CYBER SECURITY

Lecture # 05
Instructor: Mr. Sharjeel Ahmed
Slide Elements
• Developing Security Policy
• Deploy and manage Security settings
• Security Through Design
DEVELOPING
SECURITY POLICY
Developing Security Policy
• Developing a security policy is crucial for any organization to establish
guidelines, procedures, and best practices that ensure the protection of its
information assets, systems, and networks.
• It provides a clear framework for security measures and ensures that
everyone in the organization understands their role in maintaining a secure
environment.

Here is a structured approach to developing a comprehensive security policy:

1. Define the Scope: Begin by defining the scope of your security policy. What
assets and information are you seeking to protect? Identify the critical
systems and data that require safeguarding.

2. Identify Risks and Threats: Conduct a thorough risk assessment to identify

potential security threats, vulnerabilities, and the potential impact of security
breaches. This step helps prioritize policy development efforts.
Developing Security Policy (Cont. )
3. Legal and Regulatory Requirements: Ensure that your security policy
aligns with applicable laws and regulations specific to your industry. This may
include data protection regulations, compliance standards, and privacy laws.

4. Set Objectives and Goals: Clearly define the objectives and goals of your
security policy. What do you want to achieve with this policy? What are the
desired security outcomes?

5. Involve Stakeholders: Engage key stakeholders, including senior

management, IT personnel, legal experts, and compliance officers, in the
policy development process. Their input and support are crucial.

6. Policy Framework: Create a structured policy framework that includes

various policies, such as an Information Security Policy, Data Protection
Policy, Acceptable Use Policy, and others as needed.
Developing Security Policy (Cont. )
7. Draft the Security Policy: Begin writing the policy itself. It should include
clear and concise language, outlining roles, responsibilities, and specific
security measures.

8. Policy Components: Address key components within each policy, including:

7. Access controls and authentication mechanisms
• Data classification and handling
• Incident response procedures
• Acceptable use guidelines
• Security training and awareness programs
• Encryption and data protection measures
• Password management and security
• Business continuity and disaster recovery plans
• Mobile device security
• Network security
Developing Security Policy (Cont. )
9. Review and Revision: Regularly review and update the security policy to
ensure that it remains current and effective. Security threats and regulations
change over time, and the policy should evolve accordingly.

10. Approval and Adoption: Seek approval from senior management and other
relevant stakeholders. Once approved, disseminate the policy to all
employees and ensure they understand its contents.

11. Training and Awareness: Conduct security awareness and training

programs to educate employees on the policy's requirements and the
importance of security.

12. Monitoring and Enforcement: Establish mechanisms for monitoring policy

compliance and enforce the policy through appropriate disciplinary actions
for violations.
Developing Security Policy (Cont. )
13. Incident Response Plan: Develop an incident response plan as part of the
policy. Outline the steps to be taken in the event of a security incident,
including communication and reporting procedures.

14. Testing and Drills: Conduct regular security testing, such as penetration
testing and vulnerability assessments, and simulate security incidents to
ensure the effectiveness of the policy and response procedures.

15. Continuous Improvement: Regularly assess the policy's effectiveness,

seek feedback, and make necessary improvements to enhance security.
DEPLOY AND MANAGE
SECURITY SETTINGS
Deploy and manage Security settings
• Deploying and managing security settings is a crucial aspect of ensuring
the protection of an organization's information assets, systems, and networks.

• This involves configuring and maintaining various security measures to

mitigate risks and respond to emerging threats.

• Deploying and managing security settings is an ongoing process that requires

a proactive and vigilant approach.

• Regularly review and adapt your security measures to address new threats
and vulnerabilities as they emerge.

• Collaboration between IT, security teams, and employees is essential for

maintaining a strong security posture.
Deploy and manage Security settings (Cont. )
Here's a structured approach to deploying and managing security settings:

1. Define Security Requirements: Begin by identifying your organization's

specific security requirements. These will depend on factors such as the
nature of your business, industry regulations, and the sensitivity of the data
you handle.

2. Conduct a Risk Assessment: Assess the potential risks and threats to your
organization's assets and data. Understand the vulnerabilities and potential
impact of security breaches.

3. Choose Appropriate Security Solutions: Select security tools and

solutions that align with your organization's needs. This may include
firewalls, antivirus software, intrusion detection systems, encryption tools,
and identity and access management solutions.
Deploy and manage Security settings (Cont. )
4. Create a Security Policy: Develop a comprehensive security policy that
outlines the security objectives, measures, and procedures that need to be
followed.

5. Access Control: Implement access controls to ensure that only authorized

individuals have access to systems and data. This includes user
authentication, password policies, and role-based access.

6. Encryption: Implement encryption mechanisms to protect sensitive data in

transit and at rest. This may include using SSL/TLS for web traffic and
encryption for stored data.

7. Patch Management: Develop a process for regular patch management to

keep all software, operating systems, and applications up to date to address
known vulnerabilities.
Deploy and manage Security settings (Cont. )
8. Security Awareness and Training: Conduct security awareness training for
employees to educate them about security best practices and raise
awareness about security threats.

9. Incident Response Plan: Create an incident response plan that outlines the
steps to be taken in the event of a security breach or incident. Ensure that
employees are familiar with the plan and know how to report incidents.

10. Monitoring and Auditing: Set up monitoring and auditing tools to detect
and respond to suspicious activities in real-time. Regularly review logs and
audit trails to identify security issues.

11. Data Backups and Recovery: Implement a robust data backup and
recovery strategy to ensure that critical data can be restored in the event of
data loss or ransomware attacks.
Deploy and manage Security settings (Cont. )
12. Vendor Security: Ensure that third-party vendors and partners follow adequate
security practices. This includes due diligence in selecting vendors and periodic
security assessments.

13. Regular Testing: Conduct regular security testing, such as vulnerability

assessments and penetration testing, to identify and remediate weaknesses in
your security posture.

14. Compliance and Regulations: Ensure that your security settings and practices
align with relevant industry regulations and compliance standards, such as
GDPR, HIPAA, or PCI DSS.

15. Continuous Improvement: Regularly review and update security settings and
measures to adapt to evolving threats and emerging technologies.

16. Response and Recovery: In the event of a security incident, follow your incident
response plan to mitigate damage, identify the source of the attack, and take
corrective actions.
SECURITY THROUGH DESIGN
Security Through Design
• Security Through Design, often referred to as "Security by Design"
or "Security by Design and by Default," is a concept in cyber-security
and software development that emphasizes integrating security
measures and considerations into the design and development of
systems, applications, and products from the outset.

• This proactive approach aims to reduce vulnerabilities and the need

for reactive security patches and fixes after deployment.

• Security through design is not a one-time effort; it is an ongoing process that

requires a proactive and integrated approach to security.

• By incorporating security measures from the beginning of a project,

organizations can reduce the likelihood of vulnerabilities and security
incidents, enhancing the overall resilience and trustworthiness of their systems
and products.
Security Through Design (Cont. )
Here's how to implement security through design:

1. Identify Security Requirements: Begin by identifying the security

requirements specific to your project. Understand the assets to be protected,
potential threats, and applicable regulations or compliance standards.

2. Threat Modeling: Conduct threat modeling to systematically analyze and

anticipate potential security threats and vulnerabilities that your system might
face. This helps in prioritizing security measures.

3. Security Architecture: Design a robust security architecture that integrates

security controls and mechanisms at every layer of the system, from the
hardware and network infrastructure to the application and data layers.

4. Access Control: Implement strong access control mechanisms, ensuring

that only authorized users and processes can access sensitive resources.
Security Through Design (Cont. )
5. Data Encryption: Encrypt sensitive data both in transit and at rest. Utilize
industry-standard encryption protocols and algorithms.

6. Authentication and Authorization: Implement strong authentication and

authorization mechanisms to verify users' identities and control their access.

7. Input Validation: Implement input validation to prevent common

vulnerabilities like SQL injection, cross-site scripting (XSS), and command
injection.

8. Secure Coding Practices: Enforce secure coding practices throughout the

development process. Train developers to identify and address security
issues in their code.
Security Through Design (Cont. )
9. Security Testing: Conduct regular security testing, including vulnerability
assessments, penetration testing, and code reviews, to identify and
remediate vulnerabilities.

10. Incident Response Plan: - Develop an incident response plan to guide the
organization's response to security incidents. Ensure that all stakeholders
understand their roles and responsibilities.

11. Documentation: - Document security design decisions, configurations, and

practices. This documentation is vital for auditing, compliance, and incident
response.

12. Employee Training and Awareness: - Educate employees about security

best practices, including the importance of security in design, to create a
security-conscious culture within the organization.
Security Through Design (Cont. )
13. Vendor Assessment: - Evaluate third-party vendors and suppliers for their
security practices. Ensure they adhere to security standards and protocols.

14. Regular Updates: - Continuously monitor and update the security measures
as new threats and vulnerabilities emerge. Keep all software and systems up
to date with security patches.

15. Compliance and Regulation: - Ensure that the design aligns with relevant
industry regulations and compliance standards.

16. Security Culture: - Foster a culture of security awareness and

accountability within the organization, with leadership support and employee
involvement.
Security Through Design - Principles
1. Reduce the attack surface

• Many companies have a ‘flat’ IT network, with everything connected –

a logical approach as it makes the system less complicated for users.
However, this also makes it a more vulnerable system to break into for
a cyber attacker, much like the old, single garage lock.
• A Security by Design approach installs blocks to reduce the attack
surface, meaning that any attacker breaching one section, won’t be
able to access everything – making recovery an easier task.
• Keeping different applications on separate network systems also helps
keep sections secure, for example, CCTV, door control systems and
even separate internet zones.
Security Through Design - Principles
2. Reduce the risk of user breach

• The weakest link in most businesses is the user, who may download
software, reuse passwords or just receive viruses hidden in phishing
scam emails.
• Making sure that staff know how to use their internet facilities, how to
spot scams and how often passwords have to be updated and how
complex these should be is crucial.
• This is helped by implementing the principle of least privilege, which
means that a user has the minimum set of privileges to perform any
specific task, including administrative privileges, so only an
administrator can download tasks or empowers users for specific
tasks.
• Solid and regularly updated training for all staff is essential for solid
security.
Security Through Design - Principles
3. Defence in depth

• The defence in depth principle of Security by Design means having

multiple security measures that handle hazards in diverse ways to
safeguard an application.
• Rather than having only a single layer of validation, the defence in
depth principle requires many layers of validation and logging tools.
• For example, instead of allowing a user to get in with merely a
password and username, it would employ an IP check, Captcha
system, recording of their login attempts and so on.
Security Through Design - Principles
4. Failing securely

• This concept is understanding that things will fail, so considers what

will happen to the system when this happens and aims to put in place
a secure, digital locking mechanism that locks down parts of the
system. Similar to the concept of how a security badge might give you
access to sensitive areas of a building to execute your job, as with the
concept of least privilege, but what happens if the power goes out?
• If a ‘fails open’ system is in place then all of the locks stop working,
meaning all the doors are accessible allowing you to access other,
normally off-limits, parts of the building. The Fails Securely system
means that all the doors lock – and no snooping can take place. A
system intended to fail securely will only give access to components
of the system when each step of the procedure is successfully
completed.
Security Through Design - Principles
5. Avoid security by obscurity
• This concept of security cannot be fully relied upon. If the software or
programme demands that its administration URL is hidden to be
secure, then it is not at all secure. Cybercriminals can find it, even if
you think it’s hidden. Security controls should be in place to make your
application safe without obscuring key functionality or source code.

6. Keep security simple yet secure

• When implementing security measures for applications, it is advisable
to avoid complicated security controls as complex mechanisms can
increase the risk of errors. Should a security flaw be identified in an
application, then developers need to identify the root source of the
problem, repair it and then thoroughly test it. If the programme
employs design patterns, the problem is likely to be present in
numerous systems, so identifying all affected systems is essential.
Security Through Design - Principles
7. Threat modeling

• Threat modeling is another element of a Security by Design system.

• Threat modeling is a security engineering practice that is used to
document hidden security hazards that are not always evident or
predicted.
• The threat modeling technique seeks to identify potential attack
vectors and prioritize the risks to which software is vulnerable so that
development teams can focus their efforts on the most important
concerns.
• The benefits of using threat modeling are increased understanding of
the potential impact and priority of attacks as well as the capacity to
assess security decisions against design goals so that relevant
countermeasures are built into an application.