A. Chapter 1: Evolution of a Profession
If you were to liken the IT industry to a three-ring circus, computer security was a sideshow: the unicycling monkey of the IT world. It was staffed by the geekiest, most socially awkward technical geniuses, whom no one really wanted to see, but they were still there in the shadows doing their thing, because they had to be. The focus of security was to configure the technical measures in hardware and software to keep out script kiddies and to make sure that systems kept running without phreakers and hackers stealing precious bandwidth.
Over the next four decades, the world shifted. The adoption of ubiquitous home and enterprise computing saw security professionals dedicate more of their focus to the information they were protecting. Metaphorically, security refocused its lens from technology to information, allowing security experts to consider management systems and processes that they had never considered before.
This shift away from technology toward a more holistic view of the business saw computer security rebranded as information security.
“Cyber has become a ubiquitous prefix in today’s media that means anything concerned with Internet privacy or security. It’s rare that a day goes by without hearing or reading about cyberwar, cyberattacks, cybersecurity, cyberbullying, and cybersafety. But where did this peculiar prefix come from? The first evidence of usage (aside from the Greek root meaning governing) dates back to the 1940s, when mathematician Norbert Wiener wrote about cybernetics as computer systems that could one day run on feedback and be self-governing. During the 1980s, the term was prepended to any word to make it sound futuristic or cutting-edge, replacing the less cool term, digital. In the 1990s, cyber developed an entirely new meaning as cybersex arrived on the scene, referring to virtually making out (among other things) with your partner in dial-up IRCs and online forums. As the years trundled by and the concept of cybersex was largely replaced with online pornography and dating sites, the term was taken back by the government, and the military started referring to the next shift in warfare paradigms as being into the battleground of cyber. And with cyberwarfare came cybersecurity, cyberattacks, and cyberintelligence. Today, cyber can pretty much be appended to anything you like, but the media has focused its use primarily on the security industry, hence we have all become cybersecurity professionals, whether we like it or not.”
The Language of Security:
a. CIA
There are three special security properties, sometimes referred to as the three tenets of security, that are fundamentally at the heart of everything we do. Every risk you mitigate and every control you implement is applied from the perspective of one or more of these properties. Figure 1-2 shows the relationship between confidentiality, integrity, and availability and how they apply to every asset we protect.
1. Confidentiality
A loss of confidentiality can occur in many ways, such as through the intentional release of information by someone who has legitimate access, such as a trusted (but not trustworthy) employee or systems administrator. Such a disclosure could have a negative effect on the company’s share price and damage any competitive edge it might have in the market, with a knock-on effect on profits for years to come.
2. Integrity
Maintaining integrity ensures the following:
• Unauthorized personnel or processes do not make modifications to data.
• Authorized personnel or processes do not make unauthorized modifications to information.
• Information is internally and externally consistent.
3. Availability
Here are a few examples that show just how important availability can be:
• A maintenance company cuts through the main power supply to your datacenter, but you have no backup generator. Your systems are no longer available to your staff or customers.
• A hacker launches a denial of service (DoS) attack against your website, and your users are no longer able to browse your inventory or check out their purchases.
b. Non-Repudiation
There is one additional property, called non-repudiation, that exists alongside the CIA triad and is equally important to consider in a variety of special circumstances. ISO/IEC 27000:2012 defines non-repudiation as the “ability to prove the occurrence of a claimed event or action and its originating entities.”
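The integrity and non-repudiation definitions above are easy to blur together, so here is an added example (not code from the book or from the blog author) that separates them. It uses Go’s standard library: an HMAC-SHA256 tag shows an integrity control that detects any modification of a record, and an Ed25519 signature shows what non-repudiation adds. The record, the shared key and the fixed key seeds are all constructed for the example; fixed seeds are used only so the results are reproducible and must never be used in a real system.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed sample data (not from the page): a transaction record as the
// originator sent it, and the same record after someone changes the amount.
var (
	original = []byte(`{"order":"A-1001","amount":"49.99","account":"acct-7"}`)
	tampered = []byte(`{"order":"A-1001","amount":"4999.99","account":"acct-7"}`)

	// Assumed shared secret, known to both sender and receiver (constructed).
	sharedKey = []byte("shared-secret-known-to-sender-and-receiver")

	// Fixed 32-byte seeds so the example is reproducible; never do this for real keys.
	originatorSeed = bytes.Repeat([]byte{0x01}, ed25519.SeedSize)
	impostorSeed   = bytes.Repeat([]byte{0x02}, ed25519.SeedSize)
)

// hmacTag computes HMAC-SHA256 over data: an integrity control that lets the
// holder of the key detect any change to the bytes once the tag is checked.
func hmacTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// hmacVerify is true only when data is byte-for-byte what was tagged.
// hmac.Equal is a constant-time comparison, so the check does not leak timing.
func hmacVerify(key, data, tag []byte) bool {
	return hmac.Equal(hmacTag(key, data), tag)
}

// Result bundles the outcome of each check so it can be inspected or tested.
type Result struct {
	HmacAcceptsOriginal  bool // integrity: the untouched record passes
	HmacRejectsTampered  bool // integrity: the modified record fails
	ReceiverCanForgeHmac bool // the receiver can make a tag identical to the sender's
	SigAcceptsOriginal   bool // signature verifies with only the public key
	SigRejectsTampered   bool // any change to the record invalidates the signature
	SigRejectsImpostor   bool // nobody without the private key can sign as the originator
}

// Demonstrate runs the integrity checks (HMAC) and the origin checks (signature).
func Demonstrate() Result {
	tag := hmacTag(sharedKey, original)

	// The receiver holds the same shared key, so a tag it produces itself is
	// indistinguishable from the sender's. A MAC therefore proves integrity
	// to the two key holders, but cannot prove to a third party WHO created
	// the record: the sender can always repudiate it.
	receiverForged := hmacTag(sharedKey, original)

	originator := ed25519.NewKeyFromSeed(originatorSeed)
	originatorPub := originator.Public().(ed25519.PublicKey)
	impostor := ed25519.NewKeyFromSeed(impostorSeed)

	// Only the originator's private key can produce a signature that verifies
	// under the originator's public key, which is what gives non-repudiation.
	sig := ed25519.Sign(originator, original)
	impostorSig := ed25519.Sign(impostor, original)

	return Result{
		HmacAcceptsOriginal:  hmacVerify(sharedKey, original, tag),
		HmacRejectsTampered:  !hmacVerify(sharedKey, tampered, tag),
		ReceiverCanForgeHmac: hmacVerify(sharedKey, original, receiverForged),
		SigAcceptsOriginal:   ed25519.Verify(originatorPub, original, sig),
		SigRejectsTampered:   !ed25519.Verify(originatorPub, tampered, sig),
		SigRejectsImpostor:   !ed25519.Verify(originatorPub, original, impostorSig),
	}
}

func main() {
	fmt.Printf("%+v\n", Demonstrate())
}
```

Every field of the returned Result is true. The point for a security manager is that an integrity control (the HMAC) is not automatically a non-repudiation control: because both parties hold the same key, the tag cannot prove the claimed originating entity to anyone else, whereas the signature can be verified by a third party who holds only the public key.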
c. Threats and Vulnerabilities
ISO/IEC 27000:2012 defines a threat as “the potential cause of an unwanted incident, which may result in harm to a system or organization.” A threat is any action or actor that may cause an unwanted consequence, such as a breach of confidentiality or a loss of service.
To be considered a threat, an incident or violation doesn’t have to occur. Your job is to identify that the threat might occur and to use this knowledge in a process called risk assessment, covered later.
d. Risk and Consequence
The management of information risk is at the heart of everything we do in information security management. Risk is defined in ISO 31000 as “the effect of uncertainty on objectives.” It might not have occurred to you before that risk can have both positive and negative effects on business objectives: a deviation from what is expected could well be a positive shift. This means that some risks result in good outcomes, even if somewhat unexpected, such as when the stock market unexpectedly moves in your favor.
B. Chapter 2: Threats and Vulnerabilities
I. Threats
Threats come from a variety of sources. Some are physical, such as floods and volcanoes, while others are digital, such as hackers, criminals, disgruntled employees, or competitors. This section looks at the overall threat landscape (a term that denotes the plethora of threats that potentially affect our information’s confidentiality, integrity, and availability), the threat actors (the people who enact those threats), and the kinds of malware and weaponized code being used to perpetrate such attacks.
1. The Deep Web
The hidden network that exists within the Tor service is often referred to as the deep web. However, it has been given myriad other names over the years, such as the dark web, darknet, and the dark market. (Strictly, the deep web is any content that search engines do not index, and the Tor-hosted portion of it is the dark web; the book uses the terms interchangeably.) No matter what it’s called, it operates much like the rest of the Internet in terms of websites, file services, and web services, with one main difference: it is designed to be anonymous and it is unindexed (i.e., you can’t find links to these services in Google, Yahoo!, or any other traditional search engine).
It contains a plethora of services, including criminal hacking and malware-peddling sites, and is the first port of call for researchers and counter-intelligence officers trying to keep ahead of what the cyber criminals are up to.
In effect, the deep web is a collection of connected systems that are protected using the encrypted overlay provided by Tor. From a user’s perspective it works much like the standard Internet, except that sites are not indexed by standard search engines such as Google. You’ll not be able to find links to sites such as the Silk Road from a Google search; instead, you’ll need to know how to get into the Tor network, and then you’ll need to know the special .onion URL to find your way to that target site.
2. Malware as a Service
The productizing of malware has led to a restructuring of the exploit marketplace, where hacking-as-a-service (HaaS) is now the preferred delivery model. HaaS allows anyone who wants to dabble in cybercrime to get started, even if they have no technical skills at all. Hackers can simply license the malware they need from a developer, or hire a hacking group (by the hour) to launch attacks on their behalf. Obtaining the tools is also very easy. There are websites dedicated to selling malware developers’ wares, where sellers offer services tailored specifically to hacking the chosen target. This means the hacker can inflict any combination of negative outcomes on their target with little to no technical knowledge, for a very reasonable service fee.
3. Criminal Motivations and Capabilities
Some of the most devastating cyberattacks we’ve seen over the past few years demonstrate well how aligned the modern cybercriminal landscape has become with traditional crime:
· Anthem: This health insurance provider was hacked by an organized crime group in order to steal customer health records. Health records are extremely useful on the black market, fetching a much higher price than credit card records, since they can be used to create false identities, leading to much more significant profits; and, unlike credit card information, your name, address, and social security number cannot be changed.
· OPM: We looked previously at the attack on the US government’s Office of Personnel Management; however, when classified against standard criminal activity, it really falls into the category of espionage.
· Ashley Madison: This dating site was hacked by a group of activists who believed the organization was furthering immorality in society by encouraging people to cheat on their spouses. Activism in cyberspace is known as hacktivism, but it remains activism nonetheless. Ashley Madison is one of the first hacks that resulted in the deaths of at least two affected victims.
· Sony Pictures: The massive and sustained attack on Sony Pictures saw copyrighted material leaked onto the Internet, along with emails, celebrity contracts, and a plethora of other potentially damaging material. This hack was attributed to North Korea by US law enforcement; however, it can’t really be considered espionage because it wasn’t politically motivated. Rather, it was posited as revenge for the portrayal of North Korea’s leader, Kim Jong-un, as a psychotic idiot in the comedy film The Interview.
II. Vulnerabilities
1. Technical Vulnerabilities
There are many kinds of technical vulnerability you need to consider when performing a risk assessment for your business. Operating systems and applications are developed from millions of lines of complex code and often contain a variety of errors and oversights that remain in the system once compiled. These errors do not necessarily affect normal operation, and so they are often not found until someone specifically tries to find ways to exploit your systems.
2. Non-Technical Vulnerabilities
As a security manager you need to properly understand how physical and process vulnerabilities affect your business and its security, and how they should be addressed within a holistic approach to your security architecture. In this section, we’ll look at:
a. Physical Vulnerabilities
In the previous section of this chapter we looked at some of the physical threats that our business systems and information might be affected by, such as fires, floods, and earthquakes.
b. Process Vulnerabilities
The technical vulnerabilities in systems are just one perspective on where you’ll find weaknesses that can lead to a loss of confidentiality, integrity, or availability. Security managers need to be aware of the underlying processes that keep the business safe and ensure that those processes contain as few vulnerabilities as possible, since a weak process can also lead to a compromise.
c. People Vulnerabilities
Finally, one of the biggest considerations the information security manager must make is how to deal with the vulnerabilities introduced into the organization by staff. People can introduce risk into the systems they manage through complacency, carelessness, simply not understanding how to do something or why it should be done the way it’s specified, or through malicious intent. People are also the developers of our systems, which is where many of these issues come from in the first place: for any one of myriad reasons, bugs can be introduced into the systems you are developing (from both a software and a hardware point of view).
Source: Campbell, Tony. 2016. Practical Information Security Management. XXVII, 237. Apress.