D. Cyber risk Flashcards
what are the types of sensitive information?
personal information
- personally identifiable information (PII)
- information that, either on its own or combined with other information, can identify a single person
business information
- anything that may cause a risk to the company if discovered by an external party
- includes things like research data, marketing plans
classified information
- usually refers to information that a national government has put special restrictions on, where disclosure could harm public safety and security
what are some examples of PII?
- names
- addresses
- DOB
- credit card numbers
- bank account numbers
- information about race/ethnicity
how can technology interact with an organisation?
TYPE of tech the company uses
- ERP, Data Centres
different ways the organisation is CONNECTED with technology
- VPN, routers, virtual servers
different SERVICE PROVIDERS the company uses
- cloud provider, software providers, call centres
how the company DELIVERS its product or service to the customer
- transmissions to vendors, online retail channel, wholesale customers
what is an ERP?
Enterprise Resource Planning
- links a wide range of business activities
- used to automate work traditionally done by MA
what is a Data centre?
a large group of networked computer servers, usually used by organisations for storing, processing or distributing large amounts of data
what is a VPN?
virtual private network
- extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network
- often used by organisations whose staff work remotely so they can access shared data drives or intranet
what is a router?
networking devices that direct computing traffic between computers on networks
what is a virtual server?
a modern server is now so powerful that having one server for a single function is very inefficient
servers can now perform multiple functions and can be located offsite and often controlled by a third party
resources the server provides are often used by multiple users and each user can administer it as though they have complete control over it
what is the Cloud?
a form of remote data storage
called the cloud as the storage could be at a great distance from the access point rather than stored locally
although it uses new tech, it is similar to older computing where a large central computer owned and run by the company (mainframe) held all the data
what are the benefits of cloud storage?
only paying for the storage used
in-house staff are not required to maintain and protect the data
what are the costs related to cloud computing?
- remoteness can be a problem, if communications break down you cannot gain access to your data
- reliance on a third party to protect the integrity of the data
- sharing storage space with others which may compromise your data
where is collateral damage and access to confidential PII usually sold?
on the dark web
what is the dark web?
part of the internet that allows further anonymity
ability to obscure the source or location
- provides criminals protection
- ‘fraud economy’
what are the 3 parts of the internet?
surface web (clear web)
- everyday use, can find using a search engine
deep web
- used everyday
- have to log in to access
dark web
- need special technology to access
- Tor browser/network
- increased use of encryption and use of obfuscation
how can criminals use PII?
- big market for PII
- can use passwords for other sites
- can use this to build a user profile
- identity theft
- can sell profile to others
what was the 2017 global cyberattack called NotPetya?
targeted Ukraine on the eve of a national Ukrainian holiday
- 80% of infections were in Ukraine
- several large businesses going offline
- Germany also badly hit, 9% infections
- collateral damage recorded across the world
what types of changes could affect cyber security risk management?
expansion
- adding a manufacturing operation
- additional connection
acquisition
- different software and systems
- data loss
restructure
- undertake an internal restructure
- reporting lines change
hardware update
- rolling out any kind of update poses a risk as it means people will need to change the way they do things
- old hardware disposed of incorrectly
regulations
- legal or regulatory requirements can have an effect on cyber security risk management
- e.g. GDPR
how did Covid pose a cyber security risk?
everyone had to work remotely
- emails and phishing rise
- malicious links passed around
what are changeover methods?
direct changeover
parallel running
pilot changeover
phased changeover
what is a direct changeover?
the old system is switched off and then the new system is switched on
appropriate when the 2 systems are very different or it is too expensive to run both
also risky: if the new system doesn’t work properly they can’t revert, and staff will lose trust in the new system
what is parallel running?
old and new systems run together for a period of time, until it is considered safe to switch the old system off
why is parallel running costly?
inputting data twice
possibly employing more staff to do so
BUT less risky than direct changeover
what is pilot changeover?
where one part of the business changes over first
- this division could use parallel or direct changeover
once the system operates correctly there, the rest will change over
what are the pros and cons of the pilot changeover?
safer method of changeover as only one part of the business will be affected if anything goes wrong
however there may be different issues with different parts of the business that go unrealised at first
what is a phased changeover?
involves bringing in the new system one part of the business at a time
how does phased changeover differ from pilot changeover?
in phased, all departments or divisions are staggered with respect to receiving the new system
what are the pros and cons of phased changeover?
less risky, should there be a problem in a certain division and IT staff can deal with issues one at a time
time consuming
what happened during the TSB software migration?
2015: Spanish banking group acquired TSB from Lloyds Banking Group and wanted to integrate it into the same core banking system
wanted to offer new services that the legacy system couldn’t offer
changeover method: pilot approach
- moved some services first, including mobile banking app
- planned to move everything else in 2017
- final stage delayed and had many problems when it did finally change over
what are the 4 cyber security objectives outlined by the AICPA reporting framework?
availability
confidentiality
integrity of data
- prevent unauthorised modification
integrity of processing
how can we apply the cyber security objectives to an online retailer?
availability: online retail store provides 24/7 service worldwide
confidentiality: keep PII confidential
integrity of data: make sure financial info for both internal and external purposes is reliable and also that customer information is correct and up to date
integrity of processing: making sure goods sold are as described on their website and the service matches the description provided
what was the availability issue with RBS?
2012: outage occurred for RBS, Natwest and Ulster Bank
- customers could not access funds for a week or more
- banks had to manually update account balances
received £56m fine from regulator for outages
- software suppliers that caused outage paid millions
- didn’t know actual cause: suspect someone in RBS India pressed the wrong button
what is PCI DSS?
Payment Card Industry Data Security Standard
- brought in to ensure businesses that process card payments do so securely
- protect sensitive cardholder data
- help reduce card fraud
- sets tight controls over storage, transmission and processing of the cardholder data that businesses handle
what is malware?
malicious software, regardless of the intended purpose.
can do any number of things, ranging from the stealing of credentials, other information or money to the general wreaking of havoc, or denial of service
what are the various ways to execute malware?
ransomware
botnets
spyware
trojans
malvertising
viruses
what is ransomware?
designed to prevent access to data until a ransom is paid
what are botnets?
networks of private computers that are infected with malware and controlled by a ‘botnet agent’ designed to follow the attacker’s instructions without the knowledge of the owner of the computer
often associated with DDoS
what are trojans?
named after the Trojan horse, where a wooden horse was allowed into the city as it was deemed harmless but concealed soldiers inside ready to attack the city
malware pretends to be a useful piece of software whilst secretly releasing malware into the system, usually with the capability to be controlled by the attacker from a different location (known as a remote access Trojan or RAT)
what is a banking Trojan?
targets banking industry
- steal customer credentials to attack bank
- bank had to increase cybersecurity
what is malvertising?
when online advertisements have malware written into their code
- can involve hiding the malicious code in legitimate online advertising networks and web pages
- code may direct victim to a malicious site where malware is installed
- might directly infect computer when page is visited
serious threat that requires little or no user interaction
what are viruses?
designed to endlessly replicate themselves and infect programs and files to damage or destroy data
what are worm viruses?
spread across networks to infect other devices
what is spyware?
designed to spy on the victim’s systems without being detected and gather information to send to the hacker
what are keyloggers?
similar to spyware
- every keystroke typed by the victim is recorded and forwarded to the hacker
what is a zero day exploit?
exploits a flaw that is either unknown to the software developer or has been left unaddressed
a vulnerability in the system that the hacker has known about but the company may have only just spotted
what is polymorphic malware?
type of malware that avoids being identified by systems and networks by constantly changing its identifiable features
can use any of the execution methods mentioned, but is harder for the target to identify
becoming more common as it takes longer to prevent, leaving more time for malicious activity
what are some cases of ransomware?
NHS: WannaCry shut down more than 80 NHS orgs, 20k appointments cancelled, diverted ambulances
NotPetya: Ukrainian accounting systems, infected multinational shipping companies such as Maersk costing $300m per quarter
what is an application attack?
term for a variety of different ways of attacking a victim, but this time by attacking a whole app
becoming common with app development
what is the intention of application attacks?
same as malware:
steal data and user identities
what are the most common types of application attacks?
DoS: Denial-of-service
DDoS: Distributed-denial-of-service
SQL injection: Structured Query Language injection
XSS attacks: Cross-site scripting attacks
MitM: Man in the Middle
Buffer overflow attack
what is DoS?
Denial-of-service is an attempt to overwhelm a system’s resources so they cannot respond to service requests
what is DDoS?
where the source is a number of host machines, usually linked to botnets under the control of the attacker
FB DDoS attack
March 2019: WA, Insta and FB down
- FB said it was a server configuration issue
many thought they were covering up a DDoS attack
- unlikely to admit as it might encourage attackers
what is an SQL injection?
common issue with database-driven websites
occurs when the attacker uses an unprotected input box on the company’s website to execute a SQL query against the database via the input data passed from the client to the server
what could a successful SQL injection do?
- can read sensitive data from the database
- modify(insert, update, delete)
- execute admin operation e.g. shutdown
- recover content
- issue commands
what is a SQL query?
request for something to be done on a database
e.g. when logging into a website, you input a username and password. when you press ‘enter’ the website queries your inputs against the database of usernames and passwords to check for a match. access is allowed if a match is found
what is an XSS attack?
occurs when malicious code is transmitted from a website and can access the victims’ data
- occurs when visiting another org’s website
- 3rd party web resource runs a script in the victims’ web browser
what is a buffer overflow attack?
another type of attack that overwhelms a system’s resources
the excess data overwrites existing data
what is hacking?
gaining unauthorised access to a computer system
- might be deliberate attempt to gain access
- might want to alter data
why is hacking dangerous?
GAIN access to codes, passwords and authorisations
INTERFERE with control systems to gain open access to the system
OBTAIN information that is of use for competitors
CAUSE data corruption or delete files
how was Target a victim of hacking?
one of the largest department store retailers
breach in 2013
user credentials stolen from third party
hacker uploaded malware into the point of sale systems
stole 40m credit and debit card info in the US in 2-3 weeks
what are the different types of hackers?
unethical hackers:malicious intent, typical hackers
ethical hackers:hack with company’s permission, help understand weaknesses in network, usually called ‘security experts’
what is the 3rd type of hacker?
sit between ethical and unethical
not good or bad, sell skill for monetary gain
what is a key element of hackers?
skilled in some way, whether technical skills or skilled in social engineering and deceiving people into taking action
what is a threat actor?
individual or group that either intentionally or unintentionally conducts malicious activities against an organisation
can include negligence or mistakes by a person or a group of people who do not have malicious intent
what is a weaponised document?
a tool used by hackers: a document downloaded from a source (email, website, shared drive) that contains some code, a link or a video that, once activated, releases malware onto a system or network
what is social engineering?
manipulation of people to make them perform specific actions or reveal confidential information
The theory of influence is key to social engineering. What are Dr Cialdini’s 6 principles used to persuade or influence someone?
reciprocity
- people feel obliged to return the favour
scarcity
- something that is in short supply is perceived to be more valuable
authority
- if someone is deemed to be an expert they carry more power
consistency
- routine
liking
- people sharing some common traits are more inclined to like each other
consensus
- follow behavioural norms
ARCSCL
what is phishing?
use of fraudulent messages to try to steal sensitive information such as passwords or credit card numbers, or to install malware onto a user’s computer
what tools do phishers use to deceive their victims?
phishers use a combination of communication tools to deceive their victims:
- SMS text message (smishing)
- email impersonation
- telephone calls (voice phishing or vishing)
- fake websites
what is spear phishing?
when a phishing attempt targets a specific user, rather than a blanket communication sent to many people
phishers would have carried out research into the specific person and their role and interest
allows the attacker to modify the communication to be more appealing or relevant to the victim, increasing the likelihood of its success
what is BEC?
Business Email Compromise is a way to phish or spear phish
also known as imposter email and CEO fraud, BEC attacks involve impersonating an identity e.g. the chief exec and asking for a particular action to happen or for a piece of information to be sent through
- rely on the social engineering principle of AUTHORITY
what is domain fraud?
also called outbound phishing
where the threat actors make an email appear to be from a legitimate source, but it is actually from a malicious actor
- can create a sense of urgency i.e. SCARCITY
fraudulent domain name is another example of something that may be purchased on the dark web
e.g. email sent from @Amazonsupport.com instead of @Amazon.com
what are the most common approaches to BEC?
spoofing email fields
- changing the reply-to email address to make it look like it’s coming from the organisation e.g. replace o with 0
using scarcity
- putting the word ‘urgent’ in or combining with perceived authority
variety
- target more identities than CEO and CFO
why are individuals cited as being the biggest cyber security risks?
often feel that they are not part of the information security defence systems
- can lead to actions that might compromise security
- focus elsewhere
What is an example of social engineering at Yahoo?
2013: an engineer who had special access was manipulated
duped by a phishing email
3bn accounts compromised and made available on the dark web
didn’t realise full extent until breach revealed
large reputational damage
what are some examples of themes used in social engineering to attract attention?
food
shelter
love
money
overlap with Maslow’s hierarchy & basic human desires
how does day of the week help social engineering?
research indicates there is an increased volume of attacks earlier in the week, with over 50% on a Monday or Tuesday
- employees in a rush to clear through backlog
which roles are attractive targets to hackers?
CEO: high profile but likely to have high security and hard to reach
HR: easily contactable and have customer and employee data
what are some considerations for who might be the most susceptible people to attack in an organisation?
use of social media
- know more about victim
likelihood of clicking
- more curious people will click link
access to customer data
- role privileged with customer info, PII is valuable on black market
access to confidential business data
- also valuable on dark web
access to C-suite employees
- assistant could have important information, could be a connection to target
location
- logs on from a less secure network e.g. in public, could easily be attacked
type of device
- some are easier to target e.g. can’t see full email on mobile
routine
- if routine is identifiable, can create attack opportunity or can impersonate target easily
is there a correlation between size of organisations and number of attacks?
no correlation
larger organisations may appear more appealing, if the attacker is able to breach their security
a lesser known SME, with a smaller potential payoff but weaker security in place, would provide the opportunity for a threat actor to keep a steady income stream while they work towards a big target
how can threat actors use cryptocurrency?
makes it easier to send and receive money
what is the IoT?
internet of things is a network of devices, most commonly associated with devices around the home, where machines such as vehicles and home appliances contain software and sensors and communicate with one another either through Wi-Fi or via Bluetooth
- can be controlled and monitored from a remote location
how can IoT pose cyber security risks?
not always sufficiently secure
can often be interrogated wirelessly to reveal access codes
- remote access gives hackers control e.g. heating in factory
- hackers might try social engineering to gain access to the network by asking staff for passwords
businesses must decide whether the convenience that the IoT provides is worth the additional vulnerabilities and therefore security measures that would be required
what is social media?
term for a range of sites that may provide radically different social interactions
what are some examples of social media sites?
Twitter: people share short updates i.e. tweets
Facebook: allows updates, photos, joining events and a variety of other activities
LinkedIn: professional business-related networking site
Instagram: free photo-sharing program
what opportunities does social media offer?
advertising
brand development: post pics of product
Big Data analytics: monitor mentions, where and why
Methods of listening to customers:queries, complaints
Real time information gathering:quick polls
communications
recruitment and selection:advertise roles, avoid costly recruitment fees
selection:firms screen applicants by researching their web presence
what are the risks of social media?
human error
- mistakes by employees (clicking phishing link, questionable post) on personal accounts or organisations’ accounts
productivity
- employees can be distracted by social media
data protection
- increased regulatory requirements around protecting PII that could be gained from social media sites
hacking
- accessing organisation-specific accounts and sending messages posing as the organisation
reputation
- well-meaning posts can be misinterpreted leading to criticism
inactivity
- not keeping a social media account active could be as damaging as not using social media at all
costs
- using social media could lead to significant costs, using it badly could lead to fines
what are the risks of social media to individuals?
going viral: can be good or bad, abuse, disabling accounts when bad
internet trolling: abusive responses are referred to as trolling
employment: companies may disapprove of your posts during the recruitment process
legal sanction: law enforcement can review social media posts to help identify suspects, location etc
physical theft: showing you’re away from home
identity fraud: build up portfolio from what you post
permanence: hard to remove content, can take screenshots or download
what are the different types of vulnerabilities in an organisation?
technical: defects in software or poor protection
procedural deficiencies: IT related or user related
physical: physical event such as fire or flood causing damage to the information technology system
where do most breaches come from?
human vulnerabilities rather than technical or physical
- phishing related
- stolen or lost devices
- insecure networks e.g. in public
what are some examples of the implications for an organisation that is compromised?
downtime: unable to carry out service, production loss, lost revenue
reputation damage: name & brand value negatively affected
customer flight: customers move to competitors, need to prevent over-reliance on single customers
industry consequences: healthcare and financial services, cyber security breaches can be very costly as they are highly regulated
termination of employees: those accountable for breach or misconduct
loss of IP or trade secrets: lost trust in ability to protect customer details, threat actor could have compromised the organisation’s competitive advantage in the industry
legal consequences: fines, lawsuit costs and settlements can be very significant. 2018 GDPR
what is GDPR?
General Data Protection Regulation is an EU law, enacted in the UK through the Data Protection Act (DPA) from May 2018
what are the 2 main objectives of GDPR?
- protection of fundamental rights and freedoms of individual persons with regard to processing personal data
- protection of the principle of free movement of personal data within the EU
who enforces the DPA?
the Information Commissioner’s Office (ICO)
aim is to keep personal data secure at all times
what does keeping personal data secure entail within the DPA or GDPR?
- passwords should protect files and digital devices
- sensitive documents should be locked away whenever they are not in use e.g. printouts
- personal data must be sent/transmitted securely
- when it is no longer needed, personal data must be securely disposed of e.g. shredded
when can exemptions to GDPR be introduced?
only when the restriction respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard things like national security and breaches of ethics in regulated professions
what rights do data subjects have under the GDPR compared to DPA?
have enhanced rights
- can request access to data held about them
- can request data is deleted
- can claim compensation for damages caused by infringement of the GDPR from the company controlling or processing their data
what could a breach of GDPR lead to?
- fined up to EUR10m or 2% of global income for failure to implement measures
- fine of EUR20m or 4% of global income for failure to comply with the principles of lawfulness, individuals’ rights or conditions of consent
what is the Computer Misuse Act 1990?
any fraudulent behaviour connected with computerisation by which someone attempts to gain dishonest advantage
what are the key objectives of the Computer Misuse Act 1990?
to make crimes of ‘hacking’ and theft of data
but does not provide definition of:
- computer
- program
- data
which 3 new criminal offences did the Computer Misuse Act 1990 create?
unauthorised access, even by an employee exceeding their clearance level = minor offence & penalty of 6 months imprisonment/fine/both
unauthorised access with intent to commit and then facilitate the commission of a further offence e.g. divert funds = serious offence & 4yr prison/fine/both
knowingly causing an unauthorised modification of the contents of any computer with the intention of interfering with the operation of that computer or preventing access to a program e.g. introducing a virus = penalty of 5 years/fine/both
what laws are there in the US to protect data?
every state has its own laws protecting the PII of their residents but there are 2 major acts
Honest Ads Act: ensure companies like Facebook and Google employ reasonable efforts to ensure foreign govts and agents are not purchasing adverts on their platform to influence voters
- after 2016 elections
California Privacy Act: toughest privacy regulations in the US and took effect in 2020. Users allowed to ask what data of theirs is stored and who has access. Can request orgs to stop selling data
- not as strict as GDPR
what cyber laws are there in China?
2017 Cybersecurity Law
- requires companies that conduct business in China to review data protection policies and ensure compliance
also introducing e-commerce legislation covering areas such as data anonymisation, big data, overseas data transfers and information security
- companies that fail to comply with the law could face severe financial sanctions that could include losing their rights to conduct business in China
what cyber laws are there in Singapore?
changed Personal Data Protection Act to include aspects of the EU GDPR, on areas such as mandatory breach notification and the appointment of a data protection officer
2018: several insurance and financial organisations based in Singapore received fines for failing to adequately secure personal data or breaching rules on use of personal data
is GDPR purely digital?
no
2019: Doorstep Dispensaree, a London pharmacy supplying care homes in the region, was fined £275k for GDPR breach
- 500k patient records had been in an unsecured location since before the new regulations were introduced in May 2018
- documents were left in unlocked crates, disposal bags and cardboard boxes in a rear courtyard, containing names, addresses, dates of birth, NHS numbers and medical information
which 3 elements does the AICPA cyber security framework recommend a security mechanism should be based on?
protection
detection
response
what does cyber security risk governance include?
- how the management set the tone from the top
- standards for conduct
- the extent of, and access to, IT expertise at board level
- responsibility for overall cyber security within the organisation and across reporting lines
- the hiring and training of cyber security personnel
how can a company address governance considerations?
- a company handbook detailing policies and procedures relating to IT
- regular board meetings, potentially quarterly but more or less often as appropriate
- directors with relevant IT experience
- appointment of chief information officer (CIO) and CTO to look after technology
- reporting lines and accountability for cyber security
what C suite roles are IT related?
CIO with overall IT responsibility to the board
- CTO reporting to the CIO
- CISO reporting to CIO
CRO with overall responsibility for risk
risk committee
(CEO does all for smaller organisations)
the AICPA framework highlights the importance of governance in which areas in particular?
How management must consider the TONE FROM THE TOP
IT EXPERTISE at board level
HIRING and TRAINING of cyber security personnel
REPORTING LINES and RESPONSIBILITY for cyber security within the organisation
what are the cyber security objectives of an organisation?
availability
confidentiality
integrity of data
integrity of processing
how is information communicated internally within an organisation?
policies and procedures
shared drive
employee handbook
training
escalation procedure
how is information communicated externally by an organisation?
legal/law enforcement communications
disclosure policies with third parties
media communications
what areas of a company should be protected?
desktops
laptops
mobile devices
servers
network
IoT
data storage
business applications
what is a server?
- a device/program that provides functionality for other programs or devices
- a single overall set-up can be distributed across multiple processes or devices
- usually a dedicated piece of hardware, but a computer can act as a network server
what is a network?
a method of connecting various devices and allowing them to share resources, applications and other devices
- allows multiple users to share a device like a printer
what are the methods of protecting vulnerable areas of the business?
policies and policy management
software updates
configurations: removing/disabling unnecessary functions
security products: antivirus software
application software controls
what are application software controls?
controls that ensure that data are correctly input, processed and correctly maintained and only distributed to authorised personnel
what are the 3 groups of application controls?
input controls
processing controls
output controls
what are input controls?
- checking and authorising source documents manually
- the use of batch controls
- pre-numbered forms
what are processing controls?
- computer verification and validation checks
- error detection controls such as
  - control totals
  - balancing
what are output controls?
- monitoring of control logs
- physical checking of output
what are some application controls on smart phones?
- asking for authorisation before downloading app
- asking for permission before accessing microphone or camera roll
what are the specific types of protection a firm can use?
identification: usernames, unique ID
authentication: password verification of ID, access code, OTP
authorisation: appropriate access for the individual’s job requirements
encryption: only authorised recipients can view the data/information
physical security: CCTV, safes, security guards, working areas through locked door, doors locked if alarm goes off
certification: digital verification of sender or receiver, ‘digital handshake’
email authentication: DMARC ensures legitimate email from the organisation’s domains is authenticated
what are some examples of identification on Google documents?
shows who has accessed or edited document
what are some inherent problems with passwords?
- authorised users may divulge their password to a colleague
- many passwords may have associations with the user so that the hacker can guess them
- written down close to the computer and easily discoverable
what are some precautions adopted when setting a password?
length: > 8 characters
variety: different characters e.g. numbers, letters, signs
significance: nothing predictable
change: change password regularly
unwritten: should never write down near laptop
private: should not share
single use: should not be used across many log ins
why are we too over-reliant on passwords and what are the alternatives?
average person has over 100 passwords to remember and maintain
alternatives:
- biometric
- two factor authentication
what are brute force attacks?
the attacker works through every possible password until a match is found
automated, so a computer tries guesses far faster than a person could
countered by locking the account (or slowing responses) after a set number of failed attempts
how long does it take to perform a brute force attack?
a keyboard offers 96 printable characters
an 8-character password therefore has 96^8 ≈ 7.2 × 10^15 combinations
at roughly a billion guesses per second a very powerful computer would need about 83 days to try them all (each extra character multiplies the work by 96)
why does WhatsApp have end to end encryption?
so that messages are readable only by the sender and the intended recipients
not even WhatsApp's own servers can read them, so a breach of WhatsApp does not expose message content
there have been cases where hackers illegally accessed users' private data and photos
what is DMARC?
Domain-based Message Authentication, Reporting and Conformance: a DNS-published policy that tells receiving mail servers how to treat messages from the organisation's domain that fail SPF/DKIM authentication and alignment (none, quarantine or reject) and where to send reports, so that people can trust email that passes from the domains an organisation owns
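As an added example (not part of the flashcards), the DMARC receiving-side logic in Python. It implements the identifier-alignment and disposition rules of RFC 7489 on constructed inputs: the record text stands in for what a receiver would fetch from the `_dmarc.<domain>` TXT record, and the SPF/DKIM results are passed in as already computed. The organisational-domain lookup is simplified to the last two labels; a real implementation consults the Public Suffix List.

```python
"""DMARC policy evaluation.

Added example, not from the flashcards. Implements RFC 7489 identifier
alignment and disposition on constructed inputs; DNS lookup, SPF and DKIM
verification are assumed to have happened already. org_domain() is a
simplification (real receivers use the Public Suffix List)."""

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s; rua=mailto:...' into a tag dict."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Relaxed ('r') alignment accepts a subdomain; strict ('s') needs an exact match."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return org_domain(from_domain) == org_domain(authenticated_domain)


def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (dmarc_pass, disposition).

    spf_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_domain: the d= of a DKIM signature that verified, else None.
    DMARC passes if either authenticated identifier aligns with the
    RFC5322.From domain; otherwise the published policy applies."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or aligned(from_domain, dkim_domain, tags["adkim"]):
        return True, "none"
    return False, tags["p"]
```

The caveat the cards leave implicit: a `p=none` record only monitors. Forged mail still reaches the inbox until the owner moves to `quarantine` or `reject`.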
what are the main forms of personnel control?
recruitment controls: pre employment screening
policies and procedures
training
supervision and monitoring:from managers and IT
should contractors be treated differently to permanent staff as a security weakness?
no
should have same level of training and awareness
why do personnel controls have limitations?
threats constantly changing: threat actors develop, so our training and controls should too
lapses: human nature experiences lapses, especially under a targeted or well planned attack
what are the most common types of certificate?
SSL: Secure Sockets Layer, now replaced by
TLS: Transport Layer Security
(strictly, the certificate is an X.509 certificate; SSL/TLS is the protocol that uses it)
how can certificates cause disruption?
if a certificate expires, clients can no longer validate the service or software presenting it, so connections fail
- Xbox Live and Azure
- O2 and Ericsson
what is a Man in the middle (MitM) attack?
the attacker secretly makes independent connections to two parties and relays messages between them
the aim is to make them think they are communicating directly with each other while the attacker sits in the middle, reading and possibly altering the conversation
- collects the information passing between them
- requires specialist knowledge to target
how can companies protect themselves from MitM attacks?
certificates let each party verify the other's identity, so an attacker in the middle cannot impersonate the server without a certificate the client trusts
why did DigiNotar file for bankruptcy after a MitM attack?
DigiNotar was a Dutch Certificate Authority
hacked in 2011; the attacker issued over 500 fraudulent certificates
a rogue *.google.com certificate was used to intercept the Gmail traffic of around 300,000 users, mostly in Iran
major browser vendors removed DigiNotar's root certificates from their trust stores, destroying its reputation
filed for voluntary bankruptcy within weeks
what are some detection strategies that organisations can employ?
event monitoring: log of events recorded in files
intrusion detection and prevention systems: monitor activity on an ongoing basis
threat monitoring: study the way hackers attempt to infiltrate
user reports: users identify and report unusual activity
what is an IDS?
an Intrusion Detection System analyses and monitors network traffic for signs of suspicious behaviour that might indicate attackers are using a known cyber threat to infiltrate the network or steal information
works by comparing current network activity to both expected traffic and a threat (signature) database to detect problems such as security policy violations or malware
passive: it alerts but does not itself block the attack
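As an added example (not part of the flashcards), the two kinds of comparison the IDS card describes, in Python over constructed data: `detect_port_scans()` compares activity against expected behaviour (one source touching many ports in a short window) and `match_signatures()` compares payloads against a small constructed 'threat database' of known attack strings.

```python
"""Two detection styles a network IDS combines.

Added example, not from the flashcards. Both inputs are constructed:
FLOWS are (time, src, dst, dst_port) connection records and the payloads
are request bytes. detect_port_scans() is anomaly-style; match_signatures()
is signature-style."""
from collections import defaultdict, deque

SCAN_THRESHOLD = 10   # distinct destination ports ...
SCAN_WINDOW = 5.0     # ... within this many seconds

# Constructed flows: 10.0.0.9 sweeps ports 20-34 in 1.5 s; two normal clients
FLOWS = [(0.1 * i, "10.0.0.9", "192.168.1.5", 20 + i) for i in range(15)] + [
    (1.0, "10.0.0.2", "192.168.1.5", 443),
    (2.0, "10.0.0.3", "192.168.1.5", 443),
    (3.0, "10.0.0.2", "192.168.1.5", 80),
]

# Constructed signature set: name -> byte pattern
SIGNATURES = {
    "shellshock-cgi": b"() { :;};",
    "sqli-tautology": b"' OR '1'='1",
    "path-traversal": b"../../",
}


def detect_port_scans(flows, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Return sorted source IPs that contacted more than `threshold` distinct
    ports within any `window`-second span."""
    recent = defaultdict(deque)          # src -> deque of (time, port)
    alerts = set()
    for ts, src, _dst, dport in sorted(flows):
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len({port for _, port in q}) > threshold:
            alerts.add(src)
    return sorted(alerts)


def match_signatures(payload, signatures=SIGNATURES):
    """Return sorted names of signatures found in the payload."""
    return sorted(name for name, pattern in signatures.items() if pattern in payload)
```

Signature matching only catches what is already in the database; the scan detector catches behaviour, which is why real IDS deployments use both and tune the thresholds to the site's normal traffic.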
what is an IPS?
an Intrusion Prevention System behaves like a firewall, creating a filter between the outside world and the internal network
IPS are active: they drop suspicious network traffic that appears to represent a known security threat
can only act on threats that have already been identified (signature-based), and a mistaken block affects legitimate traffic
how did Dr Ian Levy of the National Cyber Security Centre turn a potential hack into an info sharing lesson?
almost got duped by a prankster who sent a very convincing email pretending to be a colleague
asked the prankster to help educate people about the signs to look out for when receiving a phishing or spear-phishing email
wrote a blog together on NCSC website detailing what prankster had done and how Dr Levy spotted it was a phishing email
what is a CIRT?
Computer Incident Response Teams
what is a CSIRT?
Computer Security Incident Response Teams
what are the primary functions of the CIRT or CSIRT?
- minimise any losses
- restore normal operations as soon as possible
- assist with any investigations, internally or externally
- help provide data and information to support decision making and developing a planned response
- assist with communications during the critical periods with various stakeholders groups
how can we protect desktops against risk?
physical: locks (doors, cables)
authentication: passwords required, log off after inactivity
policies: automatic screensavers, security updates
how can we protect laptops against risk?
same as desktop
some business laptops have fingerprint and iris scanner
policies:safe storage guidelines
can be secured to desk by security cable but cable could be cut
how can we protect mobile phones against risk?
authentication: passwords and biometrics
policies: updates, downloads
autolock if idle
what are traveller laptops?
for the trip
have disk encryption with only necessary data on file
data removed after trip or laptop destroyed
what is BYOD and how is it protected?
bring your own device: employees must submit their devices to the same company-wide security policies as company-owned devices
policies: acceptable use, allowable software usage
sometimes it is just not allowed
what is NCM?
network configuration management is a vital part of the security process
- enables companies to set up a network to meet its communication needs
- organising and maintaining information about its network e.g. locations, IP addresses, default setting and versions of software that are installed
how does NCM protect the network?
maintain information about the network
segmentation to prevent cross over into different parts of the network
monitor changes in configuration
ban use of USBs as they might contain malware
how to curb access through wifi at university?
different network for different groups
- staff have access to more sensitive information
- student access has minimal control
how have NCMs reduced the effectiveness of ransomware?
organisations have data backed up and accessible so are no longer willing to pay
the attackers' response is the exact opposite of locking data away: they threaten to publish it for everyone to see, an attack known as doxware
what are the 2 main types of firewalls?
network firewalls: restrict access to systems and websites
- like a perimeter fence around the network
- e.g. block social media
application firewalls: monitor traffic to and from individual applications
- additional security layered on top of network firewalls
- containerisation: the application is held within its own environment e.g. Citrix
how do antivirus and endpoint security help against cyber risk?
endpoint: helpful if many users, locations and devices.
- each device has remote connection and access point
- no unauthorised access
what is business continuity planning?
proactive and designed to allow the business to operate with minimal or no downtime or service outage whilst the recovery is being managed
what is disaster recovery planning?
reactive and limited to taking action to restore the data and applications and acquire new hardware
what does disaster recovery planning involve?
- making a risk assessment
- developing a contingency plan to address those risks
what are some examples of backups some organisations now use?
mirror site
- copy of the website hosted on different URL
- can relieve traffic
- expensive approach
hot back up site
- building that physically replicated all of the current data centre/servers
- latest backup ready
warm back up site
- building that has all the critical hardware
- will need to be configured for latest backup
cold back up site
- an area where new hardware could be set up
- none of the hardware or backup is ready to go
- cheapest option
how does a system backup provide protection against the loss or corruption of data?
- faults in the hardware
- the accidental deletion of a file by a computer operator
- damage to a data file by a hacker
why would it have been worth the investment for BA to have a hot backup site in 2017?
- power outage
- no disaster recovery plan to core operation
- felt by passengers days later
- cost as high as £100m
why would it have been worth it for QuadrigaCX to have a business continuity plan?
founder passed away travelling
had sole responsibility for looking after funds and coins
only one with access
money, of $190m, is completely inaccessible
experts have tried to break in
should not have let him be sole guardian, esp with medical condition
-poor risk management
what is ISO27001?
standard produced by the International Organisation for Standardisation (ISO)
- concerns information security management systems
- focuses on all aspects of an organisation’s information risk management processes
what is the key principle of the ISO27001?
ensure proactive rather than reactive approach to cyber security risk management
what is the 6 part planning process of the ISO27001 specification?
- define a security policy
- define the scope of the Information Security Management System (ISMS)
- conduct a risk assessment
- manage identified risks
- select control objectives and controls to be implemented
- prepare a statement of applicability
what is the PDCA?
Plan-Do-Check-Act model
- structures processes in old version of ISO27001
- reflected in OECD principles
what is the ISO27002?
originally published as a renaming of the ISO/IEC 17799 standard
what do B2B partners require due to the high regard for ISO standards?
require the partners to be ISO 27001 compliant
what is a blockchain?
decentralised, distributed and public digital ledger that is used to record transactions across many computers so that the record cannot be altered retroactively without the alteration of all subsequent blocks and the consensus of the network
BOE definition: technology that allows people who do not know each other to trust a shared record of events
what is the benefits of blockchain?
SECURITY
an open record keeping mechanism that has been described as a form of collective bookkeeping; provides an effective control mechanism aimed at preventing a hacker privately modifying records
what are the key features of blockchain?
- recorded by a number of participants
- agreement of all participants
- verification carried out by computers
- a new block is added linking to previous blocks using a cryptographic hash, ensuring the chain is never broken and a permanent record exists
what happens if someone interferes with blockchain?
rejected by those network parties making up the blockchain whose role it is to verify the transaction
how can Bitcoin be acquired?
- exchanging other currencies for Bitcoin (most common)
- bitcoin mining (solve maths problems)
how can blockchain benefit the accounting profession?
- reducing the cost of maintaining and reconciling ledgers
- providing absolute certainty over the ownership and history of assets, the existence of obligations and the measurement of amounts owed to a business and owed by a business
- freeing up time to allow staff to concentrate on other responsibilities such as planning, valuation, reporting rather than record keeping
what potential does blockchain have?
- can streamline and speed up organisations
- improve defences against cyber risks
- reduce or entirely remove the need to use expensive 3rd party security application
- ERP uses
- reduced procurement costs, lower inventory levels
- avoid forex costs
what are the risks to blockchain?
it is not unhackable
- attractive to those wishing to use it for unauthorised purposes
- more time spent analysing ways to overcome the controls that are in place
what is the 51% attack in crypto?
if a single party controls more than 50% of the mining (hashing) power of a chain it can outpace the honest miners, rewrite recent blocks and spend the same coins twice (a double spend)
mainstream cryptocurrencies are unlikely to be attacked this way because the hash power needed is enormous, but smaller ones can be and have been
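As an added example (not part of the flashcards), a minimal hash-linked ledger in Python that shows the two blockchain cards above in code: each block commits to the previous block's hash, so altering a past record breaks every later link, and repairing it means re-mining every later block, which is the work a 51% attacker has to out-run. The proof-of-work difficulty is deliberately tiny so the demo runs instantly.

```python
"""Hash-linked ledger with a toy proof of work.

Added example, not from the flashcards. Every block commits to the previous
block's hash; changing an old transaction breaks every later link, and
rewriting history means re-mining every later block. DIFFICULTY is tiny so
the demo finishes instantly."""
import hashlib
import json

DIFFICULTY = 2  # required number of leading hex zeros in a block hash


def block_hash(block):
    """SHA-256 over a canonical serialisation of everything except the hash field."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def mine_block(index, prev_hash, transactions):
    """Search for a nonce that gives the block a hash with the required prefix."""
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while True:
        digest = block_hash(block)
        if digest.startswith("0" * DIFFICULTY):
            block["hash"] = digest
            return block
        block["nonce"] += 1


def build_chain(batches):
    chain = [mine_block(0, "0" * 64, [])]  # genesis block
    for txs in batches:
        chain.append(mine_block(len(chain), chain[-1]["hash"], txs))
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if the chain verifies."""
    for i, blk in enumerate(chain):
        if blk["hash"] != block_hash(blk) or not blk["hash"].startswith("0" * DIFFICULTY):
            return i   # contents no longer match the hash, or proof of work missing
        if i > 0 and blk["prev_hash"] != chain[i - 1]["hash"]:
            return i   # link to the previous block is broken
    return None


def demo():
    """Constructed ledger: verify, tamper, re-mine the tampered block, verify again."""
    chain = build_chain([[{"from": "A", "to": "B", "amount": 5}],
                         [{"from": "B", "to": "C", "amount": 2}]])
    results = {"clean": verify_chain(chain)}
    chain[1]["transactions"][0]["amount"] = 500        # alter a past record
    results["tampered"] = verify_chain(chain)          # block 1 no longer matches its hash
    chain[1] = mine_block(1, chain[0]["hash"], chain[1]["transactions"])
    results["remined"] = verify_chain(chain)           # block 2 still points at the old hash
    return results
```

Re-mining one block only moves the break one block along; an attacker has to redo every block after the edit faster than the rest of the network extends the honest chain, which is why majority hash power is the threshold.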
what are the components of centralised monitoring?
event logging and aggregation
- keep a record of activity e.g. log-ins, areas accessed
- on its own a raw log is shallow and rarely reviewed
- but essential for administration, accountability and forensic analysis
- best practice is to send logs to a SOC
security information and event management (SIEM)
- make monitoring more effective
- work alongside prevention methods
- look for patterns or unusual activity through data analysis
- identify threats
modern security operations centre (SOC) functions
- incident response team
- threat intelligence team
- hunt team
- insider threat team
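As an added example (not part of the flashcards), the kind of pattern a SIEM looks for when it turns aggregated logs into an alert, in Python over constructed OpenSSH-format log lines: a burst of failed logins from one source IP followed by an accepted login from the same IP, which is what credential guessing looks like when it succeeds. A single failed login on its own is noise; the correlation across events is what makes it a detection.

```python
"""SIEM-style correlation rule over authentication logs.

Added example, not from the flashcards. LOG is constructed in OpenSSH's
format. Rule: if a source IP accumulates at least THRESHOLD failed logins
within WINDOW seconds and then gets an 'Accepted', raise an alert."""
import re
from collections import defaultdict
from datetime import datetime

THRESHOLD = 3
WINDOW = 60  # seconds

LOG = """\
2024-03-01T09:00:01 host1 sshd[101]: Failed password for admin from 203.0.113.7 port 5001 ssh2
2024-03-01T09:00:03 host1 sshd[102]: Failed password for admin from 203.0.113.7 port 5002 ssh2
2024-03-01T09:00:04 host1 sshd[103]: Failed password for root from 203.0.113.7 port 5003 ssh2
2024-03-01T09:00:06 host1 sshd[104]: Failed password for jsmith from 203.0.113.7 port 5004 ssh2
2024-03-01T09:00:09 host1 sshd[105]: Accepted password for jsmith from 203.0.113.7 port 5005 ssh2
2024-03-01T09:05:00 host1 sshd[106]: Failed password for alice from 198.51.100.2 port 6001 ssh2
2024-03-01T09:05:30 host1 sshd[107]: Accepted password for alice from 198.51.100.2 port 6002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log):
    """Normalise raw lines into event dicts; lines the pattern does not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for 'N failures then a success' from the same source IP."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if (ev["ts"] - t).total_seconds() <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"], "failures": len(recent),
                           "ts": ev["ts"].isoformat()})
    return alerts
```

The alert is what the incident response team picks up; alice's single typo followed by a success stays below the threshold and is not escalated.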
what are the different functions of a SOC?
incident response team
- when threat identified by SIEM, process is initiated
- focus is on business continuity
threat intelligence team
- monitor and identify threats
- especially industrywide
- pass information onto monitoring
hunt team
-look for sign of intrusion
insider threat team
- check who is causing threat internally
- investigate internal environment
what are some examples of the gap between security breaches and detection increasing as attackers act more discreetly?
Verizon 2018 Data Breach Investigations Report:
- 87% of breaches took only minutes or less for attackers to compromise systems
- only 3% were discovered as quickly; 68% went undiscovered for months
- the only industry where the threat from insiders is greater than from external actors is healthcare; human error is a large factor, and curiosity another, e.g. looking up celebrity details
what is forensic analysis?
the process of examining what the attack/attacker has left behind to understand how the systems were breached, so that defences can be improved in the future
what are the 3 main areas to consider in forensic analysis of cyber-attacks and cyber security?
system level analysis
storage analysis
network analysis
what is system level analysis?
look at:
- system components:what has changed
- configuration changes:settings of the systems and how programmes run can be affected by malware
- services enabled without authorisation:once the malware is installed the attacker needs to be able to access the system again in the future to enable theft or further intrusion
- fake accounts created:setting up fake accounts is a common way to re-enter a system
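As an added example (not part of the flashcards), the 'what has changed' question of system level analysis answered with a file-integrity check in Python, the way monitors such as Tripwire or AIDE work: hash every file into a baseline, take a later snapshot and diff the two into added, removed and modified files. `demo()` builds a constructed directory in a temp folder and plays an intruder who edits a configuration file, drops a hidden binary and deletes a log.

```python
"""System-level analysis: what has changed?

Added example, not from the flashcards. A file-integrity check: hash every
file under a root into a baseline, re-snapshot later and classify the
differences. demo() uses a constructed temp directory and scenario."""
import hashlib
import os
import tempfile


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, permission bits) for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            state[rel] = (sha256_file(full), os.stat(full).st_mode & 0o7777)
    return state


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified (content or mode changed)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline, intrusion, re-snapshot, report."""
    root = tempfile.mkdtemp()
    _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
    _write(root, "bin/ls", b"\x7fELF original binary\n")
    _write(root, "log/auth.log", b"Accepted publickey for ops\n")
    baseline = snapshot(root)

    _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")   # configuration change
    _write(root, "bin/.cache", b"\x7fELF dropped implant\n")     # new executable for re-entry
    os.remove(os.path.join(root, "log/auth.log"))                # evidence removed
    return diff_snapshots(baseline, snapshot(root))
```

The check is only as good as the baseline: it must be taken from a known-good state and stored somewhere the attacker cannot rewrite, or the diff will be against an already compromised system.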
what is footprints in the sand?
once it is known that a system has been compromised, the first stage is to identify what part of the system is affected
what is storage analysis?
- finding deleted or corrupted files
- spotting files that are unreferenced or otherwise undetected
what is network analysis?
monitoring the amount of data moving across a network at a single point in time i.e. network traffic
- doesn’t show what data but which users are on the network
- spots users at unexpected time or level
what is malware analysis?
analysis on malware to understand more about it
- how it got on
- purpose
- intended for this organisation specifically?
can improve future defences
reverse engineering or decompilation and disassembly
what is reverse engineering?
deconstruct the subject to understand how it was designed and how it works and whether you were intended target
unravel layers: code and functionality hidden below layers of code ('obfuscation')
what is decompilation and disassembly?
once layers of code removed, vital analysis required to understand how it works and why it was put into their system, especially if it was a targeted attack
as in fraud investigation, understanding how the opportunity to infect arises and discovering motive is important
what is penetration testing?
testing how good a company's cyber security is
can involve ethical hackers who are hired to try to penetrate the network or system
types include
- network discovery
- vulnerability probing
- exploiting vulnerabilities
- internal network penetration testing
- web application penetration testing
- wireless network penetration testing
- simulated phishing testing
what is network discovery?
external network or infrastructure penetration testing
understanding the scope of a network, all the devices that connect to a network from desktops and laptops, right through to smart phones and the IoTs
what are some of the issues that can be discovered through network discovery penetration testing?
- operating systems, applications and server managements systems that do not have the most up to date security patches
- insecure or unused network protocols
- software, firewalls and operating system that are not configured correctly
how are end points and access points related?
more end points there are in a network, the more access points there are to that network
if any of these do not have up to date security features or the latest patches they are a potential vulnerability for that network
what is vulnerability probing?
identifying devices connected to the system that are the most susceptible to an attack
what is exploiting vulnerabilities?
where the ethical hacker attempts to gain access to the system, seeing how long it takes and what access can be gained
what is internal network penetration testing?
ethical hacker is granted an internal profile
it is important that an organisation appreciates it is not just external threats; disgruntled employees could provide internal assistance to hackers
can test:
- inappropriate access by internal users
- unsecured workstations
- weak or unchanged passwords
what is web application penetration testing?
looking for poor set up of web based applications due to poor design, coding and publishing
- identify potential for injection (lack of validating processes)
- cross-site scripting opportunities
- the ability for a user to gain access to more of the application or site than they should (i.e. privilege escalation)
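As an added example (not part of the flashcards), the injection item above as code: a login check against an in-memory SQLite database with a constructed user table, written first the vulnerable way (input spliced into the SQL text, so quotes and comment markers become syntax) and then the fixed way (the same input bound as parameters). Passwords are stored in plain text here only to keep the example short; a real system stores password hashes.

```python
"""Injection: the vulnerable query beside its fixed form.

Added example, not from the flashcards. Constructed in-memory SQLite
database; login_vulnerable() concatenates user input into SQL, login_safe()
binds it as parameters. Plain-text passwords are for brevity only."""
import sqlite3


def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    return db


def login_vulnerable(db, username, password):
    """Deliberately vulnerable: string concatenation into the query text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Parameterised: the driver passes the values separately from the SQL text,
    so they can never be parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()
```

With the payload `' OR '1'='1` as the password the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row; with `alice'--` as the username the rest of the query is commented out. The parameterised version treats both strings as ordinary data and returns no row.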
what is wireless network penetration testing?
seeks to identify any rogue devices or access points that should not be in an organisation’s secured environment
- open access points or rogue access points
- badly configured wireless networks
- accidental duplication of wireless networks
- insecure wireless encryption
what is simulated phishing testing?
where the organisation checks how well the workforce follow training/internal guidance with regards to phishing attempts
what is software security?
process of writing security into software
-attacks are complex so security needs to be considered
what are the 3 levels of security software?
Level 1: prevention of access to the software from unauthorised sources
Level 2: writing detection of unauthorised access into the software
Level 3 is writing the response into the software, alerting appropriate teams/departments to investigate the breach
what are the other considerations of software security?
design review: considering the implications of technology development and the interconnectivity of devices; when the software for some devices was designed, the devices did not have the connectivity or importance they have now
code review: considering how the code is written and how someone proves they should be allowed access to the software
security testing: internal audit type review to check controls are being carried out and are appropriate for the risk
what is two step verification vs two factor authentication?
two step: requires two pieces of the same type of information, each from a different source e.g. a password then a code sent by email or SMS
two factor: the user proves their identity in two different ways e.g. a password (something known) then a fingerprint (something they are) or a trusted device (something they have)
companies are switching to two factor for the increased security
what is security testing?
internal audit-type review will be required to test whether the controls are actually being carried out (compliance) and are appropriate for the risk area (substantive)
what are the 2 key software controls in existence in most organisations?
version control: links into network configuration management (NCM) and monitors the various devices on the network to make sure that the software in use is still supported by the software provider
- as software gets older, flaws in the software become better known so more susceptible to attacks
- after a few versions will be at end of life
patch management:provider of software becomes aware of flaw and issues update to the software to correct the flaw
- uses NCM to push software updates through to devices
- updates run at different frequency
- ISO27001 compliant control
what is the SDLC?
the systems development life cycle are the 6 stages within a system’s life cycle
planning: PID, PQP, WBS, budget
analysis: get to root of problem via user involvement e.g. questionnaires, complaints review
design: prototyping
development: build the system which has been agreed on
implementation: staff training, file conversion, documentation, testing
review: post completion audit/review, cost, timescale
what are the system development risks?
- they fail to satisfy the user’s real requirements:the system was specified incorrectly
- they do not provide the data processing or information for which they were designed or to the quality expected
- the system was therefore designed and programmed incorrectly
- they cost much more to develop and run than expected. The system is therefore less efficient than expected
what is the first stage of creating an effective incident response plan?
consider which key functions and departments need to be represented
may consider cyber security consultants, internet service provider and outsider IT experts
create a list of roles, responsibilities and contact information
how can the CIMA risk management cycle be applied to creating an incident response plan?
Identify risk areas
Understand and assess the scale of the risk:which digital assets , network set up and source of the breach, weaknesses
Development of risk response strategy:review the current response that the organisation has in place and any finding from penetration tests
Prioritisation:scale the risk, identify potential and actual security compromises
implement, monitor, review and refine
- consider risk appetite
- consider threats
- include a triage or workflow to help stakeholders
- guidance about communication:not too often or too little
- think like attacker
what is triage?
comes from medical profession where prioritisation and treatments are decided based on severity of the patient’s condition and their likelihood of recovery with and without any treatment
in cyber security, patient would be the technology that has been compromised by a cyber-breach
what are the key things to remember when implementing the incident response plan?
- keep calm and use the plan
- understand what is developing: scope and context
- track everything:evidence will help
- involve legal and PR as appropriate
- use a trusted partner
What are the 6 actions an organisation must consider in Beyond Cybersecurity to achieve Digital Resilience?
Identify all issues: understand what an organisation has and how it is protected
Aim toward a well-defined target:set a stretching, understandable and achievable target
-prioritisation of key issues and remembering basic controls
Work out how best to deliver the new cyber security system:considering roles, responsibilities and potentially change management issues
Establish the risk resource trade offs:reviewing different potential solutions and selecting the most appropriate
Develop a plan that aligns business and technology:regulatory and future developments should be considered
Ensure sustained business engagement:all employees must be involved and understand their role
what are the three types of control to improve security?
business process controls
IT controls
cyber security controls
cyber security controls is usually the focus
why is it unlikely any regulatory requirements will come in in relation to cyber security?
complex and rapidly changing environment
what is the AICPA?
the American Institute of Certified Public Accountants; in 2017 it and CIMA formed the Association of International Certified Professional Accountants ('the Association')
the AICPA's cybersecurity risk management reporting framework (2017) came from the first major accounting body to consider not just how to deal with cyber security issues but also how to report to stakeholders about cyber security
what was the aim of the AICPA framework?
to consider the needs of the various stakeholders in any organisation from the board, managers, investors, funding providers etc
what are the 3 key components of the AICPA reports?
management’s description: main part of the report and include a description of the sensitive information, risks and controls in place, detail should be in line with the AICPA description criteria and control criteria
management’s assertions: management give their opinion if the risks were described in accordance with the criteria and if the controls were appropriate
practitioner’s opinion:final section is where a qualified practitioner gives their opinion on the description of the risks and whether the controls in place are effective
what is the 2 set of criteria in the AICPA cybersecurity risk management report?
description criteria: very detailed 33 page document and links into cyber security risks
control criteria:this is a comprehensive document over 300 pages and lists out various potential risks and potential controls an organisation could have in place, references to the COSO Framework
what are the attributes of the description criteria on the AICPA cybersecurity risk management report?
relevance: to the business operation
objectivity: free from bias
measurability: criteria can be reasonably measured using a consistent approach
completeness: relevant factors are not omitted
what are the nine categories of description criteria that management should consider?
nature of business and operations: what business the entity is involved in and day to day operations
nature of information at risk:consideration of the types of sensitive information the entity is involved with (creation, collection, transmission, storage) that would be subject to cyber security risk
cyber security objectives: explain main objectives, availability, confidentiality and integrity of data
factors that have a significant effect on inherent cyber security risks: technologies, delivery channels, organisational and user characteristics, changes in the period that could affect cyber security risks
cyber security risk governance structure
cyber security risk assessment process
cyber security communications and quality of cyber security information
monitoring of the cyber security risk management program
cyber security control processes
what is the NIST cybersecurity framework?
NIST: National Institute of Standards and Technology
- non-regulatory agency of the US Department of Commerce
what is the National Cyber Security Centre?
section in the UK GCHQ that gives advice to UK organisations and individuals about staying safe online
what are the 3 main components of the NIST cybersecuirty framework?
Implementation tiers: provide the context linking into risk appetite, budget and mission
Core: provides a set of cyber security activities, organised around five functions:
- IDENTIFY threats to an organisations systems and data
- PROTECT against threats
- DETECT when a system has been breached
- RESPOND effectively to systems breaches
- RECOVER any compromised data and the systems affected
Profiles: map the objectives to the desired outcomes of the core
what is the AIC Triad approach to cyber security?
aimed at helping organisations understand information security and set up policies to help protect the organisation
what are the 3 elements of the AIC Triad? What else is it known as?
CIA Triad or the Security Triad
Availability: systems must be online and available, otherwise organisations cannot do business
Integrity: making sure that people who modify data are authorised to do so means the data is more likely to be accurate and trustworthy
Confidentiality:when data is being stored and when it is in use or in transit there need to be rules in place to limit access to those who are authorised to use it
these are also fundamental concepts in the AICPA approach, but the triad is more accessible and likely to be used by smaller businesses
how can organisations protect against downtime and ensure availability? (AIC Triad)
keeping up to date with software patches
understanding networks requirements and busy times
disaster recovery planning
business continuity planning
how can organisations maintain integrity in data? (AIC Triad)
user access controls
check on data to ensure it is the same before and after transmissions
version controls, so if data is accidentally deleted back up can be restored
how can organisations maintain confidentiality? (AIC Triad)
training on risk factors and protecting against them:
- social engineering approaches
- password best practices
- data encryption
what are some developments that pose particular challenges to frameworks?
big data
IoT: more access points and bigger threats
privacy: fragments of data accessible at endpoints can be collated to form PII
security: software updates
what are the limitations of frameworks?
- no defence is risk proof
- can only provide reasonable assurance
- can be expensive to implement and CBA analysis should be carried out
- patches and anti-virus software are only designed to cope with known threats or weaknesses