VU23217 Session-04

The document discusses several cybersecurity frameworks and standards including NIST CSF, ISO 27001, SOC2, NERC-CIP, HIPAA, GDPR, and FISMA. It also covers incident response frameworks from NIST and SANS, the OWASP Top 10, the Essential Eight strategies from ACSC, the CIS Controls, behavior-based security approaches, and behavior-based intrusion detection. The primary frameworks and standards discussed provide guidance on assessing and managing cybersecurity risks across different industries and countries.

Uploaded by Ryan Nguyen

Recognise the need for cyber security in an Organisation
VU23217 Session-04
Session Content
• Policies, tools and systems for protecting an organisation
• Cyber security standards & bodies
• Security frameworks: NIST CSF
• Essential Eight strategies (ACSC)
• SANS, OWASP, CIS
• Incident response frameworks
• Behaviour based approaches to cyber security
• Cyber Kill Chain
Cybersecurity framework
A cybersecurity framework provides a common language and set of standards that let security leaders across countries and industries understand their own security posture and that of their vendors. With a framework in place it becomes much easier to define the processes and procedures your organisation must follow to assess, monitor and mitigate cybersecurity risk.

The primary goal of every security framework is to reduce the risk that threats negatively affect an organisation and its stakeholders.
Common cybersecurity frameworks

NIST Cybersecurity Framework
The NIST Cybersecurity Framework was established in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity, signed by President Obama in 2013, which called for greater collaboration between the public and private sectors in identifying, assessing and managing cyber risk.

ISO 27001 and ISO 27002 (International Organization for Standardization)
Created by the International Organization for Standardization (ISO), ISO 27001 specifies the requirements for an information security management system (ISMS) and is the standard an organisation is certified against; ISO 27002 is the companion code of practice that describes the controls and is not itself certifiable. Together they are widely treated as the international benchmark for validating a security programme, both internally and across third parties.

SOC 2
Service Organization Control (SOC) 2 is an attestation and auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report (Type I at a point in time, Type II over a period) helps verify that vendors and partners are securely managing client data against the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy.

NERC CIP
Introduced to mitigate the rise in attacks on U.S. critical infrastructure and growing third-party risk, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of mandatory cybersecurity requirements designed to help the utility and power sector reduce cyber risk and ensure the reliability of the bulk electric system.

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law rather than a framework in its own right; its Security Rule requires healthcare organisations and their business associates to implement administrative, physical and technical safeguards that secure and protect the privacy of electronic protected health information (ePHI).

GDPR
The General Data Protection Regulation (GDPR) was adopted in 2016 and has applied since 25 May 2018 to strengthen data protection procedures and practices for individuals in the European Union (EU). The GDPR applies to all organisations established in the EU and to any business, including U.S. businesses, that collects and stores the personal data of people in the EU.

FISMA
The Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014, is a comprehensive framework requiring U.S. federal agencies and their contractors to protect government information and systems against cyber threats; in practice agencies implement it through the NIST SP 800-53 control catalogue.
People – Process – Technology

Cyber Security Framework
NIST
• NIST stands for National Institute of Standards and Technology.
• More than ever, organisations must balance a rapidly evolving cyber threat landscape against the need to fulfil business requirements.
• To help these organisations manage their cybersecurity risk, NIST convened stakeholders to develop a Cybersecurity Framework that addresses threats and supports business.

NIST Cyber Security Framework
The framework core is organised into five functions, Identify, Protect, Detect, Respond and Recover (CSF 2.0, released in 2024, adds a sixth, Govern); each function is broken into categories and subcategories of outcomes that an organisation measures itself against.
Incident Response Framework
• Incident response is a plan for responding to a cybersecurity incident methodically. If an incident is malicious, steps are taken to quickly contain and minimise the damage and to learn from it.
Industry Standard Incident Response Frameworks

NIST
• NIST - National Institute of Standards and Technology.

SANS
• SANS - SysAdmin, Audit, Network, and Security.
NIST Incident Response Framework
The NIST lifecycle (NIST SP 800-61) has four phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity.
SANS
SANS stands for SysAdmin, Audit, Network, and Security. They are a private organisation that, per their self-description, is "a cooperative research and education organization". Though younger than NIST, their sole focus is security, and their process has become an industry-standard framework for incident response.

The SANS Incident Response Process consists of six steps:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

SANS Incident Response Framework
NIST vs SANS Incident Response
The two lifecycles cover the same ground. NIST combines containment, eradication and recovery into a single phase and calls the final phase post-incident activity; SANS splits containment, eradication and recovery into three separate steps and calls the final step lessons learned.
OWASP – Open Web Application Security Project (renamed the Open Worldwide Application Security Project in 2023)

OWASP Top Ten
The OWASP Top 10 is a regularly updated awareness document listing the most critical web application security risks. The 2021 edition lists: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery.

Essential Eight strategies (ACSC)
The Essential Eight is a baseline set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves against a range of cyber threats regardless of their industry. Each strategy is assessed against four maturity levels (0 to 3).
• 1. Application control
• 2. Patch applications
• 3. Configure Microsoft Office macro settings
• 4. User application hardening
• 5. Restrict administrative privileges
• 6. Patch operating systems
• 7. Multi-factor authentication
• 8. Regular backups (formerly "Daily backups")
Center for Internet Security (CIS)
• The Center for Internet Security is a nonprofit entity whose mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyberdefense." It draws on the expertise of cybersecurity and IT professionals from government, business and academia around the world. To develop standards and best practices, including CIS Benchmarks, CIS Controls and hardened images, it follows a consensus decision-making model.

CIS Controls
The CIS Controls (version 8) are a prioritised set of 18 safeguards grouped into three Implementation Groups, IG1 to IG3, so that an organisation can start with the essential cyber hygiene of IG1 and add controls as its resources and risk profile grow.
Behavior-based security
Behavior-based security is a proactive approach to security in which all relevant activity is monitored so that deviations from normal behaviour patterns can be identified and dealt with quickly. As machine learning continues to improve, this approach to security management is expected to play an important role in securing computing at the edge of the network.

Traditional security software is signature-oriented: the software monitors data streams and compares data in transit with signatures in an anti-virus vendor's library of known threats. Behavior-based security programs work a little differently: they monitor data streams too, but they compare the observed activity with a baseline of normal behaviour and look for anomalies. Behavior-based security products use applied statistics and machine learning to flag events that are statistically significant departures from that baseline, which lets them catch activity for which no signature exists yet, at the cost of false positives whenever legitimate behaviour changes.
Behavior Based Intrusion Detection
• Behavior-based IDS offerings, also known as anomaly-based threat detection, use AI and machine learning as well as other statistical methods to analyse data on a network to detect malicious behaviour patterns as well as specific behaviours that may be linked to an attack.
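The slides describe behaviour-based detection only in the abstract (baseline, deviation, statistical significance). The following is an added example, not code from the slides or from any IDS product, that runs the idea over constructed sshd-style authentication log lines: a per-user baseline of hourly login counts is learned from one "normal" day, and a later window is scored with a z-score. The log format, host names, users and the z-score threshold are all assumptions chosen for the example; a real product would use richer features and a more robust model.

```python
"""Behaviour-based (anomaly) detection over authentication logs.

Added example: builds a per-user baseline of hourly login counts from a
'normal' window, then flags hours whose count deviates from that baseline
by more than a z-score threshold. Log lines, user names and hosts below
are constructed for the example, not taken from any real system.
"""
import math
import re
from collections import defaultdict

# Constructed, sshd-like log format; the `ts` group keeps only the hour.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def hourly_counts(events, result="Accepted"):
    """user -> hour -> number of events with the given result."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == result:
            counts[e["user"]][e["ts"]] += 1
    return counts


def build_baseline(training_lines):
    """Mean and (population) standard deviation of hourly login counts per user.
    Hours with no logins do not appear in the input and so are not counted;
    a production system would fill those hours with zeros."""
    stats = {}
    for user, hours in hourly_counts(parse(training_lines)).items():
        xs = list(hours.values())
        mean = sum(xs) / len(xs)
        sd = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        stats[user] = (mean, sd)
    return stats


def detect(baseline, window_lines, z_threshold=3.0, min_sigma=1.0):
    """Flag (user, hour) pairs whose count is a statistically significant
    departure from that user's baseline, or whose user has no baseline at all."""
    alerts = []
    for user, hours in hourly_counts(parse(window_lines)).items():
        for hour, count in sorted(hours.items()):
            if user not in baseline:
                alerts.append({"user": user, "hour": hour, "count": count,
                               "z": None, "reason": "no baseline for user"})
                continue
            mean, sd = baseline[user]
            # Floor the spread so a perfectly regular user (sd == 0) still gets
            # a finite score instead of a division by zero.
            z = (count - mean) / max(sd, min_sigma)
            if z > z_threshold:
                alerts.append({"user": user, "hour": hour, "count": count,
                               "z": round(z, 2), "reason": "count above baseline"})
    return alerts


def _line(day, hour, minute, user, result="Accepted"):
    """Build one constructed log line."""
    return (f"2024-03-{day:02d}T{hour:02d}:{minute:02d}:00 bastion sshd: "
            f"{result} password for {user} from 10.0.0.{minute % 250 + 1}")


# Constructed 'normal' day: alice logs in 2 or 3 times an hour, bob once.
TRAINING = []
for h in range(24):
    for m in range(2 if h % 2 == 0 else 3):
        TRAINING.append(_line(1, h, 5 * m, "alice"))
    TRAINING.append(_line(1, h, 30, "bob"))

# Constructed detection window: alice looks normal, bob's account is used
# twelve times in one hour, and an account never seen before appears.
WINDOW = [_line(2, 9, m, "alice") for m in (1, 15, 40)]
WINDOW += [_line(2, 9, m, "bob") for m in range(12)]
WINDOW.append(_line(2, 9, 50, "svc_backup"))


def run_example():
    """Return the alerts raised for the constructed window."""
    return detect(build_baseline(TRAINING), WINDOW)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note the two kinds of alert: bob's twelve logins in one hour is the statistical anomaly the slide describes, while `svc_backup` is flagged simply because there is no baseline for it. Neither needs a signature. The cost shows up as soon as behaviour legitimately changes (a new starter, a maintenance window), which is why the threshold and the baseline window are tuning decisions, not constants.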

Behaviour based Output - IDS
Heuristic Analysis
Anti-virus programs also use heuristic analysis to detect 'unknown' viruses by looking for suspicious properties. Two heuristic methods are static analysis and dynamic analysis.
• Static analysis – the suspect program's code is examined without running it and compared with a database of known samples; if a certain percentage of the code matches, the file is flagged. Code similarities like this may show a file to be a variant of a known virus family. Static analysis also includes inspecting a file to determine its purpose and the destinations it references, which might provide evidence of malicious intent.
• Dynamic analysis – the suspect program is executed in an isolated virtual environment (a sandbox) and watched for suspicious behaviour such as self-replication and overwriting files.
• All major anti-virus products combine signature-based detection with heuristic analysis. A downside of heuristic analysis is false positives: a file may be flagged as malicious when in fact it is benign. Heuristic analysis may also produce false negatives, in which case a virus is not flagged and is let through.
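The static-analysis bullet above, "if a certain percentage of the code matches", is the whole technique, so here is an added example of it, not code from the slides or from any anti-virus vendor. A suspect file's byte 4-grams are compared with a small database of known samples using Jaccard similarity, and a match above a threshold is reported as a variant of that family. It also shows the false-positive problem the last bullet mentions: when every program ships the same runtime stub, the shared stub alone can push a benign file over the threshold, and the fix is to discard known-benign code before comparing. All byte strings, the family name and the threshold are constructed for the example.

```python
"""Static heuristic analysis by code similarity.

Added example (not from the slides or any AV vendor): a suspect file's
byte 4-grams are compared with a small 'database' of known samples; if the
Jaccard similarity reaches a threshold the file is reported as a variant
of that family. All samples below are constructed byte strings, not real
malware, and the family name is made up.
"""


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of all n-byte windows in the data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: set, b: set) -> float:
    """Jaccard similarity of two n-gram sets, from 0.0 (disjoint) to 1.0 (equal)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def classify(sample: bytes, families: dict, threshold: float = 0.6,
             ignore: set = frozenset()):
    """Return (family, score) for the closest known family, or (None, score)
    when the best score is below the threshold.  Grams listed in `ignore`
    (shared, known-benign code such as a packer or runtime stub) are removed
    from both sides before comparing so they cannot drive the score on their own."""
    grams = ngrams(sample) - ignore
    best, best_score = None, 0.0
    for name, known in families.items():
        score = similarity(grams, ngrams(known) - ignore)
        if score > best_score:
            best, best_score = name, score
    if best_score >= threshold:
        return best, best_score
    return None, best_score


# Constructed: a 256-byte 'runtime stub' that every program in this corpus carries.
STUB = bytes(range(256))

# Constructed 'known sample' database: one family, stub plus a payload.
FAMILIES = {
    "Worm.Example.A": STUB + b"copy self to %APPDATA%\\svc.exe; add Run key; "
                             b"connect 203.0.113.7:4444; sleep",
}

# Constructed suspect files: a variant with a changed address and an extra
# action, and a benign program that only shares the runtime stub.
VARIANT = STUB + (b"copy self to %APPDATA%\\svc.exe; add Run key; "
                  b"connect 203.0.113.9:4444; sleep; log keys")
BENIGN = STUB + b"read config.ini; write report.txt; exit"


def run_example():
    """Classify both suspects twice: naively, and with the stub's grams ignored."""
    naive = {
        "variant": classify(VARIANT, FAMILIES),
        "benign": classify(BENIGN, FAMILIES),
    }
    stub_grams = ngrams(STUB)
    stub_aware = {
        "variant": classify(VARIANT, FAMILIES, ignore=stub_grams),
        "benign": classify(BENIGN, FAMILIES, ignore=stub_grams),
    }
    return naive, stub_aware


if __name__ == "__main__":
    naive, stub_aware = run_example()
    for mode, results in (("naive", naive), ("stub-aware", stub_aware)):
        for name, (family, score) in results.items():
            print(f"{mode:10s} {name:8s} -> {family} ({score:.2f})")
```

In the naive run the benign file is reported as `Worm.Example.A` because roughly 250 of its 4-grams are the stub that the known sample also contains; once those grams are ignored its score collapses to almost zero while the real variant still matches well above the threshold. Real engines make the same trade: the similarity metric is cheap, but what is excluded from the comparison (library code, packers, compiler boilerplate) decides the false-positive rate.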
Cyber Kill Chain

The US Military Kill Chain
The term comes from the military targeting cycle, usually summarised as F2T2EA: Find, Fix, Track, Target, Engage, Assess.

Cyber Kill Chain Framework
Analysts at Lockheed Martin (Hutchins, Cloppert and Amin) adapted the idea to network intrusions in the paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", published in 2011.

Cyber Kill Chain – 7 Stages
Stage 1: Reconnaissance – the attacker researches the target: public information, employees, exposed systems and software versions.
Stage 2: Weaponization – a malicious payload is coupled with an exploit into a deliverable package, such as a document or archive.
Stage 3: Delivery – the package is transmitted to the target, for example by phishing e-mail, a compromised website or removable media.
Stage 4: Exploitation – a vulnerability in software, a system or a person is triggered so that the attacker's code runs.
Stage 5: Installation – malware is installed to give the attacker persistent access to the victim system.
Stage 6: Command and Control – the compromised system calls out to attacker-controlled infrastructure so that it can be operated remotely.
Stage 7: Actions on Objectives – the attacker pursues the actual goal: data exfiltration, destruction, lateral movement or further intrusions.

The defensive point of the model is that an intruder must complete every stage in order, so detecting or blocking any single stage breaks the chain and stops the intrusion.
