Exam summary Security in Organisations

Lecture 1& 2 : Information Security

 Information Security = the preservation of confidentiality, integrity and availability of
information
 Who is responsible for information security? The board of directors/CEO -> security is
investment
 Confidentiality = property that information is not made available or disclosed to unauthorized
individuals, entities, or processes
 Integrity = property of accuracy and completeness
 Availability = property of being accessible and usable upon demand by an authorized entity
 Network and Information Security Directive = regulates which companies must meet
mandatory security requirements and mandatory reporting of security incidents; requirements:
o Risk-based approach: provider has a current overview of the network and information
systems that support its essential service and analyses their risks
o Organization of network and information security management: provider has and
actively applies an information security policy and strategy
o Incident prevention: provider has a layered security strategy based on the risks
o Detection and response: provider can detect, analyse and record incidents and limit
their consequences
o Limit consequences of incidents: provider shall establish a business continuity policy
and crisis management policy
 Cyber Resilience Act (CRA) = proposed EU regulation with the following objectives:
o Ensure that manufacturers improve the security of products with digital elements
o Ensure a coherent cybersecurity framework, for hardware and software
o Enhance the transparency of security properties of products with digital elements
o Enable businesses and consumers to use products with digital elements securely
 Ransomware attack on Maastricht University:
o October 2019: user opens Excel file with macro that is executed and the (VDI)
workstation gives a foothold for the attacker who gains local admin access
o A month later, ransomware damages over 267 servers including backups
o Lack of network segmentation
o In December, the University pays to get the decryption key
o Root cause #1: inadequate insight in the (number) of active computer- and server
systems in the network
o Root cause #2: inadequate security patching
 The security officer is not end-responsible for security
 Security is closely related to risk perception and risk appetite
 Security incident = an event where confidentiality, integrity or availability of information
was lost; either caused by deliberately malicious human behaviour or unintentional acts
 ISO 27001 = security management process description to select & implement controls based
on risk assessments
 ISO 27002 = contains a comprehensive list of security controls
 Limitative lists = implementing a long list of security controls
 Risk assessment = screen processes and use segregation of duties (four-eyes principle) to
evaluate risks and the necessary precautions
  Combined approach = apply ‘evident controls’ without much risk-assessment (→ baselines)
and implement specific, additional (costly) controls based on a risk assessment for ‘critical’
systems
 Security Officer’s ISMS responsibilities (PDCA cycle):
o Plan: define ISMS (scope, policy, risks…), select controls
o Do: implement management processes and controls
o Check: internal review of management processes and controls
o Act: review incidents, adjust ISMS
 ISMS implementation:
o Step 1: Develop the ISMS
o Step 2: Get an information security organization in place
o Step 3: Identify information systems and allocate responsibilities
o Step 4: Implement the ‘combined approach’ for risk assessment
o Step 4a: Develop security baselines
o Step 4b: Perform risk assessments + treatments (RATs) on systems
o Step 5: Implement the security baselines and controls from RATs
o Step 6a: Perform effectiveness measurements
o Step 6b: Perform an internal audit
o Step 7: Have a management review
 Objective of information security = get the management of the organisation in control of
risks related to the loss of confidentiality, integrity and availability of information
 ‘Information Security Management System’ (ISMS) = a process to select and maintain
security controls (from ISO 27002) based on risk assessments

Lecture 3: Automated vulnerability testing

 Standard applications: open source, used by many organisations, actively researched for
security vulnerabilities (CVE = Common Vulnerability Enumeration), key security measure:
apply patches and configure securely
 Custom applications: used only in the own organisation, therefore not actively researched by
the security community, patches have to be written, important target for security testing
 OWASP Top-10:
o Broken access control
o Cryptographic failures
o Injection
o Insecure design
o Security misconfiguration
o Vulnerable and outdated components
o Identification and authentication failures
o Software and data integrity failures
o Security logging and monitoring failures
o Server side request forgery (SSRF)
 False Positive (FP) = test says something is the case, that in reality is not the case
 False Negative (FN) = test fails to report something that is there in reality
 FP and FN rates are a trade-off; raising the “confidence threshold” reduces FP rate at the
expense of increasing the FN rate
 Most day-to-day applications should rather avoid false positives as people tend to not take
care of security bugs if they have to manually filter whether the hundreds of warnings are
relevant or not
  Ideal appsec testing tool: universal applicability, universal issue scope, infinite speed, reliable
(no FN/FP), universal and simple integration, easy to use, detailed and actionable feedback

SAST = Static Application Security Testing

 SAST tool provides vulnerability information for source code; automatic code review
 SAST tool must understand the language and framework
 Evaluates expressions on the syntax tree to find bad patterns; simple, fast algorithm; works
well for things like hardcoded password and keys, weak encryption settings, insecure
randomness, API abuse
 Buffer analysis = tries to evaluate the allocated size of the buffer and the actually used size of
the buffer
 Taint analysis = tracking taint, which is the property that a piece of data may contain an
attack payload; any piece of user input should be considered tainted
 Control flow analysis = check secure state of program
 Regular expression machine = finds e.g. hardcoded access tokens
 Higher-order analysis = required for data-flow and control-flow analysis on languages which
allow assigning functions to variables
 SAST is integrated in the CI/CD process

SCA = Software Composition Analysis

 Open source/bill of material review
 Two steps: Determine the list of libraries/dependencies present in a piece of software (the so-
called “Bill-of-Materials”), and check these against a database of known vulnerabilities
 Advanced implementations:
o Obtain the BOM by calculating hashes of all the files in a piece of software
o Test against a dedicated open source dependency database
o Check for security, architecture, license; allows configurable policies
 If your SCA tool detects that your application is using a library with a known critical
vulnerability, the reaction depends
o Application uses the vulnerable part of the library and this usage is controllable by
attackers ➔ Probably a critical problem in your app
o Application uses the vulnerable part of the library, but not in a way that is controllable
by attackers ➔ May be an issue, further research makes sense
o Application is not using that part of the library ➔Housekeeping issue
 Susceptibility analysis = effective usage analysis; requires a combination of SAST features
(data-flow or structural analysis) and SCA features

DAST = Dynamic Application Security Testing

 Automatic pentest; running application in a controlled (staging) environment
 Three stages: configuring, crawling (attacking; needs knowledge of normal requests), auditing
(detection of success/failure)
 DAST takes place relatively late: in a staging or even production environment; manually
triggered; with limited scope

Lecture 4: IS risk assessment

 Risk assessment and treatment (RAT) process = identify serious potential security incidents
before they actually (can) occur
  Impact = potential consequences
 Risk = Impact x Likelihood; potential incident
 Risk assessment approach = there should be a documented methodology, and risk appetite
should be defined
 How to identify risks:
o 1) Identify the assets and their owners
o 2) Identify the threats to those assets
o 3) Identify the vulnerabilities that might be exploited by the threats
o 4) Identify the impacts that CIA losses may have on the assets
 Threats are ‘who’ or ‘what’, vulnerabilities are ‘how’
 Threats can be of ‘natural’, ‘unintentional human’ or ‘intentional human’ origin
 How to analyse and evaluate risks:
o 1) Assess the business impacts that might result from security failures,
o 2) Assess the realistic likelihood of security failures
o 3) Estimate the levels of risks
o 4) Find, prioritize risks and determine which need treatment
 Risk treatment options = applying controls, accepting risks, avoiding risks, transferring risks
to other parties
 RAT process:
o Context establishment: determine legal requirements, scope, boundaries, inventory,
assets
o Risk assessment: identify scenarios, threats, vulnerabilities, existing controls
o Risk estimation/evaluation: prioritise risks, determine “real” risks
o Risk treatment: accept, avoid, transfer, treat risk with controls
o Risk acceptance: residual risks must be accepted by management
o Documentation/communication
o Risk monitoring: document and periodically reassess risk process
 IS policy = a means of communicating Information Security requirements to the organization
by senior management
 Policy requirements from ISO 27001:
o a) appropriate to the purpose of the organization;
o b) includes/provides framework for information security objectives;
o c) includes a commitment to satisfy applicable requirements;
o d) includes a commitment to continual improvement of the information security
management system;
o e) is available as documented information;
o f) is communicated within the organization;
o g) be available to interested parties, as appropriate
 Policy requirements from ISO 27002:
o Control: policies should be defined, approved by management, published and
communicated to employees and relevant external parties
o Guidance: policy sets out the organization’s approach to managing its information
security objectives

Lecture 6: pen testing

 Security testing needs to consider: goal, scope, budget
  Threat model = who attacks you how?

Lecture 7: Security by design

 Principles:
o Help the user: don’t hinder
o Be realistic: keep the weakest link in mind
o Be conservative: prepare for failure
o Embrace the ignorance: users know nothing
o Apply security throughout the design cycle: pervasive security
 ROT13 = rotates letters 13 places
 Problem with symmetric and asymmetric crypto is key management

Lecture 8: Security in Industrial Control Systems

 Industrial Automation & Control Systems =collection of personnel, hardware, and software
that can affect or influence the safe, secure, and reliable operation of an industrial process
 Safety Systems = Independent systems that provide a safeguard to prevent damage / injuries
to the equipment, environment and personnel
 Programmable Logic Controllers (PLC) = connected to the physical world through inputs
(sensors) and outputs (actuators)
 Supervisory Control and Data Acquisition (SCADA) / Distributed Control System (DCS)
= gather data from PLC’s or RTU’s in the field and provides a ‘dashboard’ to human
controllers to control the ICS; SCADA for geographically widespread control systems, DCS
for plant control processes
 Remote Terminal Units (RTU) = often a PLC with communication possibilities and data
buffering
 Human Machine Interface (HMI) = provides a visual representation of the control system
for a human controller
 Historian = stores data for analysis
 Manufacturing Execution System (MES) = sits between the SCADA/DCS system and
higher level business systems and contains metadata about the control system
 Safety Instrumented System (SIS) = composed of a separate and independent combination
of sensors, logic solvers, final elements, and support systems that are designed and managed
to achieve a specified safety integrity level (SIL); may implement one or more safety
instrumented functions (SIFs), which are designed and implemented to address a specific
process hazard or hazardous event
 Stuxnet (2009) = first cyberweapon; attacked the enrichment centrifuges at the Iranian nuclear
facility in Natanz; spread to other systems
 Availability is in ICS key; confidentiality is in most cases less important, although ICS can
contain intellectual property
 ICS security challenges:
o ICS were never designed to be connected to untrusted networks
o ICS have a very long lifecycle (30 years) and replacement is costly
o The ICS lifecycle is not in sync with general purpose OS/software
o Risky security assessments
o ICS are often managed by third parties
o Patches can only be applied during maintenance windows of an installation
o Proper password management on sites is difficult, as systems are always logged on
o Security awareness / urgency is low: ‘If it ain’t broke, don’t fix it’
 Measures to mitigate risks:
 o Clearly define who is responsible / accountable for ICS security
o Bring IT and OT together
o Perform risk assessments
o Proper vendor management
o Proper network segmentation
o Protocol monitoring
o Awareness

Lecture 9: Information security management

 Senior executive level
o Focus: organisational risk
o Actions: express mission priorities, approve implementation tier selection, direct risk
decisions
o Gives mission priority, risk appetite, budget to business/process level
 Business/process level
o Focus: critical infrastructure risk management
o Actions: nominate implementation tiers, develop profiles, allocate budgets
o Gives changes in current and future risks to senior executive level
o Gives framework profiles to implementation/operations level
 Implementation/operations level
o Focus: securing critical infrastructure
o Actions: implements profile
o Gives implementation progress, changes in assets, vulnerability and threat to
business/process level
 3 lines of defence:
o 1st line: management controls and internal control measures
 Setting the risk appetite, assessing and managing issues and risks, prioritising
based on threat, security reporting
nd
o 2 line: financial controller, security, risk management, quality, inspection,
compliance
 Defining risk taxonomy and risk appetite, risk reporting
o 3rd line: internal audit
 Defence and attack models:
o Intrusion kill chain: reconnaissance, weaponisation, delivery, exploitation, installation,
command and control, actions on objectives
o Preventive/reactive measures: detect, deny, disrupt, degrade, deceive, destroy
 NIST cyber security framework: identify, protect, detect, respond, recover

Lecture 10: Security in the energy sector

 ISO 27002 information security controls:
o Organisational controls (37 controls): Policies, information security roles and
responsibilities, access control, security incident management, monitoring, logging,
backup, and restore, classification of data, supplier management
o People controls (8 controls): Screening, awareness, confidentiality or non-disclosure
agreements, remote working
o Physical controls (14 controls): Access control, securing offices, rooms, and facilities,
equipment siting and protection, equipment maintenance, secure disposal or reuse of
equipment
 o Technological controls (34 controls): Mobile devices, privileged access rights/
information access restriction, use of cryptography, logging/monitoring/data leakage
prevention, management of technical vulnerabilities, protection against malware
 Cyber Resilience Centre (CRC) = task is to design and implement the right scenarios,
security use cases and associated logging based on business risks
 CRC activities:
o Security monitoring: monitor IT, OT, and cloud landscape based on identified risks
and security use cases
o Incident response: Responding to security incidents, minimise the impact
o Vulnerability management: Detecting and addressing known vulnerabilities
o Threat analysis: Analysing technical and geopolitical threats and determining the
(possible) risks for the organisation
o Central pentest coordination: Determine the (overall) risk for the organisation on the
basis of the findings of the tests
o Automation: Isolate incidents fast, automate the analysis and responsive work
o Picket duty 24x7
o Forensics: Basic forensic investigations, others are outsourced
o Consultancy: Questions from employees, looking at design issues, and helping with
risk analyses

Lecture 11: Role of the Security Operations Centre (SOC)

 Ransomware first tactics: Enter the network, encrypt data, ask for ransom
 Countermeasure: backups
 Therefore, change of tactics: Exfil Data, encrypt, threaten to make documents public
 Invention of Bitcoin: Mostly Anonymous, payment address per victim, no regulations
 Entry points: phishing, misconfigured Internet-facing services, vulnerable Internet-facing
services, supply chain attack
 Attack phases:
o Initial access
o Credential theft
o Lateral movement
o Persistence
o Payload
 Recovery options:
o Rebuild systems
o Restore backups
 Backups might contain traces of the attack
o Obtain decryptor
 Ask for potential data theft and attack path
 MITRE = A SOC is a team primarily composed of security analysts organized to detect,
analyse, respond to, report on, prevent cybersecurity incidents
 Security Information and Event Management (SIEM) = data aggregation, data retention,
correlation, alerting, analysis
 In-House SOC = own environment, immediate actions, depends on budget, capabilities
 Managed SOC = external party, not enough resources for In-House SOC (costs, knowledge),
communication is key
 SOC process:
o Threat framework adapted to customer need
o Business case: risk assessment
 o Sources: information that is available
o Implementation: transcribe logs, certain events should trigger alarms
o Testing: correctness and effectiveness
o Operation: analyst actions, follow-up steps, maintenance
 Signature-based detection = predefined patterns/rules, alarm when match is found
o Pro: Reason for alarm clear
o Con: New attack patterns not detected
 Anomaly-based detection = uses baseline; deviation triggers alarm
o Pro: New attack patterns may still be detected
o Cons: Needs a lot of information, less clear why alarm was triggered; sometimes
requires deeper analysis
 Host Intrusion Detection System = installed on single hosts, monitors log files or OS Events,
can provide input for SIEM
 Network Intrusion Detection System = packet inspection, mostly signature-based

Lecture 12: IT risk & IT security in practice

 Negative security: high risk and low velocity
o Imaginary controls, unnecessary engineering work, bad implementation
 Reckless security: high risk and high velocity
o Lack of security controls
 Safe and slow security: low risk and low velocity
o Manual reviews, frequent security gates, centralised risk ownership
 Empowered security: low risk and high velocity
o Security via guardrails, teams have clear guidance, defined risk tolerance, reusable
paradigms, distributed risk ownership
 Common attack vectors:
o Software vulnerabilities
o Compromised credentials
o Weak passwords
o Malicious employees
o Poor encryption
o Ransomware
o Phishing
o Misconfigured devices
o Trust relationships
o DDoS attacks

Lecture 13: Security audits

 Audit = process in which an competent, impartial judgment (‘opinion’) is formed on one or
more aspects (‘criteria’) of an object
 Positive assurance = an affirmative statement or opinion given by the auditor, generally based
on a high level of work performed (‘Our opinion is that the organization is compliant with ...’)
 Negative assurance = a statement indicating that nothing came to the auditor's attention
indicating that the subject matter in question did not meet a specified criteria (‘We have seen
no indications that the organization is not compliant with ...’)
 Audit criteria = can be an open standard, a tailored version of it, or even some assertions
made by the client management; in the latter case, the opinion can be a statement of the
auditor that these assertions are correct
 Audit scheme = rules describing how the audits shall be conducted and what requirements
should be met by the auditor organization itself
 Adversarial principle = providing auditees the opportunity to respond to findings
 IT audit aspects:
o Availability: Property of being accessible and usable upon demand by an authorized
entity
o Reliability: Relates to systems providing management with appropriate information
for it to use in operating the entity, in providing financial reporting to users of the
financial information, and in providing information to report to regulatory bodies with
regard to compliance with laws and regulations
o Effectiveness: Deals with information being relevant and pertinent to the business
process as well as being delivered in a timely, correct, consistent and usable manner
o Compliance: Deals with complying those laws, regulations and contractual
arrangements to which the business process is subject; i.e., externally imposed
business criteria
o Efficiency: Concerns the provision of information through the optimal (most
productive and economical) usage of resources
 Technically oriented audits = the objects are IT systems, e.g., a whole IT infrastructure, a
network, a Windows environment, a specific application
 Process oriented audits = the objects are IT processes, e.g., a security management process, a
change management process
 Information security objectives/controls = formulate audit criteria
 3 audit assurance levels:
o Design: The auditor has reviewed the relevant design based on documentation and
interviews but not on actual inspections
o Existence: The auditor has additionally performed inspections of system settings,
paper archives and other things providing him with assurance that the design was at
least implemented during the audit
o Operational Effectiveness (OE): The auditor has additionally looked for evidence
that the implemented controls were effective over a certain period of time
 You can only have Design, Design + Existence or Design + Existence + OE
 The opinion minimally states:
o For who the audit was conducted (client) by whom (auditor/auditor organization)
o The objective of the audit
o The object and its boundaries
o The period in which the audit was performed
o The followed procedures
o The audit criteria used and the related audit scheme
o The assurance level of the audit
o The opinion itself and any reservations or limitations regarding the opinion
 Management system = a framework of policies, procedures guidelines and associated
resources to achieve the objectives of the organization
 Certification of a management system = one means of providing assurance that the
organization has implemented a system for the management of the relevant aspects of its
activities, in line with its policy; gives negative assurance
 Certification Bodies = management system auditors; they need to implement a (quality)
management system too
 Accreditation = inspection of Certification Bodies by national Accreditation Councils
 Audit plan = describes the timing of the audit, including opening and closing meeting, the
topics of the audit (preferably in reference with the criteria), the staff (internal/external) that
 needs to be interviewed (when/where), any visits or inspections (in implementation and
surveillance audits)
 Documentation audit (stage I) = the auditor reviews the documentation and has interviews to
check consistence with the audit criteria
 Implementation audit (stage II) = the auditor checks the existence of controls in consistence
with the documentation
 Certification decision = certification manager decides upon certification based on the stage I
and stage II reports delivered by the audit team/lead auditor
 Corrective Action Plan (CAP) = documented by client for each Non-Conformity
 Surveillance audit = a combination of a documentation and implementation audit; these
periodic assessments serve to make sure all requirements are assessed at least once during the
certificates’ period of validity

Lecture 14: (Ab)using electronic identity documents

 DigiD knows both who you are and where you logon to (‘privacy hotspot’)
 Wetransfer has no end-to-end security
 Public key cryptography = public key for encryption, private key for decryption
 Public key certificate = the public key is associated with the owner’s identity and signed by a
TTP
 Identity document (passport) = a contactless USB flash drive with files holding personal
data
 Security challenges:
o Ensure that user can control when and by who his (personal) data can be read
o Ensure that the party reading the data can ensure its is ‘authentic’
o Ensure that the party reading the data can be sure the passport is not cloned
o Ensure that only ‘authorized parties’ can read the fingerprint data
 Homomorphic encryption = authenticate user anonymously while providing identity to
service provider
 Remote Document Encryption (RDE) = allows any party to encrypt data for the holder of an
electronic passport such that decryption is only possible with physical possession of the
document and takes place inside the document, typically by the holder