Security review - coordinator - important for the final (1) - outputs

Uploaded by abaalgamdi

Week 7

Slides (first: Securing offices and locks)

• A web cache is the temporary storage of web documents, such as
HTML pages, images, and downloads.
• A data cache is the temporary storage of data that has recently been
read and, in some cases, adjacent data areas that are likely to be
accessed next.

Authorizing Entry
• Access control rules should be designed for:
  • Employees
  • Third parties (contractors/partners/vendors)
  • Visitors
• Physical entry/access controls (rules):
  • Authorized users should be authorized prior to gaining access
  to the protected area
  • Visitors should be identified, labeled, and authorized prior to
  gaining access to the protected area

How Is Physical Access Controlled?

• Physical entry and exit controls:
  Depending on the site and the level of security required, available access
  controls (cameras, locks, etc.) can be selected from:
  • Authorizing entry (building access)
  • Securing offices, rooms, and facilities (within the building)
  • Working in secure areas
  • Ensuring clear desks and screens

Week 9

Standard Operating Procedures (SOPs)

• SOPs are detailed explanations of how to perform a task
• SOPs provide standardized direction, improved communication,
reduced training time, and improved work consistency
• Effective SOPs include:
  • Who performs the task
  • What materials are necessary
  • Where the task takes place
  • When the task should be performed
  • How the person is to execute the task

Developing SOPs
• There are four common SOP formats:
  • Simple step
    • Procedure contains fewer than 10 steps
    • Does not involve many decisions
  • Hierarchical/Graphic
    • Procedure contains more than 10 steps
    • Does not involve many decisions
  • Flowchart
    • Procedure can contain any number of steps
    • Involves many decisions
Definition of a security patch:

Why Is Patching Handled Differently?

• A patch is software or code designed to fix a problem
• Applying security patches is the primary method of fixing security
vulnerabilities in software
• Patches need to be applied quickly to prevent attackers from
exploiting code and information
• Patch management is the process of scheduling, testing, approving,
and applying security patches
• Patching can be unpredictable and disruptive
• Users should be notified of potential downtime due to patch installation

Its definition and its steps are very important


Operational Change Control
• Change control:
  • An internal procedure in which authorized changes are made.
  • Managing change allows organizations to be productive
  and spend less time in crisis mode.
  • E.g., an operating system fails to be updated completely to the
  new version, nor is it still the original version; this results in an
  unstable platform hindering the productivity of the entire
  company

Operational Change Control cont.

• The change control process:
  1. Submitting a Request For Change (RFC)
  2. Developing a change control plan
  3. Communicating change
  4. Implementing & monitoring change

Malware Protection
• Malware (malicious software) is designed to:
  • disrupt computer operation
  • gather sensitive information
  • or gain unauthorized access to computer systems and mobile
  devices
• Malware can infect a system by being bundled with other programs
or by self-replicating
• Most malware typically requires user interaction such as:
  • Clicking an email
  • Connecting to the internet
Week 10

What Is Authorization?
• The process of assigning authenticated subjects
permission to carry out a specific operation.
• The authorization model defines how access rights and
permissions are granted.
• Three primary authorization models:
  1. Object capability
    • Used programmatically and based on a combination of an
    unforgeable reference and an operational message
  2. Security labels
    • Mandatory access controls embedded in object and subject
    properties
  3. Access Control Lists
    • Used to determine access based on some criteria such as a
    user ID, group membership, classification, location, address,
    and date
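The following is an added example, not part of the course slides or these notes, showing how an access control list decision is evaluated against the criteria listed above (user ID, group membership, location, time of day) and combined with a mandatory security-label check. The objects, groups, clearance levels and ACL entries are constructed for the example; the default-deny behaviour reflects the "security posture sets the default" idea rather than any particular product.

```python
from datetime import datetime, time

# Ordered sensitivity labels (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Mandatory security labels attached to objects (model 2 in the notes).
OBJECT_LABELS = {"payroll-db": "confidential", "intranet-wiki": "internal"}

# Access control list (model 3): for each object, the entries that grant an
# action, each optionally conditioned on user ID, group, location and hours.
ACL = {
    "payroll-db": [
        {"action": "read", "groups": {"hr", "finance"}, "locations": {"HQ"},
         "hours": (time(8, 0), time(18, 0))},
        {"action": "write", "users": {"u-hr-admin"}, "locations": {"HQ"}},
    ],
    "intranet-wiki": [
        {"action": "read", "groups": {"staff"}},
    ],
}


def make_context(location, hour, minute=0):
    """Build a request context (where and when) at a fixed constructed date."""
    return {"location": location, "when": datetime(2024, 5, 6, hour, minute)}


def entry_matches(entry, subject, action, context):
    """Return True when every criterion present in the ACL entry is satisfied."""
    if entry["action"] != action:
        return False
    if "users" in entry and subject["id"] not in entry["users"]:
        return False
    if "groups" in entry and not (subject["groups"] & entry["groups"]):
        return False
    if "locations" in entry and context["location"] not in entry["locations"]:
        return False
    if "hours" in entry:
        start, end = entry["hours"]
        if not start <= context["when"].time() <= end:
            return False
    return True


def label_permits(subject, obj):
    """Mandatory check: the subject's clearance must dominate the object's label."""
    return LEVELS[subject["clearance"]] >= LEVELS[OBJECT_LABELS[obj]]


def is_authorized(subject, obj, action, context):
    """Default-deny: the label check and at least one ACL entry must both allow."""
    if obj not in OBJECT_LABELS or not label_permits(subject, obj):
        return False
    return any(entry_matches(e, subject, action, context) for e in ACL.get(obj, []))


if __name__ == "__main__":
    alice = {"id": "u-alice", "groups": {"hr", "staff"}, "clearance": "confidential"}
    print(is_authorized(alice, "payroll-db", "read", make_context("HQ", 10)))   # True
    print(is_authorized(alice, "payroll-db", "read", make_context("HQ", 22)))   # False
    print(is_authorized(alice, "payroll-db", "write", make_context("HQ", 10)))  # False
```

The two checks are deliberately independent: a subject with the right group and location is still refused a confidential object when their clearance is only "internal", which is the point of embedding labels in subject and object properties rather than relying on the list alone.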

What Is a Security Posture?

• The security posture of an organization determines
the default settings for access controls

• Network segmentation
  • The process of logically grouping network assets, resources, and
  applications
  • Types of network segmentation:
    • Enclave network
    • Trusted network
    • Semi-trusted network, perimeter network, or DMZ
    • Guest network
    • Untrusted network
Very important
• Intrusion detection systems (IDSs)
  • are passive devices designed to analyze network traffic in order to
  detect unauthorized access or malevolent activity.
  • Most IDSs use multiple methods to detect threats, including
  signature-based detection, anomaly-based detection and stateful
  protocol analysis.
  • If suspicious activity is detected, IDSs generate an onscreen, email,
  and/or text alert.
• Intrusion prevention systems (IPSs)
  • are active devices that sit inline with the traffic flow and can respond to
  identified threats by disabling the connection, dropping the packet, or
  deleting the malicious content
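As an added illustration (not from the slides or any IDS product), the block below runs the two detection methods named above, signature-based and anomaly-based, over a constructed web-access log. The signature, the rate threshold and the log lines are all invented for the example. The IDS function only returns alerts, which is what "passive" means; the separate `ips_block_list` function shows the extra step an inline IPS would take.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed web-access log (not real traffic): timestamp, source, method, path, status.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET /index.html 200
2024-05-01T10:00:01 10.0.0.5 GET /about.html 200
2024-05-01T10:00:02 198.51.100.7 GET /static/../../../etc/passwd 403
2024-05-01T10:00:03 203.0.113.9 GET /a 404
2024-05-01T10:00:03 203.0.113.9 GET /b 404
2024-05-01T10:00:04 203.0.113.9 GET /c 404
2024-05-01T10:00:04 203.0.113.9 GET /d 404
2024-05-01T10:00:05 203.0.113.9 GET /e 404
2024-05-01T10:00:05 203.0.113.9 GET /f 404
2024-05-01T10:00:06 10.0.0.5 GET /contact.html 200
"""

# Signature-based detection: known-bad substrings in the request path.
SIGNATURES = {"path-traversal": "../"}

# Anomaly-based detection: more than RATE_LIMIT requests from one source
# inside a sliding WINDOW is abnormal for this (constructed) site's baseline.
RATE_LIMIT = 5
WINDOW = timedelta(seconds=10)


def parse(log_text):
    """Yield one dict per non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, status = line.split()
        yield {"when": datetime.fromisoformat(ts), "src": src,
               "method": method, "path": path, "status": int(status)}


def detect(log_text):
    """Passive IDS pass: return alerts without touching the traffic."""
    alerts = []
    recent = defaultdict(deque)   # per-source timestamps inside the window
    already_flagged = set()       # one anomaly alert per source
    for event in parse(log_text):
        for name, pattern in SIGNATURES.items():
            if pattern in event["path"]:
                alerts.append({"type": "signature", "rule": name,
                               "src": event["src"], "when": event["when"]})
        window = recent[event["src"]]
        window.append(event["when"])
        while window and event["when"] - window[0] > WINDOW:
            window.popleft()
        if len(window) > RATE_LIMIT and event["src"] not in already_flagged:
            already_flagged.add(event["src"])
            alerts.append({"type": "anomaly", "rule": "request-rate",
                           "src": event["src"], "when": event["when"]})
    return alerts


def ips_block_list(alerts):
    """What an inline IPS would act on: the sources behind the alerts."""
    return {a["src"] for a in alerts}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['when']} {alert['type']:9} {alert['rule']} from {alert['src']}")
```

On the sample log the signature rule fires once (the traversal probe) and the rate rule fires once (six requests from one source within ten seconds); the ordinary browsing from 10.0.0.5 produces nothing, which is the baseline an anomaly detector is tuned against.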

Week 11

• Digital signature:
  • A hash value that has been encrypted with the sender's private key
  • Ensures nonrepudiation and data integrity
  • Does not ensure data confidentiality

What Is SDLC?
• The systems development lifecycle (SDLC) provides a standard
process for any system development
• There are five phases in the SDLC according to NIST:
  1. Initiation phase
    • Establishes the need for a system and documents its purpose
  2. Development/acquisition phase
    • The system is designed, purchased, programmed, or developed
  3. Implementation phase
    • The system is tested and retested, and any modifications are applied until it
    is accepted
  4. Operational phase
    • The system is put into production; this should include monitoring, auditing, and testing
  5. Disposal phase
    • Ensures the orderly termination of the system

• Hashing:
  • The process of creating a numeric value that represents the original
  text
  • It is a one-way process
  • Provides integrity, confidentiality, and authentication
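The following added example (not from the slides) ties the digital-signature definition above to the hashing definition: a SHA-256 digest stands in for the one-way "numeric value that represents the text", and a textbook RSA operation with the private exponent plays the role of "encrypting the hash with the sender's private key". The RSA primes are deliberately tiny so the arithmetic is readable; they are constructed for illustration and unusable as a real key. The message itself is never hidden, which is the "no confidentiality" point.

```python
import hashlib

# Toy RSA key pair, constructed for illustration only: the primes are tiny,
# so this shows the mechanics and protects nothing.
P, Q = 1000003, 999983
N = P * Q
PHI = (P - 1) * (Q - 1)
PUBLIC_EXPONENT = 65537
PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, PHI)   # modular inverse, Python 3.8+


def digest(message: bytes) -> int:
    """One-way step: a fixed-size numeric value representing the text.
    SHA-256 cannot be reversed; the value is reduced mod N to fit the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = PRIVATE_EXPONENT) -> int:
    """Digital signature: the hash value transformed with the sender's private key."""
    return pow(digest(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = PUBLIC_EXPONENT) -> bool:
    """Anyone with the public key recovers the hash and compares it with a fresh one.
    A match shows integrity (text unchanged) and ties the text to the private-key
    holder (nonrepudiation)."""
    return pow(signature, public_exponent, N) == digest(message)


def integrity_matches(message: bytes, expected_digest: int) -> bool:
    """Plain hashing gives integrity: stored digest vs. digest of the data as received."""
    return digest(message) == expected_digest


if __name__ == "__main__":
    message = b"Transfer 100 SAR to account 1234"   # sent in the clear: no confidentiality
    sig = sign(message)
    print("valid signature:", verify(message, sig))
    print("tampered message:", verify(b"Transfer 900 SAR to account 1234", sig))
    print("forged signature:", verify(message, (sig + 1) % N))
```

Two failure cases are worth noticing: changing even one character of the message changes the digest, so the old signature no longer verifies; and altering the signature value itself cannot produce another valid signature for the same digest, because the RSA operation is a permutation of the residues mod N.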

• Containment includes taking the steps necessary to prevent the
incident from spreading and, as much as possible, limit the potential for
further damage.
• Eradication and recovery include the elimination of the components
of the incident (for example, malicious code, compromised passwords),
addressing the vulnerabilities related to the exploit or compromise, and
restoring normal operations.

Incident Severity Levels

• Three severity levels:
  • Level 1
    • Incidents that could cause significant harm
  • Level 2
    • Compromise of or unauthorized access to noncritical systems or
    information
  • Level 3
    • Situations that can be contained and resolved by the information
    system custodian, data/process owner, or HR personnel
• Denial of service (DoS) attacks
  • Prevent or impair the normal authorized functionality of the
  organization's networks, systems, or applications
• Malware
  • Code that is covertly inserted into another program with the intent
  of gaining unauthorized access or causing harm
• Inappropriate usage
  • Occurs when an authorized user performs actions that violate
  company policy, agreement, law, or regulation

Week 12

• Disaster
  • Any event that results in damage or destruction, loss of life, or
  drastic change to the environment
  • A disruption of normal business functions where the expected
  time for returning to normalcy would seriously impact the
  organization's capability to maintain operations, including
  customer commitments and regulatory compliance
  • The cause can be environmental, operational, accidental, or
  willful

Examples:
• Operational issues:
  • include failures or misconfiguration of equipment,
  disruption of communication systems, unavailability of
  third-party systems or personnel, and degradation of
  power.
• Accidents:
  • include nuclear, biological, or hazardous chemical exposure,
  explosions, and user or operator error.
• Willful damage:
  • includes terrorism, sabotage, civil disturbances, war,
  workplace violence, and cybercrime.

A BIA incorporates three metrics:
• The maximum tolerable downtime (MTD) is the total length of
time an essential business function can be unavailable without
causing significant harm to the business.
• The recovery time objective (RTO) is the maximum amount of
time a system resource can be unavailable before there is an
unacceptable impact on other system resources or business
processes.
• The recovery point objective (RPO) represents the point in
time, prior to a disruption or system outage, that data can be
recovered (in other words, the acceptable data loss).
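An added worked example (not from the slides) that puts the three BIA metrics to use. The business functions and their hour values are constructed; the rule that an RTO longer than the MTD is inconsistent, and that the shortest MTD is recovered first, is standard BIA practice rather than something stated on the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    """Recovery objectives for one essential business function (hours)."""
    name: str
    mtd: float   # maximum tolerable downtime
    rto: float   # recovery time objective
    rpo: float   # recovery point objective (acceptable data loss)


def plan_is_consistent(f: BusinessFunction) -> bool:
    """An RTO longer than the MTD restores the system only after the business
    has already suffered significant harm, so the plan is inconsistent."""
    return 0 <= f.rto <= f.mtd and f.rpo >= 0


def assess_outage(f: BusinessFunction, outage_hours: float,
                  hours_since_last_backup: float) -> dict:
    """Compare an actual (or exercised) outage against the BIA metrics."""
    return {
        "rto_met": outage_hours <= f.rto,
        "mtd_exceeded": outage_hours > f.mtd,
        "rpo_met": hours_since_last_backup <= f.rpo,
        "data_loss_hours": hours_since_last_backup,
    }


def recovery_priority(functions):
    """Order functions for recovery: the shortest MTD is restored first."""
    return [f.name for f in sorted(functions, key=lambda f: (f.mtd, f.rto))]


def inconsistent_plans(functions):
    """Names of the functions whose objectives contradict each other."""
    return [f.name for f in functions if not plan_is_consistent(f)]


# Constructed sample BIA, not taken from any real organization.
SAMPLE_BIA = [
    BusinessFunction("email", mtd=48, rto=24, rpo=12),
    BusinessFunction("online payments", mtd=4, rto=2, rpo=0.25),
    BusinessFunction("monthly reporting", mtd=72, rto=96, rpo=24),  # RTO > MTD
]

if __name__ == "__main__":
    print(recovery_priority(SAMPLE_BIA))
    print(inconsistent_plans(SAMPLE_BIA))
    print(assess_outage(SAMPLE_BIA[1], outage_hours=3, hours_since_last_backup=0.5))
```

The RPO also dictates the backup cadence: with an RPO of 15 minutes, a backup that ran 30 minutes before the outage already breaks the objective even if the system comes back inside its RTO.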

Disaster Response Plans

• Addresses what should be done immediately following a significant
incident
• Defines who has the authority to declare a disaster
• Defines who has the authority to contact external entities
• Defines evacuation procedures
• Defines emergency communication & notification procedures
• Upon declaration of a disaster, all BCT members should report to a
designated command and control center
• Occupant Emergency Plan (OEP)
  • Describes evacuation and shelter-in-place procedures in the event
  of a threat or incident to the health and safety of personnel

Disaster Response Plans cont.
• Relocation strategies
  • Hot site
    • Fully operational location with redundant equipment.
    • The data has been streamed to the site on a real-time basis or close
    to real time
  • Warm site
    • Configured to support operations including communications
    capabilities, peripheral devices, power, and HVAC.
    • Spare computers may be located there that then would need to be
    configured in the event of a disaster
    • Data must be restored
  • Cold site
    • Available alternative location
    • Equipped with power, HVAC, and secure access
  • Mobile site
    • Self-contained unit
    • Equipped with the required hardware, software and peripherals
    • Data needs to be restored

Week 13

Who regulates banking and financial
services in Saudi Arabia?
• The Kingdom of Saudi Arabia has two regulators with
responsibility for the authorization and supervision of
banks, insurance companies and other financial
institutions:
  • The Saudi Central Bank (SAMA), formerly known as the Saudi
  Arabian Monetary Agency
  • Capital Market Authority (CMA)

1. Cyber security governance: A governance structure should
be established and endorsed by the board of directors.
6. Cyber security awareness: A cyber security awareness
program should be defined and conducted for staff, third parties
and customers of the Member Organization.

Week 14

Authentication Policy
• Accessing HIE requires unique identification of the individuals,
systems, and organizations.
• Remote access requires multi-factor authentication.
• The user identity, role, and affiliation must be checked for both
revocation and expiration
• Access is denied for revoked or expired identification.
• Inactive sessions should be logged off automatically after no more than
30 minutes.
• Temporary access must be provided in emergency situations to
unauthorized users
• Emergency access requires audits and review

What is HIE?
• The Saudi Health Information Exchange (HIE) is a collection of policies that
regulate and protect the flow of health information.
• The Ministry of Health (MOH) enforces and monitors the HIE policies.
• HIE policies apply to:
  • Participating Healthcare Subscribers (PHCSs)
  • PHCS Business Associates
  • Any subcontractors of Business Associates that perform functions or
  provide services involving the use and disclosure of PHI
  • Any Saudi Health Information Exchange Infrastructure Service
  Provider
  • Any other subcontractors of the Saudi Health Information Exchange

Audit Policy
• All activities related to access, creation, modification and
deletion of electronic PHI should be accurately recorded.
• Logs SHALL be reviewed on a regular basis, at least quarterly.
• Detect improper use based on audit criteria developed in
advance.
• Anomalies SHALL be documented, and appropriate mitigating
actions must be taken and documented.
• Documentation must be retained a minimum of ten years.
• Access to audit logs is restricted to approved privacy and
security officers.
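As an added example covering both the Authentication Policy and the Audit Policy above (it is not MOH or HIE code, and the identity records, the request sequence and the review criteria are constructed), the block below applies the policy rules to a handful of access requests, writes one audit record per decision, enforces the 30-minute idle limit, and then runs the pre-defined audit criteria over the records the way a periodic review would.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=30)   # policy: idle sessions end within 30 minutes

# Constructed identity records: role, affiliation, expiry and revocation status.
IDENTITIES = {
    "dr-salem": {"role": "physician", "affiliation": "PHCS-1",
                 "expires": datetime(2025, 1, 1), "revoked": False},
    "nurse-huda": {"role": "nurse", "affiliation": "PHCS-1",
                   "expires": datetime(2023, 6, 30), "revoked": False},   # expired
    "ext-vendor": {"role": "contractor", "affiliation": "BA-7",
                   "expires": datetime(2026, 1, 1), "revoked": True},     # revoked
}


def clock(hour, minute=0):
    """A timestamp on a fixed constructed date, to keep the scenario readable."""
    return datetime(2024, 5, 6, hour, minute)


def identity_valid(user_id, now):
    """Revocation and expiration are both checked before any access."""
    rec = IDENTITIES.get(user_id)
    return rec is not None and not rec["revoked"] and now < rec["expires"]


def request_access(user_id, now, remote, mfa_passed, audit, emergency=False):
    """Apply the authentication policy and write one audit record per decision."""
    if remote and not mfa_passed:
        decision = "denied: remote access without MFA"
    elif identity_valid(user_id, now):
        decision = "granted"
    elif emergency:
        decision = "granted: emergency access"   # allowed, but must be audited and reviewed
    else:
        decision = "denied: revoked or expired identification"
    audit.append({"when": now, "user": user_id, "decision": decision,
                  "remote": remote, "emergency": emergency})
    return decision.startswith("granted")


def session_still_active(last_activity, now):
    """Inactive sessions are logged off after at most 30 minutes."""
    return now - last_activity <= IDLE_TIMEOUT


def review_audit_log(audit):
    """Periodic review: criteria decided in advance, applied to the recorded entries."""
    findings = []
    for rec in audit:
        if rec["emergency"]:
            findings.append(("emergency access needs review", rec["user"]))
        if rec["decision"].startswith("denied"):
            findings.append(("denied attempt", rec["user"]))
    return findings


def run_scenario():
    """Constructed sequence of access requests followed by the audit review."""
    audit = []
    results = [
        request_access("dr-salem", clock(9, 0), remote=False, mfa_passed=False, audit=audit),
        request_access("dr-salem", clock(9, 5), remote=True, mfa_passed=False, audit=audit),
        request_access("nurse-huda", clock(9, 10), remote=False, mfa_passed=True, audit=audit),
        request_access("ext-vendor", clock(9, 15), remote=False, mfa_passed=True, audit=audit),
        request_access("unknown-id", clock(9, 20), remote=False, mfa_passed=True,
                       audit=audit, emergency=True),
    ]
    return results, audit, review_audit_log(audit)


if __name__ == "__main__":
    results, audit, findings = run_scenario()
    print(results)
    for finding in findings:
        print(*finding)
```

Denied attempts are recorded just as carefully as granted ones; the review criteria are fixed before the log is read, so the same records produce the same findings at every quarterly review.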

Week 15

Protecting Cardholder Data Cont.

• The figure shows the following elements
located on the front of a credit card:
  1. Embedded microchip: contains the
  same information as the magnetic stripe.
  2. Primary account number (PAN).
  3. Expiration date.
  4. Cardholder name.

What Is the PCI DSS Framework?
• The PCI DSS framework includes:
  1. Stipulations regarding storage, transmission, and processing of
  payment card data
  2. Six core principles
  3. Required technical and operational security controls
  4. Testing requirements
  5. Certification process

• The six PCI DSS core principles:
  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

The 12 PCI Top-Level Requirements

• The PCI DSS consists of six core principles, which are
accompanied by the following 12 requirements.
Important, without the details
SAQ categories
• There are five SAQ categories, and the number of questions varies
because the questionnaires are designed to be reflective of the
specific payment card channel and the anticipated scope of the
cardholder environment:
  1. SAQ A (13 questions) is applicable to merchants who retain only paper
  reports or receipts with cardholder data. This would never apply to
  face-to-face merchants.
  2. SAQ P2PE (18 questions) is applicable to merchants who process
  cardholder data only via payment terminals included in a validated and
  PCI SSC-listed Point-to-Point Encryption (P2PE) solution. This would
  never apply to e-commerce merchants. This category was added in June
  2012.
  3. SAQ B (29 questions) is applicable to merchants who process cardholder
  data only via imprint machines or standalone, dial-out terminals. This
  would never apply to e-commerce merchants.
  4. SAQ C-VT (51 questions) is applicable to merchants who process
  cardholder data only via isolated virtual terminals on personal
  computers connected to the Internet. This would never apply to
  e-commerce merchants.
  5. SAQ C (80 questions) is applicable to merchants whose payment
  application systems are connected to the Internet either because the
  payment application system is on a personal computer that is connected
  to the Internet.
• SAQ D (288 questions) is applicable to all other merchants not
included in the descriptions for SAQ types A through C, as well as all
service providers defined by a payment brand as eligible to
complete an SAQ.

• In order to achieve compliance, the response to each
question must either be "yes" or an explanation of a compensating
control.
• If an entity cannot provide affirmative responses, it is still required to
submit an SAQ.
• To complete the validation process, the entity submits the SAQ and an
accompanying Attestation of Compliance stating that it is or is not
compliant with the PCI DSS.
• If the attestation indicates noncompliance, a target date for compliance
along with an action plan needs to be provided.