Securing the Organization’s IT Assets Amidst COVID-19

Photo by Edward Jenner on Pexels.com

How should organizations conduct operations during a pandemic? How should they secure their IT assets while doing so? Big multinational companies have Business Continuity Plans (BCP) that assist them in times of lockdowns, quarantines, or any other disruption to normal business activities. However, a lot of companies were caught off-guard and were not able to transition smoothly to “quarantine mode.”

How organizations are affected by COVID-19

According to an April 2020 report from Accenture on the effects of COVID-19 on organizations, there are significant impacts on system resilience and business continuity from a technology perspective. In a survey they conducted in 2019 on system resilience, only 10% of the 8,300 respondents said that their technology is resilient. They summarized the effects on IT under four headings: business continuity risks, a surge in transaction volumes, workforce productivity challenges, and security risks.

Common cybersecurity issues faced

Phishing, scams, malware, and unknowingly visiting malicious or bogus sites are the common cybersecurity issues organizations have faced during the pandemic. Attacks on NASA have been reported consistently since the spread of COVID-19. Local banks like BPI have issued memos warning customers of phishing attacks that spoof BPI’s online platforms. Google reported 18 million COVID-19-related malware detections in a single week. Trend Micro also reported a surge in COVID-19-themed attacks ranging from spam and malware to malicious domains. Worse, unscrupulous individuals host COVID-19 case trackers laced with malware so that visitors are infected simply by visiting.

The following are the major cybersecurity issues organizations face:

  • Increased number of phishing and malware attacks that use COVID-19 as bait or theme.
  • Increased cybersecurity risk because employees are working from home environments that IT has a hard time managing; at the same time, support for the company network is reduced because of reduced IT staffing.
  • Remote work / work-from-home security issues.

Cybersecurity defense against attacks

SANS has created the SANS Security Awareness Deployment Guide, which is very useful for organizations and employees in this time of reduced IT staff and widespread work from home. It contains all the materials that organizations will need, such as templates, fact sheets, posters, and messaging for employees. It even has short, informative learning videos covering a wide range of topics: social engineering, securing your home, and working remotely.

It is alarming to note as well that a lot of the big multinational companies mentioned in the introduction, whose technology and security maturity are both top of the line, still suffer a lot of cybersecurity attacks such as phishing and malware. They have the best industry-grade anti-malware with many advanced features, encryption at the hard-drive level, and other security tools. But as we say in security, the technology is only as strong as the weakest link, which is the people. We have to emphasize the need for consistent and periodic security awareness training for employees, especially now that the IT/Security team has a limited view of the organization’s assets.

It is also important that the IT/Security team is accessible not only for support but also for security incidents. Attacks can be well planned and can target specific people in the organization. Reporting security incidents promptly helps the IT/Security team respond quickly and communicate with stakeholders to prevent others from being victimized.

There also have to be clear guidelines and policies for employees. Remote work is a different and new environment that may need further, detailed guidance. For example, should users be allowed to connect to public Wi-Fi, or only to their home network? If they are only allowed to use their home network, what configuration is required on it? A clear policy or guideline will be very helpful.

Management support is also of utmost importance. Quick and immediate approval of policies/guidelines is necessary for this volatile time. Budget is also a key element especially when you need to procure additional security software licenses. Management can provide both approval and budget.

The following are some of the security issues that need to be discussed with employees to take note of:

Social Engineering – Phishing, spear phishing, vishing, CEO fraud, and USB drops are some of the non-technical attacks that can target your organization. Employees must be trained on how to spot these attacks and report them immediately to the IT/Security team. Usual tells include a strong sense of urgency, pressure to violate a policy, a generic e-mail, a brief message, and the use of a personal e-mail address.
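As an added example (not code from the original post), the Python script below turns the tells listed above into a small triage check that an IT/Security team could run over reported messages. The organization domain example.com, the executive name in the directory, the keyword lists, and both sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this illustration: the organization's mail domain and a
# short directory of executives whose names are commonly impersonated.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"maria santos"}                       # constructed name
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENCY = re.compile(r"\b(urgent|immediately|right now|within the hour|asap|today only)\b", re.I)
POLICY_BYPASS = re.compile(
    r"\b(skip|bypass|don't (?:tell|inform|involve)|keep this (?:between|confidential)|"
    r"no need to (?:verify|check)|without (?:approval|the usual))\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear (?:customer|user|employee|sir/madam)|hello,|hi,)", re.I | re.M)

def score_message(raw: str) -> dict:
    """Apply the social-engineering tells to one raw RFC 5322 message; return what was found."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    reasons = []
    if sender_domain in PERSONAL_MAIL_DOMAINS:
        reasons.append("sender uses a personal e-mail domain")
    if display_name.strip().lower() in EXECUTIVES and sender_domain != ORG_DOMAIN:
        reasons.append("display name impersonates an executive from an external address")
    if URGENCY.search(text):
        reasons.append("strong sense of urgency")
    if POLICY_BYPASS.search(text):
        reasons.append("pressure to bypass a policy or control")
    if GENERIC_GREETING.search(body):
        reasons.append("generic greeting")
    if len(body.split()) < 40:
        reasons.append("unusually brief message")
    score = len(reasons)
    return {"score": score, "reasons": reasons,
            "verdict": "report to IT/Security" if score >= 2 else "looks ordinary"}

# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: Maria Santos <maria.santos.ceo@gmail.com>
To: staff@example.com
Subject: Urgent request

Hi,
I need you to buy gift cards right now for a client. Keep this between us, no need to verify with finance.
Send the codes asap.
"""

ORDINARY_SAMPLE = """\
From: Jose Reyes <jose.reyes@example.com>
To: staff@example.com
Subject: Q3 security awareness schedule

Good morning team,

Attached is the schedule for the third-quarter security awareness sessions. Please review it and send me
any conflicts by the end of next week so we can adjust the room bookings. Sessions run 45 minutes each
and attendance will be recorded through the usual learning portal; nothing else is required from you.

Thanks,
Jose
"""

if __name__ == "__main__":
    for label, sample in (("phishing sample", PHISHING_SAMPLE), ("ordinary sample", ORDINARY_SAMPLE)):
        result = score_message(sample)
        print(f"{label}: {result['verdict']} (score {result['score']}) {result['reasons']}")
```

The checks are deliberately simple heuristics: they are meant to explain to employees why a message looks suspicious, not to replace a mail gateway, and any hit should still end in a report to the IT/Security team rather than a local decision.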

Passwords – Since passwords are the most common type of authentication, certain best practices have to be observed so that attackers will have a hard time accessing your account. The use of passphrases, unique passwords for different accounts, password managers (see LastPass and KeePass), and multi-factor authentication (MFA) (see Google Authenticator and LastPass Authenticator) are the best practices for building a layered defense around your passwords.
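The authenticator apps named above generate time-based one-time passwords. As an added example that goes beyond the post (this is not the post’s own code, nor Google’s or LastPass’s), the Python below implements the TOTP algorithm of RFC 6238 on top of HOTP (RFC 4226) with only the standard library, and shows how a server would verify a code with a small drift window and a constant-time comparison. The issuer name ExampleCorp and the 20-byte secret size are assumptions; the test key is the one published in RFC 4226/6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # low nibble of the last byte
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(key, int(at_time) // step, digits)

def verify_totp(key: bytes, code: str, at_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(key, c, digits), code)
               for c in range(counter - window, counter + window + 1))

def provision_secret(account: str, issuer: str = "ExampleCorp"):
    """Enrolment: generate a fresh secret and the otpauth URI an authenticator app scans as a QR code.
    Store the raw key server-side like a password hash: never log it or e-mail it."""
    key = secrets.token_bytes(20)                               # 160-bit secret (assumed size)
    b32 = base64.b32encode(key).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits={6}&period={30}")
    return key, uri

if __name__ == "__main__":
    key, uri = provision_secret("alice@example.com")
    print("enrol this in the authenticator app:", uri)
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "accepted:", verify_totp(key, code, at_time=now))
```

A real deployment also remembers the last counter that was accepted for each user and refuses a second use of the same code, so that a code observed over someone’s shoulder cannot be replayed within the window.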

Updated Systems – From your router to your laptops and mobile devices all the way to the applications, you need to ensure that they are always up to date. A lot of successful attacks exploit vulnerable systems that have not been updated. Enable automatic updating.

Backups – Another important practice is to back up your files routinely. The IT/Security team plans for worst-case scenarios such as your workstation being infected by ransomware or the device being lost. Aside from wiping the contents of the device, you want to retrieve the information in it. That’s where backups play a vital role.

VPN – In some organizations, confidential company data must remain in the trusted (company) network. But since a lot of employees are working from home, a secure way of getting access to company data stored internally is through a Virtual Private Network (VPN).

Device Misuse – Another important practice is to use company-issued devices for work only. A lot of malware nowadays comes from social networking platforms through third-party ads, hoaxes, etc. It is important to remove that risk by not using the device for personal use. At the same time, company resources should not be accessed on a personal device, where they may be accidentally shared or retained unknowingly. Lastly, children, relatives, and guests should not be allowed to use company-issued devices.

The new normal in the time of pandemic forces businesses to make drastic and rapid changes to their day-to-day operations. While the initial move of a lot of organizations was to relax security so that business continuity would not be hindered, security mechanisms must be restored, reconfigured, and recalibrated so that they fit the organization’s current setup.

Here is the slide deck on Securing the Organization’s Assets Amidst COVID-19 v1.0. Feel free to use it to help inform more people on how to secure their respective organizations.

Lesson 10: What are Security Services and Mechanisms?

Photo Credit: George Becker from https://www.pexels.com/

In the usual scenario, companies are more reactive than proactive with regard to security. Due to the perception that IT, which includes cybersecurity, is a cost center, procuring technologies may not be appealing to management unless a security incident occurs. In Lesson 6, we discussed the value of the CISO in aligning the company’s strategy with the controls needed to ensure protection.

Coming from a technical security background, you would like to have the best tools and software available. But remember, management sees them as a cost without a visible return on investment, since they are for internal use. The list of inconvenient truths below will help technical security personnel understand why sometimes (or maybe most of the time) the tools we want are not approved.

The Cybersecurity Inconvenient Truths

  • You cannot protect everything from everyone.

If we list all the potential threats that an organization can face, the list will be very long: DDoS, malware, incompetence resulting in loss of data, ransomware, corporate spies, etc. Since the list of threats is very long, there are a lot of security controls that we have to put in place. Unfortunately, we don’t have the means to prevent or mitigate all of these threats.

  • There are not enough resources and money in the world to totally mitigate all risks.

As a corollary to the discussion of management’s perception of IT and cybersecurity, the team’s budget is limited. If resources are limited, we can only do what we can within the budget. And that leads to the next inconvenient truth.

  • Focus on protecting the most important information first, that which must be protected, and that with the highest risk.

Since we cannot protect everything and we have a limited budget, the goal is to prioritize the threats with the highest risk and severity. That way, you are able to cover the majority of the security incidents in the organization.

This activity of prioritizing the controls based on the risk-rating is called Risk Assessment. We will have another discussion about it in another lesson.

Security Services and Security Mechanisms

To properly align the organization’s strategy with the cybersecurity team’s goals, we have to define the security services and mechanisms. Security services express how the organization’s objectives are manifested in security terms. Security mechanisms, on the other hand, are the specific solutions that we can implement in the organization.

See example below:

We conduct risk assessment first before we can come up with the Security Services and Mechanisms.

  • Goal: The organization wants to focus on physical security
  • Security Services: (1) Personnel security; (2) Access control
  • Security Mechanisms: (1) Security clearance, training, rules of behavior; (2) Biometrics, proximity cards, mantraps

What industry do you think will have this type of security goal?

It can probably be a bank or a law enforcement (government) office.

It is important to determine the organization’s security services and mechanisms so that the cybersecurity team will also have a level of expectation on the types of controls and tasks that they will be doing.

So the next time you think about a cybersecurity project, revisit the team’s defined security services and mechanisms and check whether the project is aligned with them. Otherwise, you will have to let it go so you don’t waste your time and effort.

Lesson 9: How a Court Decision Changed Privacy Laws in the World

Privacy as a concept is subjective because of factors such as culture and beliefs. For example, the Japanese can see each other naked in an onsen, which is culturally normal to them. However, it is taboo to do the same in the Philippines, where seeing other people naked can be considered a breach of their privacy.

On the other hand, part of Filipino culture is hospitality, which to some extent involves caring and oversharing. Some Filipinos tend to ask too personal questions even if they have just met the person. For the Japanese, this may be breaching their personal privacy.

A universally acceptable definition of privacy could be: “Any information that an individual wants to protect from becoming public knowledge.” Do you agree?

There are different philosophical viewpoints of privacy described in Muzamil Riffat’s paper entitled, “Legal Aspects of Privacy and Security: A Case-Study of Apple versus FBI Arguments.” For this article, however, we will only be focusing on one viewpoint, which is the Privacy Right in the United States. 

Fourth Amendment in the US Constitution

The Fourth Amendment primarily focuses on the protection of the people against illegal searches and seizures by the government. The Fourth Amendment states: “The right of the people to be secure in their persons, houses, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”.

The amendment applies to government searches and seizures only. The important questions about the provision are: 1) What constitutes an unreasonable action? (People are protected from “unreasonable” searches.) 2) What is probable cause? (A warrant can only be granted if there is “probable cause.”)

Katz vs. United States (1967)

One of the landmark cases that helped define the scope of the Fourth Amendment is Katz v. United States (1967). To summarize the case, the FBI eavesdropped on Charles Katz’s phone conversations in a telephone booth on suspicion that he was giving gambling information to clients in other states.

The question was whether Katz was protected by the Fourth Amendment against the FBI eavesdropping on his conversation in a public phone booth without a search warrant.

The Supreme Court voted 7-1 in favor of Katz. According to Justice Potter Stewart, “The Fourth Amendment protects people, not places.” The court ruling extended the Fourth Amendment protection beyond homes and properties.

Justice John Marshall Harlan II, in a concurring opinion, interpreted the law by proposing a two-part test: 1) that a person has exhibited an actual expectation of privacy; and 2) that the expectation is one that society is prepared to recognize as “reasonable.”

The “Katz Test” has been used in thousands of cases related to privacy especially related to communication, media, and the use of advanced devices.

Although it was a triumph for Charles Katz, it also opened many opportunities for criminals to carry out malicious activities and later claim the protection of the Fourth Amendment.

Photo Credit: Stock Photo from Pexels.com

Further Reading:

  1. Legal Aspects of Privacy and Security: A Case-Study of Apple versus FBI Arguments, Muzamil Riffat, SANS
  2. Katz v. United States, 389 U.S. 347 (1967), Justia US Supreme Court
  3. Katz v. United States, Oyez
  4. Katz v. United States, Legal Information Institute, Cornell Law School
  5. Katz v. United States, Wikipedia

Lesson 8: What are the challenges in responding to cybercrimes?

Photo by Martin Lopez from Pexels

Cybercrimes are criminal activities punishable by law that are carried out using a computer or the Internet. They range from identity theft, vandalism or defacement of websites, and scams to large-scale Distributed Denial of Service (DDoS) attacks.

Sample real-life cybercrimes are listed in the further reading below.

Types of Cybercrimes

Primarily, whether as an investigator or as a responder, you need to be able to determine the type of cybercrime committed. This is important so that you can determine the correct technical and legal response to the incident.

  1. Computer-assisted crime (source) – Computer is the enabler in the commission of the crime. (Ex. Stealing of credit card information through sniffing or phishing)
  2. Computer-targeted crime (destination) – Computer is the primary target of the crime. (Ex. Denial of Service attacks)
  3. Computer-incidental crime (indirect) – The involvement of the computer is secondary but important to the commission of the crime. (Ex. Child pornography stored on a computer. The emphasis is on child: pornography is legal in many places, but child pornography is NOT.)

Issues on Investigating and Resolving Cybercrimes

For developing countries like the Philippines, the government’s cybersecurity infrastructure for combating cybercrime is far from mature. But even the developed and well-funded cybersecurity programs of advanced countries still face issues in investigating cybercrimes. The significant ones are listed below:

  • Difficult to equate physical and logical assets.

The common misconception is that people don’t equate physical money with virtual money simply because the latter is not tangible. The P1 million in a bag is perceived as really one million. But transferring P1 million online is perceived as just sending bits and bytes through a web application. Due to this perception, cybercrimes are not treated as seriously as physical crimes.

  • Cyber-law environment has not been fully defined by courts.

For developing countries like the Philippines, cyber-law is not yet fully defined by the courts because the basic principles of proving innocence or guilt are different in the cyber world. For instance, the common way of proving innocence is to present evidence and witnesses showing that you were not at the crime scene when the crime happened. However, you can be in the Philippines when you launch an attack in China. It will be hard for lawyers and courts to interrogate further without proper knowledge of IT.

  • Cybercrime spreads globally.

Why do you think that, even though there are laws prohibiting torrent (P2P) sites that share pirated films and software, there are still a lot of torrent sites online? Many countries have laws against piracy, but many others don’t. Due to jurisdiction issues, our government cannot control everything on the Internet, especially content that is not hosted in our own country.

  • Cyber laws are highly technical

To explain Denial-of-Service (DoS) attacks, you need to be able to explain the purpose of port numbers, the OSI model, TCP, and UDP, to name a few. The technical aspect of cybercrime adds to the challenge of making the courts understand how an incident happened. It is not only the technical knowledge that is crucial but also the ability to explain it in layman’s terms, which is the usual problem in the IT industry (being techy but having a hard time explaining it to normal people).

These are some of the issues when investigating cybercrimes. The bottom line is that cybersecurity professionals need to be involved in the legal aspects of creating and implementing cybercrime laws. Lawyers may be good at putting into words how crimes work but they need expert inputs to ensure that all aspects are covered. On another angle, the need for cybersecurity professionals’ involvement shows the demand for the profession in the industry.

Further reading:

  1. Cybercrimes up by 80% in 2018 (Philippine Star, March 2019)
  2. Online child abuse top cybercrime in Philippines (Philippine Star, April 2019)
  3. That Insane, $81M Bangladesh Bank Heist? Here’s What We Know (Wired, May 2016)
  4. Equifax Data Breach Settlement (Federal Trade Commission, January 2020)

Lesson 7: Why HR Policies complement Information Security

The perception of most employees of both the HR and Cybersecurity departments is that they exist to look for mistakes and punish you. Some say that HR is the principal’s office, while the Cybersecurity team is the surveillance arm. Indeed, most of the time during investigations, the cybersecurity team becomes the expert witness that helps either acquit or punish the employee. (This will be discussed in another lesson.)

There is truth in the perception and the claim. To add to that, a lot of the policies in organizational security (discussed in Lesson 6) overlap with HR. This means that the policy was created either by HR or by both the HR and Cybersecurity teams. For example, the Acceptable Use Policy (AUP) outlines the expected behavior of an employee in the organization. Part of the AUP is the Internet Usage Policy (IUP), along with other policies related to the acceptable use of company-issued assets such as laptops and mobile phones, to name a few. These policies are created and monitored by the cybersecurity team. The AUP is usually signed by the employee together with his/her job offer or contract prior to onboarding.

Without explicitly contributing to information security, HR has thereby created an administrative-deterrent control (administrative because it is a policy; deterrent because it discourages people from violating the rules).

Other HR policies that help information security are background checks (an administrative-preventive control), which verify that you are good not only on your CV, and mandatory vacations (an administrative-detective control), which let the company check and audit whether you are doing something outside your job description while you are not present in the office.

During operations, HR may have its own independent and confidential tasks. But its role is significant in providing a sound and mature information security environment in the organization.

Photo Credit: “21 Times Michael Scott’s Hatred For Toby Flenderson Was Out Of Control” https://www.buzzfeed.com/chelseabrown/jerkyjerkface

Lesson 6: Organizational Security

Coming from a technical team, organizational security might be seen as a domain that only focuses on paper-based policies (sometimes, just copy-paste templated policies), budgets and risk assessment results. There’s also a gap between highly technical security members who have been doing hands-on security and those management guys who may have their MBAs but whose background is not even in IT. However, it is important to emphasize that technical security needs organizational security to exist and vice versa.

In big organizations, a separate C-level position is appointed for cybersecurity. The Chief Information Security Officer (CISO) is responsible for the overall cybersecurity operations of the organization. He/she usually reports to the Chief Information Officer (CIO) or the Chief Technology Officer (CTO).

What does it mean to have a CISO? 

The CISO will have a seat and a say at the management level, whether in the ManCom (Management Committee) or the ExeCom (Executive Committee). He/she will be able to provide insights and expert opinions regarding the organization’s cybersecurity posture vis-à-vis the organization’s business strategy. It is very important to have a person who can voice, and be heard on, what the technical members think is the best security for the organization. Without a CISO, it may be difficult for management to understand expensive spending on cybersecurity tools. You might be defending a multi-million-peso Unified Threat Management (UTM) firewall, and management will only see it as an additional cost. Since management does not understand the value of the UTM firewall, they decide instead to provide a budget for a home firewall. It’s also a firewall, but way cheaper!

Also, the CISO is ultimately accountable if any security incident happens in the organization.

The Governance Team

Aside from the Technical Team, the Governance Team also reports to the CISO, but it focuses on organizational security. It primarily drafts the policies that the organization must follow. These policies include, but are not limited to:

  • Password Policy
  • Time of Day Restrictions
  • Classification of Information
  • Acceptable Use Policy (AUP)
  • Internet Use Policy (IUP)
  • E-mail Usage Policy (EUP)
  • Disposal and Destruction
  • Privacy Policy

They also align with the Technical Team on how they can properly articulate the security requirements in the policy. On the other end, they are also responsible for making sure that these policies are understood by the stakeholders very well.

For more details about policies and policy templates, I highly recommend you visit SANS.org. They have a ton of templates and guides on how to create, modify and implement security policies. Here is the link: https://www.sans.org/security-resources/policies/

Photo Credit: Structuring the Chief Information Security Officer Organization by Allen, J. et al, Software Engineering Institute (SEI), Carnegie Mellon University

Further Reading:

Structuring the Chief Information Security Officer Organization by Allen, J. et al (2015) Retrieved from:
https://resources.sei.cmu.edu/asset_files/TechnicalNote/2015_004_001_446198.pdf

Machine Project in Infosec

Objectives

■To configure and implement an open-source security tool.

■To simulate a real-world attack scenario where the security tool can be used.

■To show how to configure necessary functionalities of the security tool.

Tasks

■Each group will be assigned a specific security tool. Each group will research the topic and download an open-source version of the tool.

■The group can use a recommended tool or look for a preferred application as long as it is open source.

■The group will configure and deploy a working prototype and simulate the functionalities of the tool with the prescribed test/s in a lab environment.

■The group will demonstrate the output in the 12th week of the term.

Tools

■Network Firewall (pfSense)

■NIDS- Network Intrusion Detection System (Snort)

■HIDS- Host Intrusion Detection System (OSSEC)

■WAF- Web Application Firewall (IronBee)

■Honeypot (Honeyd)

■DLP- Data Loss Prevention (OpenDLP)

■Anti Spam (SpamAssassin)

Tests

Tool – Test

■Firewall – Allow/block a website based on IP/hostname; allow/block a website based on category

■NIDS – Detect a port scan; detect a backdoor connection

■HIDS – Detect a keylogger; detect a port scan

■WAF – Prevent a SQLi attack; prevent a port scan

■Honeypot – Log a port scan to the server; log remote access to the server

■DLP – Prevent sending of e-mail based on message content; prevent sending of e-mail based on file type

■Anti-Spam – Detect spam based on message content; detect spam based on quantity
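Three of the tests above (NIDS, HIDS, and honeypot) come down to recognising a port scan in connection logs. As an added example that is not part of the course material, and not the detection logic of Snort, OSSEC, or Honeyd, the Python below shows the classic rule those tools apply: one source touching many distinct destination ports within a short window. The log line format, the addresses, and the sample traffic are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed (constructed) log format, one connection attempt per line:
#   <ISO-8601 timestamp> <pass|block> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(r"^(\S+) (pass|block) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_line(line: str):
    """Return one event dict, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, _sport, dst, dport = m.groups()
    return {"time": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}

def detect_port_scans(lines, window_seconds: int = 10, min_ports: int = 10) -> dict:
    """Flag each source that touches at least `min_ports` distinct (dst, port) pairs
    within any `window_seconds` span. Returns {src: max distinct pairs seen in one window}."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["time"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    alerts = {}
    for src, evs in per_src.items():
        window = deque()             # events currently inside the sliding time window
        targets = defaultdict(int)   # (dst, dport) -> number of events inside the window
        for e in evs:
            window.append(e)
            targets[(e["dst"], e["dport"])] += 1
            # Drop events that fell out of the window and forget pairs no longer present.
            while (e["time"] - window[0]["time"]).total_seconds() > window_seconds:
                old = window.popleft()
                key = (old["dst"], old["dport"])
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
            if len(targets) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

def build_sample_log():
    """Constructed sample: one scanner and one ordinary client, both talking to 10.0.0.10."""
    lines = []
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                  443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080, 8443]
    for i, port in enumerate(scan_ports):        # 20 distinct ports in 4 seconds: a scan
        lines.append(f"2024-05-01T10:00:{i // 5:02d} block tcp 10.0.0.5:{51000 + i} -> 10.0.0.10:{port}")
    for i in range(12):                          # normal client: HTTPS every 5 s, one HTTP hit
        lines.append(f"2024-05-01T10:00:{i * 5:02d} pass tcp 10.0.0.7:{40000 + i} -> 10.0.0.10:443")
    lines.append("2024-05-01T10:00:30 pass tcp 10.0.0.7:40100 -> 10.0.0.10:80")
    return lines

if __name__ == "__main__":
    for src, n in detect_port_scans(build_sample_log()).items():
        print(f"ALERT possible port scan from {src}: {n} distinct ports within 10 s")
```

The threshold and window are the knobs a student tunes in the lab: too low and a busy legitimate client trips the rule, too high and a slow scan spread over minutes is missed, which is why the test above is only passed once the group can show both a detection and the absence of false alarms on normal traffic.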

Milestones

■Week 3 – Finalization of security tool

■Week 6 – Security tool configured

■Weeks 7 to 10 – Testing

■Week 12/13 – Project Demo + Documentation Submission

Deliverables & Grading

■Working prototype 40%

■Tests completed 40%

■Documentation 20%

Paper Format

■Abstract – Summary of your project

■Introduction – Discuss what the tool is all about

■Results and Discussion – Discuss the tests done (include screen shots)

■Conclusion – Lessons learned

Sample Projects:

Video Links

IDS – SnortV1, SnortV2, SnortV3

Honeypot – Honeybot, KFSensor

Firewall – pfSense

Documentation

NIDS (Snort, Snorby and Barnyard Installation & Configuration) – comsecinstallation

HIDS (OSSEC Installation, Configuration & Testing) – USER MANUAL OF OSSEC

SPAM Filter (MailWasher) – INFOSEC_MachineProject_MailWasher

Honeypot (Honeybot) – INFOSEC_MachineProject_Honeypot

Research Paper on Emerging Technologies

Introduction

A case study will be held as an academic symposium during midterms week to discuss various emerging technologies in the field of information security. Each group will be tasked to research a specified topic, explore it, and answer key issues about the subject.

As its culminating activity, an academic paper in the required format will be submitted, and a 15-minute presentation will be delivered to classmates and special faculty and industry guests. A question-and-answer session will follow the presentation.

Topics

  1. Security in Social Networking Sites
    1. Cite current issues pertaining to crimes/violations on social networking sites. Describe the usual scenarios.
    2. Show some statistics on social-networking-related crimes.
    3. What actions have social networking organizations and government agencies taken?
    4. How do you see the future of social networking sites? Future attacks and remedies?
  2. Mobile Malware
    1. Can mobile devices get infected by malware?
    2. Cite news about devices getting infected. What happens to these devices?
    3. Show statistics on mobile malware.
    4. Is there an initiative from AV companies and government about it?
    5. How do you prevent mobile devices from getting infected?
  3. Business Continuity Planning (BCP) for Disaster Prone Areas
    1. Cite news of business disruption due to a disaster and its effects on the business.
    2. Show statistics of business losses due to either natural or man-made disasters.
    3. Are there initiatives/laws that require businesses to have a BCP?
    4. Discuss usual business continuity planning and disaster management and recovery plans.
    5. Discuss any standard/template regarding BCP.
  4. Internet Surveillance
    1. Is Internet surveillance possible?
    2. What are the ways to conduct Internet surveillance?
    3. What are the limitations of current security capabilities?
    4. What are the solutions to existing Internet surveillance?
  5. Cybercrime Laws and Issues (choose scope)
    1. Discuss current cybercrime laws (if there are any).
    2. Discuss issues that warrant cybercrime laws. Prove that there is a need for these laws.
    3. Discuss the limitations and/or threats of these cybercrime laws.
    4. Discuss whether there is a need for more laws.
  6. Security in Automated Controlled Vehicles
    1. What are automated controlled vehicles?
    2. Why is there a need for automated controlled vehicles?
    3. Research companies that are utilizing these types of vehicles.
    4. Research news that shows threats to automated controlled vehicles.
    5. Discuss solutions for automated controlled vehicles.
  7. Drones
    1. History of the implementation of drones.
    2. News and developments on drones.
    3. What are the positive and negative issues (factual) on drones?
    4. Do drones bypass due process?
    5. Do drones violate privacy and freedom?

Grading

The Case Study is 10% of your final grade.

Group Grade is 70% (to be given by the professor)

Individual Grade is 30% (to be given by the group leader; leader gets 100% in the individual grade)

Criteria

Content (Paper) – 50%

Is the paper complete and comprehensive?

Mastery – 30%

Is the group knowledgeable on the topic?

Did the group have the ability to analyze related real-world problems?

Did the group answer the related questions?

Delivery – 10%

Did the group communicate the message properly?

Presentation – 10%

Did the presentation contain creative and comprehensible visuals?

Required Sections in the Paper

Section – Description

Abstract – Your abstract is a summary of your case study of at most 200 words. It briefly describes your topic and what you intend to research further. You are establishing the boundaries of your study in the abstract.

Introduction – The introduction is an overview of the topic of at most 300 words. This means you need to discuss the current technology of your topic. Discuss the features, benefits, and limitations of the current technology.

Problem Statement – Based on your introduction, you have to establish your problem statement. What are the problems or issues that the current technology is facing? State them piece by piece and justify why each has to be resolved.

Results and Discussion – Research and establish the solutions for the problems found in the problem statement. Explain the processes and procedures of the solutions that you recommend and how they can be carried out.

Conclusion and Recommendation – Provide a conclusion of the case study that you have conducted. Based on your study, will your solutions be helpful in resolving the issues in the problem statement? Give recommendations that can be further investigated and researched in the future to strengthen your study. Make sure the recommendation is outside the scope of your study.

References – List all the references for your case study. You need to follow the IEEE reference format. For your guidance, you need to have at least:

Five (5) technical references related to the topic (journal, scientific publication, conference proceeding)

Five (5) news article references related to the topic (newspaper, magazine)

Three (3) books related to the topic.

Note: Never plagiarize. It’s equivalent to cheating.

Format of paper: MSW_A4_format

For the presentation:
1. Create a presentation of your paper. It should be a summary of all sections: Abstract, Introduction, Problem Statement, Discussion, Conclusion.
2. Follow the 6×6 rule. Each slide should have a maximum of 6 bullet points with maximum of 6 words per bullet point.
3. Use interesting font/colors. Use images that will help explain your paper.
4. Everybody should have a part in the presentation.
5. You have 15 minutes to present your paper followed by Q&A.
6. Wear business attire for the presentation.

Deliverable:
1. Send a PDF copy of your final paper and PPT presentation to justinp@apc.edu.ph & pineda.justin@rocketmail.com with the subject line: Case Study Final Deliverable – (Case topic) by Group (Group Name)
2. Print a hard copy of the paper.
3. Submit (1) & (2) requirements before the class.

Sample papers:

On Social Networking: Online Peers Can Mean Offline Perils, Online Peers Can Mean Offline Perils-Presentation

On Mobile Malware: Prevalence of Malware in Mobiles (1), Prevalence of Malware in Mobiles

On Internet Surveillance: Internet Surveilance by Team ZAFT_present, Internet Surveilance by Team ZAFT draft 4

On Social Networking: Using Facebook in TOR, INFOSEC PDF

On Internet Surveillance: Internet Surveillance

On Drones: Drones Case Study (1), Drones

On Cybercrime Law: Revised-Cybercrime

On Mobile Malware: Mobile-Malware-A-Case-Study-in-Information-Security-1

Lesson 5: Social Engineering

When I studied for and took EC-Council’s Certified Ethical Hacker (CEH) in 2013, I learned a very important lesson: even if you follow the hacking methodologies, it has only a 10% success rate. This lesson, on the other hand, has a 90% success rate. In gist: why would you spend a lot of time brute-forcing a password when you can just ask for it? That’s social engineering.

Social Engineering is an attempt to gain information from a victim or target through manipulation and deceit. The attacker attempts to gain the victim’s trust then exploits the emotions of the latter.

Note: There is a reading I wrote in 2011 that is relevant to this lesson. Copies will be/are given during class.

Why is Social Engineering very successful?

In the past lessons, we studied Defense in Depth. This means that at every layer of security, there should be protection. In Network Security, for instance, you may deploy and implement a firewall. The firewall has its limitations, but it will strictly enforce whatever rules are written in the ACL. If it says allow web traffic, it will allow web traffic. If it says deny FTP traffic, then it will deny FTP traffic.

Problems arise when humans intervene. Let’s say a school enforces a “No ID, No Entry” policy. All students are required to wear their ID upon entering the school. One day, one student forgot to bring his ID, but the guard still allowed him to enter because they’re friends. Is it correct for a guard to make exceptions even if there’s an explicit ID policy? What if the said student brought his friends? Will the guard still allow it because they’re friends?

Humans or wetware are the weakest link in the security chain because they simply make a lot of exceptions. That’s why the human vulnerability is a weakness that no patch can perfectly fix.

Ethics: Social Engineering in Penetration Testing

In penetration testing, a third party service provider actively tests the security solutions implemented in the network. Active testing means exploiting discovered weaknesses in security. One of the tests is the social engineering test. In this case, the pen tester tries to bypass security through social engineering.

For example, the company security policy requires the use of a badge/ID to enter the office. The pen tester carries a lot of heavy things so that the guard helps him instead of asking for the ID. The pen tester successfully enters the facility with the guard as an accessory to the crime. After the pen test, the guard is terminated for abandonment of duty during the test.

It is the job of the pen tester to lure people into breaking the policy. The targets, out of goodwill, will help them. But in the end, they will be terminated. Is that ethical?

Steps in Social Engineering

There are three steps in social engineering.

  1. Information Gathering

In this step, the social engineer gathers as much information about his target as possible. He can do online searches on social networking sites, stalk the target to learn his routines and talk to his friends to learn more about his likes.

  2. Developing Relationships

After you have gathered enough information about your target, it’s time to build a relationship. Let’s say you learned that the target likes Justin Bieber. You can create a “perfect encounter” with him in his daily routine. You could probably sit beside him on a bus and have a little chitchat about Justin Bieber. Ideally, you can build a relationship from the “serendipitous meeting.” In some cases, you will need to “invest” in something. If you learned that the target is in a lot of debt, aside from being a Justin Bieber fan, you can use that to your advantage in the next step.

  3. Exploitation

In the last step, you push through with your goal of eliciting the information you need from the target. You may have allowed your target to borrow a sum of money from you so that he can pay his debt. Now you can use that to your advantage. You can ask for the information and remind him that he is in your debt, so he should return the favor. In this case, you are successful in your mission.

Types of Social Engineering Attacks

The Social Engineering Attacks can be classified into 2 categories:

  1. Non-technical – Doing social engineering in a traditional way
    1. Dumpster diving – Literally checking the target’s garbage.
    2. Shoulder surfing – Glancing at another person’s computer, cellphone or paper.
    3. Impersonation – Pretending to be key personnel in your target’s company.
    4. Tailgating – Walking in right behind the person ahead of you after he taps his badge to open the access door.
  2. Technical – Doing social engineering using technology
    1. Phishing – Getting the target’s information using a fake e-mail or website.
    2. Spear phishing – A type of phishing targeting a particular person.
    3. Pharming – A type of phishing targeting a group of people/organization.
    4. Vishing – Deceiving the target using a telephone/cellphone/smartphone.

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L5_SE

Lesson 4: Types of Authentication and Access Control

Authentication

Authentication is defined as proving that you are who you claim to be. There are 3 basic types of authentication:

  1. Something that you know – A form of authentication based on what you know (residing in the mind)

Ex. Password, PIN

  2. Something that you have – A form of authentication based on something tangible.

Ex. Token, cellphone, ID

  3. Something that you are – A form of authentication where the uniqueness of a part of your body is used.

Ex. Fingerprint, voice recognition, iris scan

None of the authentication types can be considered the strongest. Something-you-know authentication such as a password can be cracked using brute force or social engineering. Something-you-have authentication such as an ID can be stolen or reproduced. Something-you-are authentication such as a fingerprint is prone to false positives (you have sweaty hands, etc.).

To make your authentication stronger, it is advised that you use 2 or more types of authentication to provide a layer of security. This is what we call 2-factor or multi-factor authentication. Examples include:

  1. ATM + Pin (something that you have and you know)
  2. Credit card + signature (something that you have and you know)
  3. Cellphone for One-Time Password (OTP) + password (something that you have and you know)
  4. Badge + biometric (something that you have and you are)

Note: A username and password together are not considered multi-factor because both are of the something-you-know type.

Questions to search on:

  1. What is the fourth type (or other types) of authentication?
  2. What is the most accurate biometric? Why?
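To make the distinction concrete, here is an added example (not from the lesson) that classifies authenticators by the three types above and implements the “cellphone for OTP + password” combination from the MFA list, with the OTP done as an RFC 6238 TOTP check. The factor table, secret, salt and password are constructed for the example.

```python
"""Factor classification and a two-factor login check.

Added example (not from the lesson). The factor table mirrors the lesson's
three types; the possession factor is implemented as an RFC 6238 TOTP, the
way the "cellphone for OTP" entry in the MFA list works. Secret, salt and
password below are constructed test values.
"""
import hashlib
import hmac
import struct

# Authenticator -> factor type. "username" is listed as "know" to show why
# username + password is still single-factor.
FACTOR_OF = {
    "username": "know", "password": "know", "pin": "know", "signature": "know",
    "atm card": "have", "credit card": "have", "badge": "have", "otp": "have",
    "fingerprint": "are", "voice": "are", "iris": "are",
}

def factor_types(authenticators) -> set:
    """Distinct factor types present in a set of authenticators."""
    return {FACTOR_OF[a.lower()] for a in authenticators}

def is_multifactor(authenticators) -> bool:
    """Multi-factor means at least two *different* types, not two credentials."""
    return len(factor_types(authenticators)) >= 2

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: the counter is the current 30-second time slot."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current slot plus `window` slots either side (clock drift);
    constant-time comparison so timing does not leak the right code."""
    slot = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, slot + d), code)
               for d in range(-window, window + 1))

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 for the something-you-know factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(stored_hash: bytes, salt: bytes, secret: bytes,
          password: str, otp_code: str, unix_time: int) -> bool:
    """Two-factor login: the knowledge factor and the possession factor must both pass."""
    knows = hmac.compare_digest(hash_password(password, salt), stored_hash)
    has = verify_totp(secret, otp_code, unix_time)
    return knows and has

# Constructed sample user: the RFC 6238 test secret and a made-up password.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"
DEMO_HASH = hash_password("correct horse", DEMO_SALT)

if __name__ == "__main__":
    print(is_multifactor(["username", "password"]))   # False: both "know"
    print(is_multifactor(["atm card", "pin"]))        # True: "have" + "know"
    now = 59                                          # RFC 6238 test time
    print(login(DEMO_HASH, DEMO_SALT, DEMO_SECRET, "correct horse",
                totp(DEMO_SECRET, now), now))         # True
```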

Types of Access Control

Access Control or Authorization determines the type of privilege a user has after being authenticated. If you enter the school, an authentication mechanism could be your school ID. Access Control determines which rooms in the school you can access. If you’re a student, you can access the classrooms, computer laboratories and cafeteria. However, you are prohibited from accessing the faculty room and server room. A faculty member can access more rooms compared to a student.

Mandatory Access Control (MAC)

MAC is the strictest type of access control. It is seen in government, especially in the military. It uses Sensitivity Labels (SL) for both the subject (the one that initiates an action) and the object (the thing the action is performed on). It is also known as a multi-level type of access control.

SL can be classified as:

Top Secret

Secret

Confidential

Public

Let’s say a File A (Object) has an SL of Secret. Only the subject that has an SL of either Top Secret or Secret can access the file.

To visualize, let’s say a 5-star General has an SL of Top Secret, a Colonel an SL of Secret, a Lieutenant an SL of Confidential and a Sergeant an SL of Public. Only the Colonel or the 5-star General can access File A, because their SL gives them clearance to do so. A subject can access all objects at or below his/her SL. MAC uses a top-down approach.

Discretionary Access Control (DAC)

DAC is the direct opposite of MAC. This type of access control is seen in non-military institutions (usually commercial use). In DAC, the owner of the file determines the privileges of the subjects over the objects. It is also known as a single-level type of access control.

DAC uses an Access Control Matrix (r-read, w-write, x-execute), shown below with subjects down the side and objects across the top:

Objects: Chicken File (Owner: Riza, Object 1) | Pasta File (Owner: Reese, Object 2) | Beef File (Owner: Rex, Object 3)

James (Subject 1): rwx -wx

Ray (Subject 2): rw- rw- -wx

Ogawa (Subject 3): rwx -wx

In the above scenario, we have 3 users (subjects) trying to access 3 files (objects). Each file is owned by a specific individual (owner). It becomes the discretion of the owner on what privileges he/she wants to give the subjects. These privileges may change also.

Role-based Access Control (RBAC)

RBAC is also known as a non-discretionary access control. It gives privileges based on the roles/tasks. It is beneficial for large organizations in organizing group privileges to objects. For example, all students have read only access to File 1, File 2 and File 3. All faculty members, on the other hand, have full access to all the files mentioned. The admin will just add users (subjects) on the groups created for consistency and convenience.

Rule-based Access Control

Rule-based Access Control grants privileges based on a list of rules that enforce a policy. A good example is an Access Control List (ACL) in a firewall. The firewall grants or denies access based on the rules found in the ACL. However, if no rule matches, then no privilege should be given (implicit deny).
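The MAC, DAC and RBAC models above as an added example (not the lesson’s code): a label-ordering check using the lesson’s ranks, the lesson’s DAC matrix with owner-only changes, and the student/faculty roles. Ray’s DAC row is complete on the page; the Beef File cells for James and Ogawa are blank there and are assumed to mean no access, and the RBAC user names are constructed.

```python
"""Toy implementations of the three access-control models in Lesson 4.

Added example, not code from the lesson. Ranks, owners, subjects and roles
are taken from the lesson's illustrations; user names under RBAC are made up.
"""
from dataclasses import dataclass, field

# --- Mandatory Access Control (MAC) ---------------------------------------
# Sensitivity labels from the lesson, highest first; the numbers are ranks.
SENSITIVITY = {"Top Secret": 3, "Secret": 2, "Confidential": 1, "Public": 0}

# The lesson's illustration: each subject's clearance.
CLEARANCE = {"5-star General": "Top Secret", "Colonel": "Secret",
             "Lieutenant": "Confidential", "Sergeant": "Public"}

def mac_can_access(subject_label: str, object_label: str) -> bool:
    """A subject may access an object whose label is at or below its own."""
    return SENSITIVITY[subject_label] >= SENSITIVITY[object_label]

def mac_who_can_access(object_label: str) -> list:
    """Every subject whose clearance dominates the object's label."""
    return [s for s, lbl in CLEARANCE.items() if mac_can_access(lbl, object_label)]

# --- Discretionary Access Control (DAC) ------------------------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> "rwx"-style string

    def grant(self, actor: str, subject: str, perms: str) -> None:
        """Only the owner may change this object's row of the matrix."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner ({self.owner})")
        self.acl[subject] = perms

    def can(self, subject: str, op: str) -> bool:
        """op is 'r', 'w' or 'x'; a subject absent from the matrix has no access."""
        return op in self.acl.get(subject, "---")

# Matrix from the lesson. Ray's row is complete; the page shows only two
# entries each for James and Ogawa, so their Beef File cell is assumed empty.
DAC_FILES = {
    "Chicken File": DacObject("Riza",  {"James": "rwx", "Ray": "rw-", "Ogawa": "rwx"}),
    "Pasta File":   DacObject("Reese", {"James": "-wx", "Ray": "rw-", "Ogawa": "-wx"}),
    "Beef File":    DacObject("Rex",   {"Ray": "-wx"}),
}

# --- Role-based Access Control (RBAC) --------------------------------------
# Privileges belong to roles; the admin only adds users to roles.
ROLE_PERMS = {
    "student": {"File 1": "r--", "File 2": "r--", "File 3": "r--"},
    "faculty": {"File 1": "rwx", "File 2": "rwx", "File 3": "rwx"},
}
USER_ROLES = {"ana": {"student"}, "prof_lee": {"faculty"}}   # constructed users

def rbac_can(user: str, obj: str, op: str) -> bool:
    """Union of the permissions of every role the user holds."""
    return any(op in ROLE_PERMS[r].get(obj, "---") for r in USER_ROLES.get(user, ()))

if __name__ == "__main__":
    print(mac_who_can_access("Secret"))               # ['5-star General', 'Colonel']
    print(DAC_FILES["Pasta File"].can("James", "r"))  # False: James has -wx there
    print(rbac_can("ana", "File 1", "w"))             # False: students read only
```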

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L4_AuthAC

Lesson 3: Defense in Depth and related concepts

Defense-in-Depth

We have agreed that in Infosec we protect data/information. As discussed in Lesson 1, the scope of Infosec is very broad and IT Security is just part of it. We also learned in Lesson 2 that preventive controls are incomplete without detective controls and response. From these concepts, a more concrete and concise security architecture is formed: Defense in Depth.

The concept of Defense in Depth states that in order for anybody to access the data, it should pass layers of security first. Security controls may vary but it should be in layers.

For example, if you want to access the bank database, you need to pass through frisking of security guards, inspection of bags and proper identification when entering the bank premises. That is what we call Physical Security.

When you enter the premises, you are required to wear your ID at all times. If you are a visitor, a security officer is required to accompany you wherever you go within the premises. That is the next layer, called Operational Security.

If you connect to their wireless network and your laptop cannot access the Internet because of MAC filtering, that is an example of Network Security.

When desktop computers have disabled USB ports to prevent spread/download of virus, that is an example of Host Security.

When you need to enter a username and password to gain access to your account, that is an example of Application Security.

Diversity of Defense

The Diversity of Defense security concept is quite tricky. Management will always want a cost-effective IT infrastructure setup. For example, Huawei, a well-known networking vendor, might offer an IT infrastructure package that is very appealing. Let’s say they offer the whole IT infrastructure for X pesos. Management may be lured to buy the package because of the cost. However, as an information security professional, you should weigh the possible security issues that may arise.

In Diversity of Defense, you are compelled to buy different brands of network and IT devices such as firewalls, switches, routers, etc. But if you buy devices from different vendors, the cost may double (2X pesos) compared to the X pesos for a single brand.

So what is the advantage of this concept?

If a vulnerability is found in the Huawei firewall, then no matter how many Huawei firewalls you have, your network is vulnerable to that particular attack. You can simply say that the cost of information disclosure when a single proprietary vulnerability is exploited is far higher than the cost of implementing diversity of defense.

Security through Obscurity

If we say that a company is implementing security through obscurity, can we consider it secured? In Security through Obscurity, we rely on the idea that nobody will think that some valuable asset is hidden in an obscure place.

For example, will anybody think that there’s 1M pesos stored underneath the driver’s seat of my car? What are the odds, right? But if I accidentally left my car unlocked and somebody randomly opens the door of my car, is my asset still secured?

Security through obscurity is simply hiding something. But hiding something without proper safeguards has no security at all.

Cost-Benefit Analysis (CBA)

In information security terms, CBA refers to weighing the cost of safeguards against the value of the asset. As a rule of thumb, you are not supposed to buy a safeguard that is more expensive than the asset.

For example, you won’t buy a vault that is valued at 20,000 pesos to safeguard a Timex watch from a buy 1 take 1 sale worth 2,000 pesos. The thief will probably steal the safeguard instead of the asset in it.

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L3_GenSec

Lesson 2: Security CIA, Protection & Least Privilege Concepts

The CIA Triad

All issues and solutions pertaining to security fall under 3 categories:

  1. Confidentiality – Protection against unauthorized access
  2. Integrity – Protection against unauthorized modification
  3. Availability – Protection against denial of service

The exact opposite of the CIA is the DAD – Disclosure, Alteration and Destruction.

CIA-DAD
The CIA Triad and its opposite, the DAD

See the following events and solutions:

  1. Locking the door when you leave the house – This is a confidentiality solution because only the person who has the key to unlock the door can enter the house.
  2. A student overwrites the teacher’s PowerPoint presentation – This is an integrity issue because the content of the presentation has been changed.
  3. The system administrator backs up the file server every Friday – This is an availability solution because the backup ensures access to the files when the main file server becomes unavailable.

Example scenarios that can be accidental or intentional

A security issue can be a result of an accidental or intentional event. In example 2, the student may have accidentally overwritten the teacher’s file because of his negligence. He may also have overwritten the file intentionally out of revenge. But regardless of his intention, it is classified as a security issue.

The Formula for Protection

Some decades ago, the formula for protection was:

Protection = Prevention

This means that in order to protect something, you need to prevent something bad from happening. For example, in order to prevent a home intruder from entering your home, you install a gate around your house. You are preventing the intruder from getting in the house because of the gate.

Similarly, in the technical world, you can install a firewall in your network. A firewall is hardware or software that enforces a security policy. For example, if you have a web server in your company and you would like the public to access only the web server, the firewall can filter the traffic going into your network. Only packets/traffic destined for TCP port 80 (HTTP) will be allowed to enter the network, because port 80 is specifically opened for web connections. All other traffic will be denied.

Now, what is the problem or limitation with this formula?

In the first example (gate example), what will happen if the intruder climbs using a rope and he is able to pass the gate? Hypothetically, if the intruder is able to enter your house in the middle of the night, will you be able to stop him?

The formula for protection lacks other components.

Let’s say you bought a motion sensor alarm and a gun. You realize that if the intruder is able to enter your house after passing the gate using a rope, the motion sensor alarm will detect his movements and will alert you. Now if you see him and he’s planning to attack you with some weapon, you can defend yourself by shooting him using your gun.

Well, that’s just a hypothetical situation. But the point is, you need to anticipate that your preventive tool may be bypassed. That’s why you need to set up other security controls.

Therefore, the modified and correct formula for protection is:

Protection = Prevention + (Detection + Response)

Protection = Gate + (Motion Sensor Alarm + Shoot using your gun)

This formula can be applied to all domains of information security.

Going back to the firewall example, can you determine the limitation of implementing only a firewall in your network? If the firewall is the preventive tool, what is the detective tool and the response mechanism?

Least Privilege

I think the concept of least privilege is the essence of information security. In least privilege, you only get the privilege and access that you need, nothing more and nothing less.

In a company, there is an Accountant, an HR Assistant and a Sales Agent. When we apply least privilege to these 3 employees, we give each employee the following access to applications:

Accountant – MS Excel, Calculator, E-mail, Printer

HR Assistant – Telephone, Job Street, LinkedIn, MS Word, E-mail, Printer

Sales Agent – Telephone, Facebook, MS Word, E-mail, Printer

In least privilege, we list the things that each employee needs and we give the needed access to them. However, those applications that are not in the list won’t be given to the users.

Types of Least Privilege

Separation of Duties (SOD)

SOD states that a task (especially critical jobs) must be delegated to more than 1 person. Let’s use the payroll system as an example.

HR Department – Computes your daily time record (DTR)

Accounting Department – Computes your salary based on the DTR submitted by the HR department

Management Group – Approves the salary computed and submitted by the Accounting department

What happens if only one person, let’s say Paula, computes the DTR and the salary and also approves the computation?

For instance, if an employee, Gilbert, does not go to work, then it will reflect in his DTR. However, if Paula decides to give Gilbert a salary, then she can freely do so without anybody questioning it. There’s nobody who checks if the task is done correctly or not.

The SOD for the payroll scenario is very important to ensure checks and balances of activities related to work.
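As an added example (not part of the lesson), the payroll scenario above enforced in code: each run must pass through the HR, Accounting and Management steps in order, and the same person may not perform two of them. The step labels and the person names other than Paula and Gilbert are constructed.

```python
"""Separation of Duties enforced on the lesson's payroll workflow.

Added example (not from the lesson): each payroll run must pass through the
three steps in order, and no single person may perform more than one step.
"""
from dataclasses import dataclass, field

# The three duties from the lesson, in the order they must happen.
STEPS = ("compute_dtr", "compute_salary", "approve")   # HR, Accounting, Management

class SodViolation(Exception):
    """One person tried to perform a second step of the same critical task."""

@dataclass
class PayrollRun:
    employee: str
    actors: dict = field(default_factory=dict)   # step -> person who did it

    @property
    def complete(self) -> bool:
        return len(self.actors) == len(STEPS)

    def perform(self, step: str, actor: str) -> None:
        if self.complete:
            raise ValueError("payroll run is already approved")
        expected = STEPS[len(self.actors)]
        if step != expected:   # no approving a salary that was never computed
            raise ValueError(f"expected {expected!r} next, got {step!r}")
        if actor in self.actors.values():   # the SOD check itself
            done = next(s for s, a in self.actors.items() if a == actor)
            raise SodViolation(f"{actor} already performed {done!r}")
        self.actors[step] = actor

def run_payroll(employee: str, hr: str, accounting: str, manager: str) -> PayrollRun:
    """Drive one run through all three steps with the given people."""
    run = PayrollRun(employee)
    for step, actor in zip(STEPS, (hr, accounting, manager)):
        run.perform(step, actor)
    return run

def sod_holds(hr: str, accounting: str, manager: str) -> bool:
    """True when the three duties are split across three different people."""
    try:
        return run_payroll("Gilbert", hr, accounting, manager).complete
    except SodViolation:
        return False

if __name__ == "__main__":
    print(sod_holds("HR clerk", "Accountant", "Manager"))   # True
    print(sod_holds("Paula", "Paula", "Paula"))            # False: Paula does it all
```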

Implicit Deny

Implicit Deny is another type of least privilege that is usually seen and applied in a firewall Access Control List (ACL). Assuming we have an entry in an access control list:

[ACL entry shown as an image: a single rule permitting tcp 80 in and out]

This ACL entry allows web traffic (tcp 80) going in and out of the network. If that’s the only rule that we have in the ACL, can we access the file server in the network (tcp 21)?

The answer, of course, is no. But one can ask: will it deny tcp 21 even if there is no rule stating that it should be denied?

The implicit deny states that if there is no rule that states allow, then deny access. So even without a specific rule, it is understood that there is a “deny all” rule after the last entry in the ACL.
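As an added example (not the lesson’s), a toy first-match packet filter that shows the implicit deny in action, illustrating both this passage and the Rule-based Access Control section of Lesson 4. The ACL holds only the lesson’s single “permit tcp 80” rule; the rule fields and the sample packets are constructed.

```python
"""A minimal stateless packet filter showing first-match ACLs and implicit deny.

Added example, not code from the lesson. The one-rule ACL is the lesson's
"allow tcp 80 in and out"; the traffic below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dst_port: int
    direction: str      # "in" or "out"

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    dst_port: Optional[int] = None    # None = any port
    direction: Optional[str] = None   # None = either direction

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.direction is None or self.direction == pkt.direction))

def evaluate(acl: list, pkt: Packet) -> str:
    """Rules are checked top to bottom; the first match decides. When nothing
    matches, the packet is dropped: the implicit 'deny all' after the last entry."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def audit(acl: list, packets) -> dict:
    """Group packets by verdict so an admin can see what the unwritten deny caught."""
    report = {"permit": [], "deny": []}
    for pkt in packets:
        report[evaluate(acl, pkt)].append(pkt)
    return report

# The lesson's single-entry ACL: web traffic (tcp 80) permitted in and out.
WEB_ONLY_ACL = [Rule("permit", "tcp", 80)]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", 80, "in"),    # web request arriving
    Packet("tcp", 80, "out"),   # web request leaving
    Packet("tcp", 21, "in"),    # the lesson's file-server question
    Packet("udp", 53, "out"),   # DNS, never mentioned in the ACL
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.proto}/{pkt.dst_port} {pkt.direction}: {evaluate(WEB_ONLY_ACL, pkt)}")
```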

Job Rotation

Job Rotation is a lesser-known type of least privilege. This concept requires that other persons be familiar with your job, especially if it is a critical role. Although it is costly because you need to train other employees, it is very helpful in finding out what is really happening with the tasks assigned to a particular person.

If you are put in an employee’s shoes due to job rotation, you and the management may find a lot of things. For example, why does this employee take 10 hours (with overtime) to do his job when I can finish it in 4 hours when I assumed his role in job rotation? There may be something to investigate in this issue.

—– NOTHING FOLLOWS —–