
- Edge filtering (access lists)
- DDoS protection

NGN FW:
- Capable of APT attack prevention, malware filtering, web security, email security, application bandwidth filtering

DMZ:
- Security zone with placement of published web server, web & email security GWs, app security GW

IPS:
- Intrusion prevention (signature based)
- May be a feature in the NGN-FW

Distribution switch:
- Connectivity to access switches, external exit point (WAN), and DC switch

Data center switch & FW:
- Data center filtering (malware & access-lists)

Access switch:
- User connectivity
- Switchport security & access switch security

NAC:
- Network admission control (IEEE 802.1X)

SIEM:
- Logging & dashboard for events, root cause analysis, event correlation

Vulnerability Manager:
- Vulnerability scanning and asset tracking

System AV:
- Signature-based malware prevention

Server HIPS:
- IPS features for servers, also file integrity checking

UTM:
- Multi-featured NGN FW device

Mobile device – MDM:
- Security features for mobile devices

Lec 26
OSI Security Architecture

- ITU-T X.800, Security Architecture for OSI ('91)
- Defines a technique for defining security requirements, and characterizes the approaches to satisfy those requirements
- Defines security attack, mechanism, and service
http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf
https://cgi.csc.liv.ac.uk/~alexei/COMP522_10/COMP522-SecurityArchitecture_07.pdf

Security attack: an action that compromises the security of information owned by an organization (or person)
- Passive: aims to learn or make use of system information only
- Active: attempts to alter system resources/operation

Security service: a service that ensures adequate security of the system or data transfer
- Authentication
- Access control
- Data confidentiality
- Data integrity
- Non-repudiation
- Availability

Security mechanism:
- Feature designed to detect, prevent, or recover from a security attack
- Cryptography underlies many of the mechanisms

ITU-T X.800, Security Architecture for OSI, dates from 1991.

Lec 27
New IT Frontiers: Cloud, Mobile, Social, IoT

- IT dynamics are changing the way we communicate, work, and live
- These disruptive new IT frontiers have significant security consequences
https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

For cloud, mobile, and IoT security guidance, checklists, and other details visit:
- www.cloudsecurityalliance.org
- www.owasp.org

Useful URLs:
- https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
- https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
- https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf
- https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf
- https://downloads.cloudsecurityalliance.org/assets/research/mobile/MAST_White_Paper.pdf
- https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
- https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/connected-vehicle-security.pdf

Lec 28
Virtualization Environment Security

Cloud Security Alliance: "Best Practices For Mitigating Risks In Virtual Environments" (PDF)
Virtualization security classified into three areas:
- Architectural
- Hypervisor software
- Configuration

Risks:
1. VM sprawl
2. Sensitive data within VM
3. Security of offline and dormant VMs
4. Security of pre-configured (golden image) VMs
5. Lack of visibility into virtual networks

Risk # 1 (VM sprawl):
- Impact: VMs can be created quickly, self-provisioned, or moved between physical servers, avoiding the conventional change management process
- Proliferation of VMs causing performance and security risks
- Controls: policies, procedures and governance of VM lifecycle management
- Control creation, storage and use of VM images with a formal change management process
- Discover VMs & apply security controls
- Controls: keep a small number of identified, good and patched images of a guest operating system separately for fast recovery & restoration of systems

Risk # 2 (Sensitive data within a VM):
- Impact: VM images and snapshots can be copied easily via USB or the console of a hypervisor installed elsewhere
- Controls: encrypt data stored on virtual and cloud servers
- Policies to restrict storage of VM images and snapshots
- Image change management process with approvals
- Logging & monitoring

Lec 32
Structure of an IT Team

- Typical organogram of an IT team
- Job functions
- Additional tasks
- Large sized org
- Medium sized org
- Small sized org

General structure (figure)
Job functions (figure)
Additional tasks (figure)
Large org (150 IT staff) (figure)

- IT teams come in various structures; however, there are set industry best practices and organizations should follow tried & tested best practices
- IT is today an enabler forming the engine for business automation, but it also carries with it security hazards

Lec 33
Objectives, Performance KPIs, Priorities of IT
- IT is a challenging domain which requires skill, experience, structure, and spending to run efficiently
- Business is making steep demands on IT for agile delivery of applications in order to keep up with competition
- Running IT requires a diverse skillset

Primary objective set for IT by management is to:
- Set up the infrastructure with least cost in the minimum time
- Maintain the network with minimum disruption and maximum performance requiring the least resources

Performance KPIs:
- Minimal network disruption
- Timely completion of new projects
- Quick and efficient changes to existing applications (change-requests) to meet business requirements

Priorities of IT:
- To meet the performance KPIs
- To meet ad hoc and unplanned business requirements
Note that security figures nowhere in the objectives, performance KPIs, or priorities of IT teams.

General IT team performance in banking:
- Extremely large number of applications (hundreds) & legacy
- Heavy-weight business teams and IT seen as a cost-center
- Technologists generally poor at banking (business)

General IT team performance in telcos:
- More professional and qualified workforce
- Most telcos have been set up in the last 10 years, so have clean greenfield networks (no legacy)
- Fewer applications; IT supports business

General IT team performance in enterprise:
- Competence and professionalism of IT teams matches the culture of the organization
- IT efficiency driven by top management commitment and interest

Security posture:
- Surprisingly, in 95% of all orgs in Pakistan (all types and sizes), security posture has been found to be deficient
- Lack of awareness in the country has contributed to this deficient and poor security posture
Lec 34
IT Team Interaction With Other Stakeholders
 IT budget/projects approved by IT Steering Committee (annual)
 Business requirements & new projects
 Audit & compliance requirements
 Expansion (branches) & maintenance
 IT support for computing (helpdesk)
 Business continuity & DR
IT budget/projects approved by IT Steering Committee (annual):
 Capex and opex layout
 Includes new projects & licensing / maintenance of operations
 New hirings
Business requirements & new projects:
 New upcoming business projects
 Change requests (CRs) and expansion of existing business projects
 Vendor management for business solutions
 UAT (testing) of business applications
Audit & compliance requirements:

 External audit
 Internal audit
 Compliance
 Information security & risk depts
Expansion (branches) & maintenance:
 IT requirements for business expansion (new branches, new locations, new territories)
 Maintenance of existing IT infrastructure (UPS, networking, bandwidth circuits)
IT support for computing (helpdesk):
 New software and versions rollout (e.g. migration of AV or email program)
 IT support for business functions (application not working, speed slow, etc)
 Software bugs
Business continuity & DR:
 DR is a technology function for which interaction with business functions is required
(testing)
 Business continuity is handled under business operations for which IT also participates

Lec 35
Security Overlay Of Enterprise (Part 1)

How is the enterprise secured with the help of various components and security design?

Lec 38
•What is high availability (HA)?
–High availability of a system or component means it sustains a high level of operational performance (uptime) over a given period of time
•High availability is a design strategy; fault tolerance is one technique used to achieve it
•Fault tolerance refers to a system designed in such a way that when one component fails, a redundant component takes over operations immediately so that service is not lost
•High availability is designed in at the following levels:
–System level (data center or service)
–Device level (within a single device, e.g. redundant power supplies or disks)
–Device level (combination of multiple redundant devices, e.g. an HA pair or cluster)
–Alternate site level
•High availability and fault tolerance:
–Designed to minimize downtime with the help of redundant components
•Disaster recovery:
–A pre-planned approach for re-establishing IT functions at an alternate site

Lec 39
•Three types of redundant site models:
•Hot site
•Cold site
•Warm site

•Hot site (expensive):
–Mirror of the primary data center
–Populated with servers, cooling, power, and office space
–Running concurrently with the main/primary data center (synchronizing)
–Minimal impact at failover

•Cold site (cheapest):
–Office or data center space without any server-related equipment installed
–Power, cooling and office space only
–Servers/equipment must be brought in and built in the event of primary site failure (longest recovery time)

•Warm site (middle ground):
–Middle ground between a hot site and a cold site
–Some pre-installed server hardware (ready for installation of production environments)
–Requires engineering support to activate

•RTO (Recovery Time Objective):
–The maximum amount of time, following a disaster, that an organization may take to recover systems from backup storage and resume normal operations (the maximum downtime the organization can tolerate)

•RPO (Recovery Point Objective):
–The maximum age of the data that an organization must be able to recover from backup storage for normal operations to resume after a disaster (i.e. the maximum acceptable data loss, which sets the maximum interval between backups)

•Example:
–If an organization has an RTO of two hours, it cannot be down for longer than that.
–If an organization has an RPO of four hours, the system must be backed up at least every four hours.
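To make the RTO/RPO definitions concrete, here is an added worked example (not from the handouts) that checks a constructed backup job log against a 4-hour RPO and a recovery timeline against a 2-hour RTO. The log format, timestamps and targets are assumptions. The point it shows is that a single failed backup run silently doubles the effective gap between good backups, so the schedule no longer meets the RPO even though the RTO is met.

```python
"""Check a backup history and a recovery timeline against RPO and RTO targets.

Added example, not from the course handouts. The log format and the
timestamps below are constructed for the demo.
"""
from datetime import datetime, timedelta

# Constructed backup job log: timestamp, job id, status. The 08:00 run failed.
BACKUP_LOG = """\
2024-03-01T00:00:00 db-full ok
2024-03-01T04:00:00 db-incr ok
2024-03-01T08:00:00 db-incr FAILED
2024-03-01T12:00:00 db-incr ok
2024-03-01T16:00:00 db-incr ok
"""


def parse_log(text: str) -> list:
    """Return timestamps of successful backups, in order; failed runs protect nothing."""
    good = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _job, status = line.split()
        if status == "ok":
            good.append(datetime.fromisoformat(ts))
    return good


def worst_gap(successes: list) -> timedelta:
    """Largest interval between consecutive successful backups; must not exceed the RPO."""
    gaps = [later - earlier for earlier, later in zip(successes, successes[1:])]
    return max(gaps) if gaps else timedelta(0)


def rpo_exposure(successes: list, disaster_at: datetime) -> timedelta:
    """Data actually lost if disaster strikes at disaster_at: age of the newest good backup."""
    prior = [t for t in successes if t <= disaster_at]
    if not prior:
        raise ValueError("no successful backup before the disaster")
    return disaster_at - max(prior)


def check_rpo(successes: list, rpo: timedelta, disaster_at: datetime) -> dict:
    gap = worst_gap(successes)
    exposure = rpo_exposure(successes, disaster_at)
    return {
        "worst_gap_hours": gap.total_seconds() / 3600,
        "exposure_hours": exposure.total_seconds() / 3600,
        "schedule_meets_rpo": gap <= rpo,
        "incident_within_rpo": exposure <= rpo,
    }


def check_rto(disaster_at: datetime, restored_at: datetime, rto: timedelta) -> dict:
    downtime = restored_at - disaster_at
    return {"downtime_hours": downtime.total_seconds() / 3600, "within_rto": downtime <= rto}


def demo() -> dict:
    """Disaster at 11:30 with RPO 4h / RTO 2h; service restored at 13:30."""
    successes = parse_log(BACKUP_LOG)
    disaster = datetime.fromisoformat("2024-03-01T11:30:00")
    restored = datetime.fromisoformat("2024-03-01T13:30:00")
    return {
        "rpo": check_rpo(successes, timedelta(hours=4), disaster),
        "rto": check_rto(disaster, restored, timedelta(hours=2)),
    }


if __name__ == "__main__":
    print(demo())
```

The schedule is nominally every four hours, but because the 08:00 job failed the newest good backup at 11:30 is the 04:00 one, so 7.5 hours of data would be lost; this is why the backup checker role below matters, not just the schedule.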

Lec

•Backup considerations:
–What to back up?
–Backup location?
–Frequency of backup?
–Backup operator?
–Backup checker (verification)?
–Backup test & security methods?
–Technology & tools used for backup?
•What to back up?
–Network configuration files
–OS backups
–Database & application data
–Other critical data

•Backup location ?
–Onsite for faster recovery
–Offsite for DR purposes
–Intermediate site (secondary site) as a middle-ground

•Backup frequency?
–Depends entirely on the criticality of the data, the nature of the information being backed up (how frequently does it change?), the storage space available, and the overall backup plan
•Backup operator and checker?
–Backups should ideally be automated
–The operator should ensure that backups have actually taken place
–A separate verifier should sign off that the check has been made

•Backup testing & security considerations:
–Backup testing (trial restores) should be performed on a periodic basis, more frequently than the DR drill (e.g. DR drill once a quarter, restore test once a month)
–Encryption & compression
•Backup tools and technology:
–Consider NAS, SAN, and direct-attached SCSI/IDE/SATA drives as backup targets
–Various tools and technologies perform full, differential, and incremental backups
–Encryption
–Access control
–Alerts & reporting
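As an added illustration of the full, differential and incremental backup types mentioned above (this is example code, not from the handouts or any backup product), the block below takes content snapshots of a directory, writes the three kinds of backup set, restores each chain into a fresh directory and verifies the result against the source the way a backup checker would. The directory layout and the change sequence are constructed for the demo.

```python
"""Full, differential and incremental backups of a directory, plus a restore test.

Added example, not from the course handouts. The source tree, the change
sequence and the snapshot format are constructed for the demo; production
backups go through a backup tool, but the restore-chain logic is the same.
"""
import hashlib
import os
import shutil
import tempfile


def snapshot(src: str) -> dict:
    """Map {relative path: sha256} for every file under src; used to detect changes."""
    state = {}
    for dirpath, _, files in os.walk(src):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                state[os.path.relpath(full, src)] = hashlib.sha256(f.read()).hexdigest()
    return state


def backup(src: str, dest: str, baseline=None) -> dict:
    """Copy files whose content differs from baseline (every file when baseline is None).

    Full backup: baseline=None. Differential: baseline = snapshot of the last FULL backup.
    Incremental: baseline = snapshot returned by the most recent backup of any kind.
    Returns the snapshot of src at backup time, to be used as the next baseline."""
    os.makedirs(dest, exist_ok=True)
    current = snapshot(src)
    for rel, digest in current.items():
        if baseline is None or baseline.get(rel) != digest:
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(src, rel), target)
    return current


def restore(chain: list, dest: str) -> None:
    """Replay backup sets oldest to newest; a newer copy of a path overwrites the older one."""
    for backup_dir in chain:
        for dirpath, _, files in os.walk(backup_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                target = os.path.join(dest, os.path.relpath(full, backup_dir))
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)


def demo() -> dict:
    """Constructed history: full backup, two days of changes, then restore tests."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(os.path.join(src, "etc"))

        def write(rel, data):
            with open(os.path.join(src, rel), "w") as f:
                f.write(data)

        def path(name):
            return os.path.join(root, name)

        write("etc/app.conf", "v1")
        write("etc/db.conf", "v1")
        write("notes.txt", "v1")
        full_snap = backup(src, path("full"))                  # day 0: full backup

        write("etc/app.conf", "v2")                             # day 1 change
        incr1_snap = backup(src, path("incr1"), full_snap)      # incremental since day 0

        write("notes.txt", "v2")                                # day 2 change
        backup(src, path("incr2"), incr1_snap)                  # incremental since day 1
        backup(src, path("diff2"), full_snap)                   # differential since the full

        expected = snapshot(src)
        restore([path("full"), path("incr1"), path("incr2")], path("r_incr"))
        restore([path("full"), path("diff2")], path("r_diff"))
        restore([path("full"), path("incr2")], path("r_broken"))  # incr1 lost: chain broken
        return {
            "incr2_files": sorted(snapshot(path("incr2"))),
            "diff2_files": sorted(snapshot(path("diff2"))),
            "incremental_chain_ok": snapshot(path("r_incr")) == expected,
            "differential_ok": snapshot(path("r_diff")) == expected,
            "skipping_incr1_ok": snapshot(path("r_broken")) == expected,
        }


if __name__ == "__main__":
    print(demo())
```

The demo shows the trade-off directly: the day-2 incremental holds only one file while the differential holds everything changed since the full, and losing one incremental from the chain makes the restore silently wrong, which is exactly what periodic restore tests are meant to catch.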

Lec 43

•Typical security tools used in an enterprise:
–Enterprise antivirus
–MS Active Directory (AD)
–Vulnerability manager
–Log management
–Network & performance monitoring
–Automated backups
–Microsoft Windows Server Update Services (WSUS) & SCM/SCCM
–Asset management software
–Trouble-ticket system
–SIEM
–DLP
–Encryption software
–2FA
•Lots of tools are available
•People, process, technology

Lec 44
•“Box Security” refers to a prevalent approach in the industry, especially in larger organizations
in which the solution for every security challenge is in the form of a “box” or device
•Box for :
–Email security
–Web security
–FW
–IPS
–APT attack prevention
–DDOS prevention
–Network DLP
–Network Forensics
–Others

•Security is a combination of people, process, and technology
•Industry observation: most devices are not used to their full capability or capacity after purchase
•Case in point: SIEM solutions or database security solutions
•"Box security" is not a silver bullet
•Although many devices and boxes are required, on their own they do not ensure a good security posture
•This approach is unfortunately promoted by many vendors who have equipment to sell
•Consider organizational maturity & readiness before buying

•Other challenges with the "box security" approach:
–Shortage of staff (IT & security)
–Training and skill required to operate the sophisticated devices and their features
•Device objectives and a high-level design (HLD) should be planned prior to commissioning
•The minimum operational baseline and configuration should be documented in an SOP
•Device feature-set and configuration audits should be conducted on a periodic basis (annually)
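One way to carry out the configuration audit in the last bullet is to express the SOP baseline as required and forbidden patterns and run them over the exported device configuration. The block below is an added example, not from the handouts: the baseline rules and the firewall-style configuration text are constructed for the demo and do not follow any vendor's real syntax.

```python
"""Audit a device configuration against a documented minimum baseline.

Added example, not from the course handouts. The baseline rules and the
firewall-style configuration are constructed; a real SOP carries the
vendor's actual command syntax.
"""
import re

# Constructed baseline: (rule id, required?, regex, rationale).
# required=True  -> at least one config line must match
# required=False -> no config line may match
BASELINE = [
    ("B1", True,  r"^logging host \S+",                        "events must be forwarded to the SIEM"),
    ("B2", True,  r"^ntp server \S+",                          "timestamps are unusable without NTP"),
    ("B3", True,  r"^ip ssh version 2$",                       "SSHv1 is insecure"),
    ("B4", False, r"^(ip http server|telnet enable)",          "plaintext management must be off"),
    ("B5", False, r"^snmp-server community (public|private)\b", "default SNMP community strings"),
    ("B6", True,  r"^ips signature-set ",                      "IPS feature was purchased but never enabled"),
]

# Constructed running config from a "box" whose IPS feature was never switched on.
RUNNING_CONFIG = """\
hostname edge-fw-01
logging host 10.0.5.20
ntp server 10.0.5.10
ip ssh version 2
ip http server
snmp-server community public RO
"""


def audit_config(config: str, baseline=BASELINE) -> list:
    """Return findings: required patterns that are absent, forbidden patterns that are present."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    for rule_id, required, pattern, why in baseline:
        rx = re.compile(pattern)
        hits = [line for line in lines if rx.search(line)]
        if required and not hits:
            findings.append({"rule": rule_id, "type": "missing", "why": why})
        elif not required and hits:
            findings.append({"rule": rule_id, "type": "forbidden", "lines": hits, "why": why})
    return findings


def is_compliant(config: str, baseline=BASELINE) -> bool:
    return not audit_config(config, baseline)


if __name__ == "__main__":
    for finding in audit_config(RUNNING_CONFIG):
        print(finding)
```

Run against the constructed config this reports the HTTP server and default SNMP string as forbidden and the IPS signature set as missing; checking the same rules on every device export each audit cycle turns the annual "feature set and configuration audit" into a repeatable comparison against the SOP rather than a manual read-through.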

Lec 48
•What is a disaster?
–Any significant event that causes disruption of information technology processing facilities, thus affecting the operations of the business

•What is disaster recovery (DR)?
–DR is the area of security that allows an organization to maintain or quickly resume mission-critical (IT) functions following a disaster
•What could cause the invocation of a failover to the DR site?
–Natural disasters such as flood, earthquake, lightning, storm
–Disasters caused by human actions such as riot, fire, terrorist act, etc.
•What is the difference between DR and business continuity (BC)?
–DR is an IT function, whereas business continuity addresses keeping all essential aspects of a business functioning despite disruptive events (DR is a part of BC)

•Three step process:
–Failover to the DR site (DR invocation)
–Restoration of the services/facilities at the primary site
–Recovery (switchover back to the primary site)
•What is a DR plan?
–A documented, structured approach to dealing with unplanned incidents
•DR plan checklist:
–Scope of the activity
–Gathering relevant network infrastructure documents
–Identifying the most serious threats and vulnerabilities, and the most critical assets
–Identifying current DR strategies
–Identifying the emergency response team
–Management review & approval of the DR plan
–Testing the plan (drill)
–Updating the plan
–Implementing a DR plan audit
•Sample DR plan template:
–http://www.it.miami.edu/_assets/pdf/security/ITPol_A135-Disaster%20Recovery%20Plan%20Example%202.pdf

•What is business continuity?
–Business Continuity (BC) is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident (Source: ISO 22301:2012)

•What is business continuity management?
–A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities (Source: ISO 22301:2012)

•What is a BC plan?
–A document that consists of the critical information an organization needs to continue operating during an unplanned event
–The BCP should state the essential functions of the business, identify which systems and processes must be sustained, and detail how to maintain them. It should take into account any possible business disruption.

Lec 52
•What is an IT asset?
–An IT asset is any resource such as hardware, software, information, human resource, or facility owned or utilized by the organization for IT processing
•Asset owner: the person in the organization responsible for managing an asset (e.g. the custodian of a laptop)
•Risk owner: manages the risks associated with the IT asset; is authorized to make decisions about managing those risks, and is in a management position

•Acceptable use (of IT assets) policies cover:
–Laptops
–Mobiles
–Web browsing
–Email usage
–Servers
–Company data
