cybersecurity concepts & defense best practises

Cybersecurity Concept & Defense best practices. Presented by Wajahat Iqbal, B.E (Computer Science), ISO 27001 LI, ISO 22301 LI

Upload: wajahat-iqbal

Post on 09-Jan-2017


TRANSCRIPT

Page 1: Cybersecurity concepts & Defense best practises

Cybersecurity Concept &

Defense best practices

Presented by

Wajahat Iqbal

B.E (Computer Science), ISO 27001 LI, ISO 22301 LI

Page 2

Cybersecurity Concept & Framework

Page 3

Definition

The Cybersecurity domain is a collection of best practices, technologies, frameworks and standards that protect an enterprise, organization, government entity, military establishment or individual user from global cyber threats (identity theft, cyber theft, cyber ransom, infrastructure damage) that result in financial, economic, copyright information, personal identity or infrastructure loss.

Page 4

Major Cybersecurity standards

NIST Cybersecurity Framework (de-facto standard)

ISO 27001 (Information Security Management Framework)

ISACA COBIT5

NIST SP800-53

NIST SP800-30

ISA 62443

ISO 27005

The Cybersecurity standards were first adopted in the Seoul (South Korea) Conference on Global Cybersecurity in 2013

Page 5

Cybersecurity holistic view

Manage physical access to IT infrastructure

Manage sensitive documents and output devices

Monitor the infrastructure for security-related events

Protect against malware (*** most challenging)

Manage network and connectivity security

Manage user identity and logical access

Protect critical and vital infrastructure (banks, vital industrial installations, IT, nuclear power, dams, defense)

Page 6

Cybersecurity Lifecycle

The Cybersecurity Lifecycle can be described aptly by the diagram below (Figure-1), which decomposes the various stages.

Figure-1: Cyber security Lifecycle

(1) Identify business outcomes

(2) Understand vulnerabilities and threats

(3) Create current profile

(4) Conduct risk assessments

(5) Apply controls

(6) Create target profile

(7) Determine/prioritize gaps

(8) Implement plan

(9) Report to stakeholders

(10) Continuous monitoring

Page 7

Risk actions

The most generally accepted actions in the Risk Management cycle are:

(1) Risk Acceptance

(2) Risk Transfer

(3) Risk Avoidance

(4) Risk Mitigation – the most practised action

Which action is taken depends on the risk appetite / risk tolerance threshold of an organisation. These are drawn from the ISO 27001 standard for ISMS, which is the most widely used and accepted standard on IT security involving risk management processes.

Page 8

HACKERS & ATTACKS

Page 9

Threat to Cyberdefense

The damage caused by threats to cyberdefense can be characterized as loss of “Confidentiality, Integrity or Availability (CIA)”, the basic model of data security as practiced in ISO 27001/27002 and other globally accepted standards.

Page 10

Hackers profile

The different types of hackers are:

Individual hacker

State sponsored (with political & military agenda)

Cyber criminals (organised mafia)

Page 11

Hacker Kill Chain

The Kill Chain methodology of the US aeronautics major Lockheed Martin describes seven steps from reconnaissance through actions on the objectives, and recommends that defenses be designed to align with each of the seven steps in the process below:

Page 12

Summary of Kill Chain

Reconnaissance:

Finding the host, Internet website, domain

Do an IP address scan of the business domain

Do a port scan of the active hosts

Automated scanning by botnets (compromised systems)

Locate the network topology and identify potential access control devices

Page 13

Summary of Kill Chain (Cont’d)

Weaponization:

Identify the vulnerability

Initiate the attack

Coupling a remote access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (the commonly used weaponizers are Adobe PDF and Microsoft Office documents)

Delivery:

Transmission of the weapon to the targeted environment

The three most prevalent delivery vectors for weaponized payloads are emails, compromised web sites & USB removable media

Page 14

Summary of Kill Chain (Cont’d)

Exploitation:

The email, website or USB payload exploits a vulnerability on launch and the hacker gets remote access to an admin shell

Exploitation targets an operating system or application vulnerability

Installation:

Install malware (malicious code) into memory, disk or the operating system kernel; modify the Windows registry; modify the Unix kernel

Allows installation of a remote access Trojan or backdoor on the victim system

Page 15

Summary of Kill Chain (Cont’d)

Command & Control (C2):

Compromised systems/hosts beacon back to the master controller to establish the C2 channel

The hacker gains complete control of the compromised system

Intruders have “hands on the keyboard” access to the targeted environment

Action:

This activity is data exfiltration, which involves collecting, encrypting and extracting information (e.g. deface website, steal credit card information, steal copyright information, steal IE passwords, modify banking websites, steal medical records), etc.

Page 16

BOTNET Attack (Automated)

These days professional hackers, malware developers and cyber criminals work in tandem to develop automated tools to initiate a cyber attack against the intended victim/host. The mechanism is to install a remote access Trojan (RAT) on compromised systems (BOTNETS), which could number in the thousands, and then initiate the attack in phases as shown in Figure-2 (next page).

Key components of a BOTNET attack:

BOTNET construction kit

Command & Control capability

Remote Access Trojan (RAT)

Custom developed malware (malicious code) for the intended victim/host

(Example BOTNET attacks - ZEUS, CITADEL, GO ZEUS)

Page 17

BOTNET Attack (Automated): Figure-2 (attack phases)

Page 18

Type of Cyber Attacks

Page 19

Famous hack attacks

Page 20

MALWARE

Page 21

Malware: Types & Protection

Page 22

SOC - CYBERSECURITY ARCHITECTURE

SOC Components Lately SOC has become an integral part of any

Organisation to protect itself from Cyber attacks and detect/correct/recover from a Cyber Incident in the quickest span of time without further damage to its reputation. The critical components of a SOC are:

IDS/IPS Infrastructure

Firewall Infrastructure

SIEM (Security Information and Event Monitoring System)

Logging and Alerting mechanism

Security Incident Processes

Forensics capability

User Training & Retention

Managing Evidence

23

Page 24

SOC Individual Process Layers

Page 25

Cybersecurity Architecture

The Cyber Architecture consists of the following components:

• Network Security

• Identity, Authentication and Access Management

• Data Protection and Cryptography

• Monitoring, Vulnerability & Patch Management

• High Availability, Disaster Recovery & Physical Protection

• Asset Management & Supply Chain

• Policy, Audit, E-Discovery & Training

• Systems Administration

• Application Security

• Endpoint, Server & Device Security

Page 26

Defense in Depth (DOD)

This is the most common practice employed by organisations to create and implement a multilayered approach to cybersecurity. It is described by the following process (Figure-3) and can be implemented at various layers of the network infrastructure.

Page 27

9 Basic steps of Cybersecurity

These are the guidelines to follow while drawing up a comprehensive cybersecurity program in an organisation:

#1: Explore the legislation and other requirements

#2: Define the business benefits and get top management support (very important)

#3: Set the cybersecurity requirements

#4: Choose the framework for cybersecurity implementation

#5: Organize the implementation (setting up teams, PM resources, project charter, budget etc.)

#6: Risk assessment & mitigation (applying controls)

#7: Implementation of controls

#8: Training & awareness

#9: Continuous monitoring and checks, and reporting to senior management (C-level executives)

Page 28

Cybersecurity operational processes

To maintain an effective cybersecurity posture, the CISO should maintain a number of enterprise operational processes, including the following:

Policies and policy exception management

Project and change security reviews

Risk management

Control management

Auditing and deficiency tracking

Asset inventory and audit

Change control

Configuration Management Database re-certification

Supplier reviews and risk assessments

Page 29

Cybersecurity operational processes (Cont’d)

Cyber intrusion response

All-hazards emergency preparedness exercises

Vulnerability scanning, tracking & management

Patch management & deployment

Security monitoring

Password and key management

Account and access periodic re-certification

Privileged account activity audit

Page 30

SANS TOP 20 CRITICAL SECURITY CONTROLS

Page 31

SANS top 20 Controls

These are widely established critical controls to maintain a healthy network security posture

Page 32

INCIDENT PROCESS & MANAGEMENT

Page 33

Incident Process & Management

Page 34

NETWORK PERIMETER SECURITY (BEST PRACTISES)

Page 35

Network perimeter best security practises

Restrict use of administrative utilities (e.g. Microsoft Management Console)

Use a secure file permission system, i.e. the NTFS & UFS file systems

Manage users properly, especially the admin accounts on Unix & Windows machines

Perform effective group management for Admin, Print, Power, Server Operator & normal users in Windows 2000 O.S

Enforce a strong password policy and password aging for users

Enable the Windows O.S and Unix O.S logging facility

Eliminate unnecessary accounts (especially those of employees who have left the organisation)

Disable the resource sharing service and remove the hidden administrative shares – C$, ADMIN$, WIN NT$ in older versions of Windows O.S

Disable unneeded services in Unix – Telnet, Finger, tftp, NTP (Network Time Protocol)

Applications should use the latest security patches in the production environment

Page 36

Network perimeter best security practises (Cont’d)

Enforce the use of NAT (Network Address Translation) & PAT (Port Address Translation) in the internal network (firewalls & routers)

Enable DNS spoofing and DoS attack (Smurf & directed broadcast attack) mitigation policies on gateway routers via ACLs and Cisco IOS

Enforce the industry best practice of secure application coding to mitigate the “Buffer Overflow” vulnerability in memory

Enforce a strong password policy, password aging and a lockout policy for application databases (Oracle, Sybase)

Install the latest O.S and application patches as soon as they are available from vendors

Install the latest security patches for browsers, Flash Players and Microsoft applications

Update the Anti-Virus & IDS/IPS/HIDS signatures on a frequent basis

Update the Business Continuity/DR plan and keep the latest backup of all critical servers

Page 37

Network perimeter best security practises (Cont’d)

Update and install the latest security patches for application gateways (proxies), web filtering devices and firewalls

Check the logs daily on firewalls, IPS/IDS and HIDS for any security incident triggered by malicious activity

Implement industry best practices to secure the network (NIST guidelines, SANS 20 Critical Security Controls, NSA guidelines etc.)

Place the mission-critical web servers (user interface) on a screened subnet/DMZ, and the backend application server & Oracle database server in the internal network

Change the default password of the SNMP community string on network devices
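As an added example (not part of the original deck), the daily firewall log check above can be partly automated so the reconnaissance activity of page 12 (IP address scans, port scans) shows up as a finding rather than as a few thousand deny lines. The script below parses constructed syslog-style deny entries and flags one source probing many ports on one host (a port scan) or one port across many hosts (a host sweep); the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log for one day (syslog-like; invented, not from the deck).
SAMPLE_LOG = """\
Jan 09 08:01:11 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=21
Jan 09 08:01:11 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 09 08:01:12 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 09 08:01:12 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=25
Jan 09 08:01:13 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=1521
Jan 09 09:15:02 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=1433
Jan 09 09:15:02 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=1433
Jan 09 09:15:03 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP DPT=1433
Jan 09 09:15:03 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP DPT=1433
Jan 09 09:15:04 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP DPT=1433
Jan 09 10:40:19 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 09 11:02:44 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP DPT=161
"""
LINE_RE = re.compile(r"\b(DENY|ACCEPT)\b.*?SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def parse_denies(log_text):
    """Return (src, dst, proto, dport) for every DENY entry; accepted traffic is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1) == "DENY":
            events.append((m.group(2), m.group(3), m.group(4).lower(), int(m.group(5))))
    return events

def find_port_scans(events, min_ports=5):
    """Vertical scan: one source probing many distinct ports on one host."""
    ports = defaultdict(set)
    for src, dst, _proto, dport in events:
        ports[(src, dst)].add(dport)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}

def find_host_sweeps(events, min_hosts=5):
    """Horizontal sweep: one source probing the same port across many hosts."""
    hosts = defaultdict(set)
    for src, dst, _proto, dport in events:
        hosts[(src, dport)].add(dst)
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}

def daily_review(log_text):
    """Summary an analyst would look at each morning: deny count plus scan/sweep findings."""
    events = parse_denies(log_text)
    return {"denies": len(events), "scans": find_port_scans(events), "sweeps": find_host_sweeps(events)}
```

The single denied SNMP probe (UDP 161) stays below both thresholds and is left for manual review, which is the point of keeping the raw deny count in the summary.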

Page 38

NETWORK PERIMETER SECURITY (CASE STUDY)

Page 39

CASE STUDY – Cyber attack secure design

Page 40

CASE STUDY – Cyber attack secure design

Design features:

Border Router: a gateway router connects the network to the Internet and provides basic filtering through ACLs (Access Control Lists) on the ingress & egress interfaces

Just behind the gateway router is a stateful inspection firewall that enforces the majority of the network's access control

Public services and private services have been separated by putting them on different network segments (DMZ, corporate & screened subnet)

Split DNS is used: the public DNS server provides name resolution for public services only

Intrusion Detection Systems (IDS) are located on the public, private and network perimeter end points to watch for unusual activity

The front-end application web server is on the screened subnet and the backend Oracle DB server is behind the internal firewall

Page 41

CASE STUDY – Cyber attack secure design

Host-based IDS (HIDS) complement the network IDS by adding an additional layer of security and are placed on the individual mission-critical servers (Anti-Virus, email proxy, web proxy, internal email server, Oracle DB server) to monitor the system's network activity, log files, file system integrity and user actions. A host-based IDS will also detect and generate an alarm when it detects escalation of privileges from a Guest user to an Admin account

Host-based IDS can help detect attacks that use network IDS evasion techniques

Host-based IDS is also useful for correlating attacks picked up by network sensors

All security log entries are sent to the SIEM (Security Information and Event Monitoring System) for data analysis and forensics. The SIEM generates an alert when suspicious activity is detected

For the remote office users, all their laptops are installed with personal firewalls to mitigate/detect hacker entry through backdoor channels

Page 42

CASE STUDY – Cyber attack secure design

All configuration of security devices is performed from the management console

Additionally, one can install TACACS and RADIUS servers to monitor user access on the gateway router and other mission-critical servers

The sample rule base configured for the above network design on the stateful inspection firewall can be as follows (illustrative purpose only): next page

Page 43

CASE STUDY – Cyber attack secure design (sample firewall rule base)
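As an added illustration (not the deck's own rule base, which is a figure on this page), the case-study design from pages 40 to 42 can be expressed as code: the border router's ingress ACL drops packets from the Internet that claim a DMZ or internal source, the firewall evaluates a first-match rule base that ends in a default deny, and a connection table lets only replies to already-allowed connections back in (the "stateful" part). The addresses, ports and rule order are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addressing for the case-study segments (assumed; the deck gives no addresses).
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")        # screened subnet: public services
INTERNAL = ip_network("10.0.0.0/8")     # corporate network behind the internal firewall
WEB = ip_network("192.0.2.10/32")       # front-end application web server
PUB_DNS = ip_network("192.0.2.53/32")   # public half of the split DNS
DB = ip_network("10.0.1.20/32")         # backend Oracle DB server

Rule = namedtuple("Rule", "src dst proto dports action")   # dports=None means any port

# Illustrative rule base, evaluated top-down, first match wins; the last line is the cleanup rule.
RULEBASE = [
    Rule(ANY, WEB, "tcp", frozenset({80, 443}), "allow"),       # public web front end
    Rule(ANY, PUB_DNS, "udp", frozenset({53}), "allow"),        # public names only (split DNS)
    Rule(WEB, DB, "tcp", frozenset({1521}), "allow"),           # only the front end may reach Oracle
    Rule(INTERNAL, ANY, "tcp", frozenset({80, 443}), "allow"),  # outbound browsing for corporate users
    Rule(ANY, ANY, "any", None, "deny"),                        # default deny
]

def border_acl(from_internet, src):
    """Border router ingress ACL: a packet arriving from the Internet must not claim a DMZ or internal source."""
    s = ip_address(src)
    return not (from_internet and (s in DMZ or s in INTERNAL))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules, self.table = rules, set()   # table holds 5-tuples of allowed connections

    def decide(self, src, dst, proto, dport, sport):
        s, d = ip_address(src), ip_address(dst)
        # Reply to a connection already allowed? Pass it without consulting the rule base.
        if (d, s, proto, sport, dport) in self.table:
            return "allow"
        for r in self.rules:
            if s in r.src and d in r.dst and r.proto in ("any", proto) \
                    and (r.dports is None or dport in r.dports):
                if r.action == "allow":
                    self.table.add((s, d, proto, dport, sport))
                return r.action
        return "deny"   # only reached if someone removes the cleanup rule
```

Note that a packet from the Internet that merely looks like a reply (source port 443 towards a corporate host) is denied until that host has actually opened the connection, which is what distinguishes stateful inspection from a plain packet filter.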

Page 44

CONCLUSION

Conclusion Note:

The process of securing and making a perfect “Digital World” is an ongoing, continuous journey, and with the ever-changing modus operandi of hackers and cyber criminals globally, we always have to be one step ahead in the race to protect our digital assets, intellectual property, identity and infrastructure.

Thank You

(Wajahat Iqbal)

Page 45

Disclaimer Note:

This is Copyright Material © of Wajahat Iqbal (2016) and the information shown is collected from Internet repositories; any typo, error or omission is regretted on behalf of the Author. The Author does not hold any responsibility or liability for the incorrectness of the information shared. This technical presentation can be shared/printed/distributed provided that credit is rightly given to the Author.

Contact E-Mail: [email protected]

LinkedIn: http://www.linkedin.com/in/wiqbal