The Cyber Security Handbook

Acknowledgements

The development of this handbook involved the help of many people. The Ministry of Communications and Information Technology (MCIT) would like to express its gratitude to all those who answered questions about their needs and experiences in the cyber security domain in Samoa – this information helped us to establish the structure of this handbook. Thank you to members of the cross-Government ICT Technical Working Group (ICT-TWG) who reviewed early drafts of the handbook, particularly Mr Suetena Loia. Thank you to the Senior Management Team of the MCIT who guided the writer to make the handbook relevant and practical. We extend a special Pacific thank you to Mr Tony Willenberg for writing the handbook, Prof. Peter Blunt for his constructive comments and editing, and the Department for Foreign Affairs and Trade (DFAT, Government of Australia), through the Samoa Technical Assistance Facility (STAF), whose funding and continued technical support made this handbook possible.

3 The Cyber Security Handbook

Table of Contents

Copyright ...... 2
Acknowledgements ...... 3
Acronyms ...... 5
Introduction ...... 7
  Why this Handbook? ...... 7
  Audience ...... 7
  Structure ...... 8
Section I: Understanding the Cyber Security ‘Landscape’ ...... 9
  What is Cyber Security? ...... 9
  Why Do We Need It? ...... 10
  What’s the Worst That Can Happen? ...... 11
  Who Is the Enemy? ...... 13
  Stages of an Attack ...... 13
  Types of Capabilities ...... 15
  Types of Attack ...... 15
  Not All Hackers Are Enemies ...... 16
Section II: Designing the Cyber Security Framework ...... 17
  Assemble the Framework ...... 17
  1. Know the Applicable Laws and Regulations ...... 17
  2. Apply International Standards ...... 17
  3. Take Account of National Frameworks (if any) ...... 18
  4. Take Account of Sector Frameworks (if any) ...... 18
  5. Identify Risks Relevant to the Organisation ...... 19
  6. Determine the Scope ...... 19
  7. Understand the Essential Design Principles ...... 21
  8. Communicate the Policy ...... 27
Section III: Implementing the Framework ...... 28
  Implementing the Core Functions ...... 28
  1. Identify ...... 28
  2. Protect ...... 29
  3. Detect ...... 31
  4. Respond ...... 32
  5. Recover ...... 32
Annexes ...... 33
  Annex A: The Three States of Digital Data ...... 34
  Annex B: The Triad of Security Services ...... 36
  Annex C: What is a Resource? ...... 37
  Annex D: Definition of Terms ...... 38
  Annex E: Threat Taxonomy ...... 42
  Annex F: Tools and Toolsets ...... 47
  Annex G: Sample Cyber Security Protocol ...... 48
  Annex H: Microsoft Active Directory ...... 49
  Annex I: Resources for IT DR/BC Planning ...... 50
  Annex J: Examples of the CIS Controls, Measures, and Metrics ...... 51
References ...... 52


Acronyms

ACL Access Control Lists
ALCOA Attributable, Legible, Contemporaneous, Original, Accurate
APT Advanced Persistent Threats
BCP Business Continuity Plan
BeEF Browser Exploitation Framework
CIA Confidentiality, Integrity, Availability
CIRT Computer Incident Response Team
CIS Centre for Internet Security
CME CrackMapExec
CNI Critical National Infrastructure
CNIP Critical National Infrastructure Protection
CPTED Crime Prevention Through Environment Design
CSF Cyber Security Framework
CWI Centrum Wiskunde and Informatica
DDoS Distributed Denial of Service
DFAT Department of Foreign Affairs and Trade
DMZ De-Militarised Zone
DR/BC Disaster Recovery / Business Continuity
DRP Disaster Recovery Plan
EMR Electro Magnetic Radiation
ERP Enterprise Resource Planning
EU European Union
EUR Euro
GCHQ Government Communications Headquarters
GCSCC Global Cyber Security Capability Centre
GoS Government of Samoa
GPDR General Protection of Data Regulation
HVAC Heating, Ventilation and Air Conditioning
ICT Information and Communications Technology
ICT-TWG Information and Communications Technology Technical Working Group
IDS Intrusion Detection System
IEC International Electrotechnical Commission
IoT Internet of Things
IPS Intrusion Prevention System
IS Information Security
ISKE Infosüsteemide Kolmeastmeline Etalonturbe Süsteem (Estonian)
ISM Information Security Manual
ISMS Information Security Management System
ISO International Standards Organisation
ISP Internet Service Provider
IT Information Technology
ITU International Telecommunications Union
LAN Local Area Network
MCIT Ministry of Communications and Information Technology
MitM Man-in-the-Middle
NASA North American Space Administration
NIST National Institute for Standards and Technology
OSI Open Systems Interconnection
PCI DSS Payment Card Industry Data Security Standard
PCISSC Payment Card Industry Security Standards Council
SCADA Supervisory Control And Data Acquisition
SET Social Engineer Toolkit
SIEM Security Information and Event Management
STAF Samoa Technical Assistance Facility
SSL Secure Sockets Layer
US United States
VLAN Virtual Local Area Network
VPN Virtual Private Network


Introduction

Why this Handbook?

The Communications Sector Plan (CSP) 2017/18 - 2021/22 sets out three goals for Samoa’s communications sector:

1. To provide for access to appropriate and affordable ICT for all;
2. To develop fundamental ICT development skills that can address local and regional needs; and
3. To utilise ICT as a means for enhancing the effectiveness, efficiency, inclusiveness, accountability and transparency of state governance.

This handbook contributes to the CSP goals in the following ways:

Goal 1: To provide for access to appropriate and affordable ICT for all. By increasing awareness of basic cyber security practices, this handbook will improve the effectiveness and efficiency of computing for businesses and government departments, making it more affordable. For example, malware hijacks computing resources (computation, storage, throughput, bandwidth, and memory) surreptitiously and, to the unwitting user, it often just seems like more computing resources are needed to get the job done. This handbook will help the user to recognise when their resources are being hijacked, but it will also help to protect them from the intrusion in the first place. The new submarine fibre-optic cable that has provided greater bandwidth to Samoan business and government departments is a double-edged sword because there is more bandwidth that can be hijacked, squandered, and misused by malicious actors. A clear and practical cyber security framework and the know-how to implement it in business and government can provide a first line of protection and help users to identify the most cost-effective steps to take to provide for acceptable levels of cyber security.

Goal 2: To develop fundamental ICT development skills that can address local and regional needs. This handbook sets out good and best practices, international standards, and practical cyber security tools that will enable users – in Samoa and in the region – to detect vulnerabilities in the Samoan cyber security context and to reduce or eliminate them. It will also be useful to educators, helping to build cyber security skills for the local and regional markets.

Goal 3: To utilise ICT as a means for enhancing the effectiveness, efficiency, inclusiveness, accountability and transparency of state governance. The equitable, effective and efficient governance of the state depends on the ability of all governance actors (the state, civil society and the private sector) to contribute optimally to development objectives. As noted above, an effective and implementable cybersecurity framework is central to the integrity, reliability and maintenance of development activity among all governance actors.

In short, like other countries, as Samoa embarks on its digitalisation journey, cyber security is fundamental to progress. “We need to step up, and step up urgently on collaboration on cybersecurity, because you can’t have a smarter world, you can’t have e-commerce, you can’t have seamless digital transactions if you don’t have cybersecurity. It’s the flip side of the coin.” (Balakrishnan 2018). The handbook addresses CSP activity 2.1.3.

Audience

This handbook is aimed primarily at the mid-level information technology (IT) manager and/or information security (IS) practitioner in all domains of governance. However, it will also be helpful to:

1. Policymakers and senior executives (those in a strategic role);
2. Information technology (IT) managers and information security (IS) specialists who design and implement security policies (those in a tactical role); and
3. System architects, network engineers, system administrators, implementation and support technicians, and application specialists responsible for the IT operations of their organisation (those in an operational role).

Structure

The handbook is divided into three parts, each suited to readers with different levels of expertise in the field and level within the organisation (i.e. strategic, tactical, or operational). The structure of the handbook is depicted in Figure 1 below.

Figure 1: Handbook structure. Source: Neocapita Consulting. The figure stacks the three sections: Section I: Cybersecurity Landscape; Section II: Cybersecurity Framework; Section III: Cybersecurity Implementation.

It has three sections: landscape, assemble the framework, and implementing the framework.

Section I: The Cyber Security ‘Landscape’. This section addresses the following questions: why do we need cyber security? What is the worst that can happen? Who is the enemy and what are their motives likely to be? And what general forms – and stages – can cyber security attacks take? This section will be most helpful to policymakers or board members or senior executives who want to bring cyber security to the foreground of the organisation’s ‘consciousness’. It is hoped that this general awareness of the cyber security ‘landscape’ will encourage the organisation to take preventative and, if necessary, remedial action.

Section II: Designing the Cyber Security Framework. This section outlines the main steps that must be taken to produce a cybersecurity framework, including:

§ First, acquiring a clear understanding of the relevant laws and regulations under which the organisation operates;
§ Second, understanding what international cyber-security standards might be most applicable;
§ Third, becoming familiar with any national security policy that might be in place as well as any sector-specific cyber security frameworks that exist;
§ Fourth, the conduct of a risk assessment within the sphere of operation and responsibility of the organisation; and
§ Fifth, the application of general design principles, whatever form the cybersecurity framework might take.

Section III: Implementing the Cyber Security Framework. This section sets out what can be done practically under a cybersecurity framework to defend the organisation against attack.

Throughout the handbook, the cyber security actions that are suggested normally will entail the creation and updating of a [Document] named in square brackets and in bold text, to be filed in a [Section] of the cyber security protocol. If followed, these actions will enable you to develop a cyber security protocol for your organisation.

Section I: Understanding the Cyber Security ‘Landscape’

What is Cyber Security?

Cyber security refers to the body of standards, tools, and techniques used to protect against the criminal or unauthorised use of electronic data and computing assets. Put another way, it is all the things we can do to protect computer resources (data, systems, assets, capabilities) from misuse. The things we ‘do’ include writing policy, laws, regulations, and contracts; assessing risks and threats; developing a strategy for protecting resources; selecting tools and toolsets; using those tools; monitoring their effectiveness; monitoring the environment; educating users about their roles in cyber security; providing assurances to customers/citizens; and repeating these tasks in a regular cycle of continuous improvement. However, it is highly unlikely that a system exists, or will ever exist, which is considered completely secure. As systems become more complex, so too do their vulnerabilities, and the measures needed to protect them become more complex as well. An organisation’s cyber security practices should be considered a continuous process, aimed at maximising the confidentiality, integrity and availability (CIA)1 of resources (data, systems, assets, capabilities) of an organisation, balanced against the cost and practicality of doing so.

1 See Annex B: Core Security Services.


Figure 2: Cybersecurity is a trade-off between risks to CIA (confidentiality, integrity, availability) and cost, usability, and practicality. Source: Neocapita Security Consulting.

Action 1. Open a discussion about cyber security with strategic managers. The key message is that cyber security should be a continuous part of the organisation’s “thinking” and have resources assigned to it like any other function in the organisation. Explain that there are structured ways of approaching cyber security – such as those set out in this handbook - which help to balance the protection of resources with the cost and practicality of doing so.

Why Do We Need It?

The Internet is fundamentally insecure. “It’s not that we didn’t think about security…we knew that there were untrustworthy people out there, and we thought we could exclude them.” (David D. Clark, in Timberg 2015). In Samoa, “a wide variety of cyber security incidents are being reported, ranging from distributed denial of service attacks to Internet fraud.” (ITU 2018). When the Internet was originally designed, it was thought that only large computers (called mainframes) would ever connect. Mainframes were very expensive and only affordable to large universities, governments, and private sector companies. Given this limited group of mainframe owners, the Internet was designed and built to allow these actors to connect with each other, with little regard to the possibility of misbehaviour. If a mainframe acted maliciously, it would have been straightforward to identify the wrongdoer. With the advent of personal computers in the 1980s the nature of the Internet changed. The number of Internet-connected computers grew exponentially. Soon after the personal computer, other devices were connected to the Internet: mobile devices, elevators, cameras, trains, buses, and toll gates, to name a few. The size of the Internet is said to be doubling every 5.3 years (Cisco 2011) and is now estimated at more than 20 billion connected devices and set to grow to 75 billion connected devices by 2025 (IEEE 2016). “What began as an online community for a few dozen researchers now is accessible to an estimated 3 billion people.” (Timberg 2015).


Today, the Internet is integral to all types of interactions between people and machines. Commerce, conferencing, collaboration, research, design, education, health, infrastructure management – the Internet is an indispensable part of modern society, upon which society has increasingly become dependent. But Internet growth has come at a price: one of the most important of which is security. Criminals now use the Internet to steal billions of dollars and millions of identities. According to the National Cyber Security Centre (a part of the Government Communications Headquarters, Government of the UK), 81% of large companies surveyed in the UK had been breached, incurring costs of between £600,000 and £1.5 million for each breach (ISBS 2014). One study estimates that 16.7 million instances of identity fraud took place in 2017 in the US alone (Javelin 2018). Governments also use the Internet for state surveillance of their citizens and cyberwarfare. Names like Stuxnet, Regin, Gauss, Turla, Red October, and Flame represent a new class of warfare – committed by sovereign actors – that even a few years ago was only considered science fiction. Hacktivists use the Internet for their own political agenda. The first widely-known act of hacktivism occurred in October 1989 when Australian hacktivists deployed malware that infected the computers of NASA and the US Department of Energy. The malware was responsible for altering the computer log-in screens to read “WORMS AGAINST NUCLEAR KILLERS…your system has been WANKed”. Whilst this might be considered a mildly irritating politically motivated prank, it demonstrated the vulnerability of such systems – and of all transactions on the Internet – to much more serious and threatening attacks.

Communicating via email, instant messaging, voice calls, gaming, banking, shopping, government services, machine to machine interactions, industrial control systems for manufacturing, infrastructure monitoring, surveillance, border control, warfare: all happen across cyberspace and all are vulnerable. Cyber security is designed to prevent interruption to, and to protect, such interactions and services. It should attempt to do so in ways that maximise the return on the investments made, enable compliance with laws and regulations, and prevent financial and/or reputational damage to citizens, businesses and governments.

“In GCHQ we continue to see real threats to the UK daily, and I’m afraid the scale and rate of these attacks shows little sign of abating.” Robert Hannigan, Director GCHQ, p.3, Common Cyber Attacks: Reducing the Impact.

What’s the Worst That Can Happen?

Clearly, the absence of a robust cyber security protocol in today’s modern online world has costly and harmful implications. According to Lloyd’s of London, it is estimated that almost half a trillion dollars each year is lost to hacking and cyber-crime, and that estimate is predicted to rise to $6 trillion annually by 2021 (Herjavec Group 2017). According to the ITU, roughly 80% of the world’s cyber-attacks are directed at Asian targets, and it takes 1.7 times longer in Asia (than the global median) to detect a cyber breach (p.12, ITU 2018). Not only do cyber-attacks cause financial loss and occur often, but as more of the world’s infrastructure goes online, people’s safety will be put at risk.


Identity Theft

Identity theft is perhaps the fastest-growing financial crime. Identity theft occurs when a thief takes on the identity of someone else (the victim) to apply for credit cards or bank loans, to use the stolen identity to apply for other identity documents with greater benefits, or to perform deeds in the victim’s name. The thief can accrue debt in the name of the victim, perform deeds online that damage the reputation of the victim, and spend assets belonging to the victim; all without the victim’s knowledge. Once there are no further resources that can be extracted from the victim’s identity, the thief will usually move on. Victims may end up being liable for thousands of dollars of debt they didn’t incur themselves, and with no savings left in their bank accounts. Until the theft can be proven and the matter cleared up, which in many cases can take years, it might be impossible for them to find a job, make purchases, or borrow money – and they may suffer other opportunity costs due to a damaged reputation and inability to prove their innocence.

Loss of Trust

A government department that cannot protect the information it holds about citizens will have trouble maintaining the trust and confidence of users of its services. A company that cannot protect its customers’ information will undermine the trust that consumers place in the company when doing business with it, which may result in fewer customers, and even closure of the company if the financial implications of the loss of credibility are too great.

Financial Loss

Much of the world’s financial records and systems are now online, hosted in private and corporate data centres, and representing trillions of dollars’ worth of assets. Unauthorised access to these records can result in the loss of those assets. Proving ownership or the current value of an asset may be impossible, if the electronic provenance of those assets is corrupted.

Embarrassment, Discrimination, and Persecution

A cyber incident involving private information can embarrass people, and give others a basis for discrimination, and even persecution. An embarrassing situation caused by a cyber breach might relate to a person’s online habits or medical information. Discrimination might occur based on an individual’s voting records. Persecution might take place if religious beliefs, cultural group, or sexual identity information falls into the wrong hands. Within the European Union (EU), new regulations, known as the General Protection of Data Regulation (GPDR), address data protection and privacy. The GPDR is designed to give everyone control over their personal data and harmonises the legal environment across the European Union. Businesses failing to protect individuals’ data face substantial penalties for non-compliance – up to 4% of worldwide turnover or 20 million EUR, whichever is greater (EU 2015).

Interruption to Services

The Internet is no longer just a place for us to send and receive email or to browse web sites. It is now the infrastructure that connects machines to machines. Transport, utilities, payments, customs, air traffic, surveillance, military, government, and other types of systems rely on the Internet to orchestrate the flow of information between them. Cyber criminals that can execute an attack on those networks can cause enormous damage.


Physical Injury

Semi-autonomous and autonomous land, air, marine, and submarine vehicles are fast approaching the mainstream. For these vehicles to operate, they must transmit and receive information across the public Internet. Cyber breaches of their systems could result in vehicles malfunctioning, causing injury to passengers, pedestrians, and property.

Action 2. Continue the conversation with strategic managers about cyber security. Be in a position to list the typical threats and risks to resources and try to explain the risks in terms stakeholders can relate to.

Who Is the Enemy?

In the famous words of the 6th-century BC Chinese military strategist, Sun Tzu, in his military treatise ‘The Art of War’: “If you know the enemy and know yourself, you need not fear the result of a hundred battles”. This section explores the range of possible enemies, what motivates them, and how they operate – and it then presents a comprehensive framework for defending against them. Enemies in cyber space go by numerous names:

• Cyber criminals are motivated by financial gain, which they pursue by creating and using fraudulent information or by selling off valuable information.
• Industrial competitors can be motivated to gain a commercial or economic advantage for their company or country.
• ‘Hackers’ are motivated by the intellectual challenge to crack open a system and earn kudos from their peers for doing so.
• ‘Hacktivists’ or activist hackers are motivated by political or ideological reasons and can attack companies or government systems to make their point.
• Employees or others who have legitimate access to information and system resources can intentionally or accidentally damage or misuse resources.
• ‘Script kiddies’ engage in malicious behaviour largely for the purposes of fun and entertainment, and although they have few resources at their disposal with which to prepare and deliver attacks, they are large in number (ITU 2018).

Stages of an Attack

To understand what enemies can do, let’s first consider the general form of an enemy’s attack. Most cyber-attacks are carried out in four stages: research, delivery, breach, and affect (NIST 2018).

Figure 3: Four stages of a cyber-attack: Research, Deliver, Breach, Affect.


Research

In the research stage, hackers will gather information to research the system or organisation to be attacked. Researching an attack could involve the hacker speaking with past or present employees to gather intelligence on the structure of the system and the controls around it, or it may involve using system-penetration-testing tools to discover the types of systems operating behind the network perimeter. Research can involve delving through the organisation’s waste paper for passwords inadvertently written down and thrown out by an employee.

Delivery

In the delivery stage, the hacker will deploy the computing capabilities they have designed to cross the network perimeter and prepare to breach the system and cause the effect. Delivery can be automated, say, when an email is sent to a member of staff with a malicious attachment that is opened. Delivery can be manual, say, if an employee unwittingly plugs a flash drive into a computer on the network, a flash drive given to them by a visitor to the office.

Breach

In the breach stage, the hacker will execute the capabilities they have inserted within the network perimeter to cause damage, to prevent access or operation, or to launch further breaches and effects. The breach of the network or system can be limited and narrow or it can be comprehensive and wide. A breach may be comprehensive but with little effect, say, a web site’s administration is hijacked (i.e. breach) causing the home page to be replaced with an irritating message. The breach can also happen over a long period of time, and in stages, with one breach summoning capabilities to cause other breaches, widening the holes in the network perimeter. A breach can also be seemingly harmless, say, a small piece of code inserted into the code loaded on a SCADA2 industrial controller which causes it to run tasks a little slower than usual (the breach), but with catastrophic implications: say, if the industrial controller was responsible for the operating speed of the centrifuges that keep a nuclear reactor core coolant at a stable temperature.

Affect

In the affect stage, the hacker’s capabilities eventually impact the systems and the result of the hacking becomes known. The effect could be instantaneous and easy to see (e.g., a website home page that contains a message in large red font), or gradual and very difficult to notice (e.g., a centrifuge deep inside a nuclear facility spinning a few revolutions-per-minute slower than usual).

Action 3. Learn the four stages of an attack. This will help you think through what protective measures might be needed to thwart malicious activity when you design controls, measures, and metrics for your cyber security protocol. See Annex J: Examples of the CIS Controls, Measures, and Metrics, for reference to a comprehensive list of controls, sub-controls, measures, and metrics that can be used as protective measures.

2 SCADA is an acronym for Supervisory Control and Data Acquisition.


Types of Capabilities

Cyber security attacks can be mounted using one of two types of capabilities: commodity or bespoke.

Commodity

Capabilities that involve the use of readily available off-the-shelf tools and techniques, and that are simpler to use, can be thought of as ‘commodity’ capabilities. Often the tools designed and built for security specialists (like system penetration testers) are also the tools of an attacker. Common tools for commodity attacks include: Metasploit, Wireshark, Nmap, Aircrack-ng, Wifiphisher, Burp Suite, OWASP ZAP, Impacket, CrackMapExec (CME), John the Ripper, SQLMap, Browser Exploitation Framework (BeEF), THC-Hydra, Social Engineer Toolkit (SET), SecLists, and Kali.3 See section III of this handbook for a comprehensive list of cyber tools and toolsets.

Bespoke

Capabilities that involve the development of specifically targeted tools and techniques, and that are more difficult to deliver and use, are referred to as bespoke capabilities. Often these capabilities are specifically programmed with detailed working knowledge of cryptography, protocol engineering, specific hardware, software and networking vulnerabilities; these are exploited to enable the attack. Infamous bespoke attacks include: Stuxnet (targeting Iranian nuclear facilities), GhostNET (103 countries targeted), OpIsrael (targeting Israeli organisations), Bronze Soldier of Tallinn (targeting Estonian public and private sector organisations), and Flame4 (targeting Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt).

Types of Attack

Cyber-attacks can also be directed in one of two different ways: targeted or arbitrary. The difference between a targeted and an arbitrary attack is important, as each will require a different defence.

Figure 4: Targeted and arbitrary attacks. Source: Neocapita Security Consulting.

3 A more comprehensive list of tools and an explanation of each toolset category are set out later in this handbook.
4 Online source: https://cyber.harvard.edu/cybersecurity/Flame, accessed: May 11 2018 @ 5:49 pm


Targeted

A targeted attack means that a system or organisation has been singled out by a hacker. The survey phase of the attack could have taken months to prepare. A targeted attack is typically costlier and more damaging because the capabilities deployed are peculiar to the systems of the organisation. A targeted attack will require specific programming and typically the knowledge of more than one system to deliver the capabilities, breach the layers of defence, and hit the target. Typical attack methods include: spear-phishing5 (targeting an employee to gain access to systems), deployment of a botnet6 (using a collective and cooperative group of computers to deploy the attack), and subverting the supply chain (diverting equipment temporarily to implant a new capability on the equipment and then return it to the supply chain for provisioning inside the organisation).

Arbitrary

An arbitrary attack means that your system or organisation is just one of many that has been targeted. The survey phase is typically short, which means the hacker has little knowledge of your specific systems or organisation. The attacker in this case has probably made thousands of indiscriminate attacks in the hope that a system has a vulnerability which allows the attack to breach and affect the target systems. Typical attack methods include: phishing (sending out emails with requests for access with a false pretext to justify the email), water-holing (setting up a similar looking website to take advantage of website visitors), ransomware (encrypting data and then offering the decryption keys to make the data readable again, but for a payment), and scanning (attacking large numbers of computers on the Internet with no pattern).

Not All Hackers Are Enemies

‘Black Hats’

‘Black Hats’ are unethical hackers who are not authorised to perform the hacking activities. In most jurisdictions around the world today, hacking is a crime. Hackers operate outside the law and have a malicious intent and can take years to track down and convict for their offences.

‘White Hats’

‘White Hats’ are ethical hackers who are authorised to perform the hacking they perform, sanctioned by the system owners to penetrate the system and to help the system owner better protect it. They are also known as penetration testers. In some cases, like the well-known case of Kevin Mitnick, the twice-convicted hacker who now runs a legitimate business in computer security consulting, ‘Black Hats’ can become ‘White Hats’ and it can be very profitable to do so.

5 See Annex D for an explanation of the term ‘spear-phishing’. 6 See Annex D for an explanation of the term ‘botnet’.


Section II: Designing the Cyber Security Framework

Assemble the Framework If a cyber security framework is to be considered comprehensive, i.e. leaving as few vulnerabilities as possible, then cyber security tools and toolsets, techniques, and capabilities should be implemented in each of these core functional areas: identify, protect, detect, respond, recover.

Figure 5: A comprehensive cybersecurity protocol implements tools/toolsets, techniques, and capabilities for five core functions (NIST 2018).

Actions
4. Create an electronic (or paper-based) folder for your organisation’s cybersecurity protocol.
5. Insert a divider labelled: [Overview].
6. Insert five additional dividers and label them, one for each of the five functional areas: [Identify], [Protect], [Detect], [Respond], [Recover].
Information you create as we work through this handbook will be recorded in one or more of these sections. The folder will represent your organisation’s cyber security protocol.

1. Know the Applicable Laws and Regulations The rights and responsibilities of the organisation, under the respective laws and regulations of the jurisdiction in which the organisation operates, should be known. This may involve obtaining legal and regulatory advice. The rights and responsibilities of the organisation might require special consideration in the cyber security framework. For example, if users have a ‘right to be forgotten’, then the organisation will be obliged to provide assurance that data removal takes place and can be proved. It is common for organisations to have to comply with many laws/regulations (and cyber security frameworks), e.g. a government department might have to comply with a privacy law, an electronic identity law, an electronic communications law, a crimes law, a sector strategic plan, and a national cyber security policy.

Action 7. Make a list of the policy, legal, and regulatory instruments that pertain to your organisation [Governing Instruments]. You may need to get legal advice to know which instruments are relevant. These documents are typically published by your government and/or industry/sector regulator. You may also need to consult with your executive team to determine the relevant instruments. File this document in the [Overview] section of your cyber security protocol.

2. Apply International Standards To develop an effective cyber security framework, reliance can and should be placed on existing good and best practices. Reliable sources of these practices are international standards, publications by industry associations, and cyber security assessment frameworks.


The best-known international cyber security standard, which specifies an information security management system (ISMS), is the ISO/IEC 27000 family of standards. Publications from the Center for Internet Security (CIS) and the SANS Institute’s “Reading Room” are also well-respected sources of cyber security standards and guidelines. Guidance on how to structure and implement a comprehensive cyber security framework can also be found in assessment frameworks (those used to score and rank the cyber security capabilities of countries and organisations among their peers), like the Cybersecurity Capacity Maturity Model for Nations (CMM) published by the Global Cyber Security Capacity Centre (GCSCC).7 Knowing what cyber security assessments are made is helpful in designing an organisation’s cyber security “stance”.

Action

8. Make a list of or add to the previous list [Governing Instruments] the international, regional, or industry standards that your organisation is governed by. Differentiate between compulsory and voluntary standards. You may need to consult with your executive team to determine the relevant instruments.

3. Take Account of National Frameworks (if any) Next, reference to regional and/or national cyber security frameworks can help to identify specific considerations to make. In some cases, regional/national frameworks have been derived from international standards, and in those cases there will be a good fit between them. Some examples of national cyber security frameworks are listed here:
• National Cyber Security Policy (Samoa);
• ISKE (Estonia);
• IT “Grundschutz” (Germany);
• Information Security Manual (ISM) (Australia and New Zealand)8; and
• Cyber Security Framework (CSF) (National Institute of Standards and Technology, United States).

Action

9. Make a list of or add to the previous list [Governing Instruments] the national cyber security frameworks or policies that your organisation is governed by. In Samoa, this might be the Samoa National Cyber Security Policy 2016-2021. You may need to consult with your executive team to determine the relevant instruments.

4. Take Account of Sector Frameworks (if any) Depending on which sector your organisation belongs to, there may also be relevant and useful frameworks that apply to the sector as a whole. Sector-specific cyber security frameworks are more specific in their descriptions and prescriptions, accounting for the particular characteristics and requirements of organisations in that sector. For example, a financial institution that provides a payment card for customers to access their funds and make payments requires special cyber security provisions to protect the information on the payment card. The Payment Card Industry Data Security Standard (PCI DSS) framework identifies the vulnerabilities, risks, threats, controls, measures, and metrics that need to be considered to protect card information.

7 Said Business School, University of Oxford. 8 Both Australia’s and New Zealand’s national cyber security frameworks are named the same.


Actions 10. Make a list of or add to the previous list [Governing Instruments] the sector- or industry-specific policies that your organisation is governed by. You may need to consult with your executive team to determine the relevant instruments.

5. Identify Risks Relevant to the Organisation To prioritise and sequence which cyber security risks are relevant to the organisation (and therefore addressed by the cyber security framework to be designed and implemented), a risk assessment should be conducted. This is also referred to as a ‘threat assessment’. The organisation’s board or strategic managers should determine which risks are to be mitigated, based on the likelihood that the risk might materialise and the effect on the organisation should it do so. For example, if the data logged by a microcontroller embedded in the air conditioning system about temperature at particular dates and times are of low commercial value to the business of a car dealership, then investing in a more expensive air conditioning system with encrypted data logging would be unnecessary. However, if the same car dealership might lose its customer and financial records because its servers were located on the premises next to a high-pressure water reservoir, and that scenario was assessed as having a high likelihood and a high impact, then it would make sense for the organisation to mitigate the threat of a water tank rupture in the cyber security protocol. To undertake the risk assessment, review the threat taxonomy in Annex E and describe each threat in terms of likelihood and impact, both quantitatively and qualitatively.

Actions

11. Review each instrument listed [Governing Instruments]. Identify all clauses that require your organisation to protect a resource (data, systems, assets or capabilities). Protection might be of confidentiality, integrity, or availability. It is often helpful to create a table in a new document [Resources]. List every resource requiring protection, and include a column for a rating of the confidentiality, integrity, and availability levels that should apply to the resource. These dimensions might be rated low, medium, and high. For example, a requirement in a regulation might read: “…your organisation must keep a register of all cash payments received and all changes to that register of information must be recorded for auditing purposes…”. To deal with this requirement in your cyber security protocol, you might list “cash payments data” as the resource, and assess confidentiality as medium, integrity as high, and availability as low. The end result of this action is a comprehensive list of the resources [Resources] in the organisation that require protection and the degree and type of those protections. This list [Resources] can be filed in the [Identify] section of your cyber security protocol folder.

6. Determine the Scope The scope of the cyber security framework will determine what data, systems, assets, and capabilities are protected. But rarely do organisations work in complete isolation from all others. Typically, they rely on resources that are produced by other organisations, and provide goods and services to yet other organisations. So the risks to interruption of trading partners’ businesses have an indirect effect on the organisation. Interruption to suppliers might also need to be addressed within the scope of the cyber security framework.


Figure 6: Define the scope of your cyber security protocol by understanding dependencies to protect your resources. [Figure: a diagram titled ‘Scope of the Cyber Security Protocol’ with Your Organisation at the centre, surrounded by Suppliers X, Y and Z, Customers 1, 2 and 3, and Service Providers A, B and C; a second tier of Suppliers B-X, B-Y, B-Z and Service Providers B-A, B-B, B-C is attached to Service Provider B, illustrating dependencies two degrees removed from the organisation.]

A well-known example of an organisation identifying its cyber security boundary along its value chain is that of Apple. Apple works intensively with key suppliers to prevent theft of intellectual property, ward off attempts at industrial espionage, and extends its own cyber security protocol into the organisations of its key suppliers. A well-known example of a government that underestimated the scope of its cyber boundary is Estonia in 2007. Having moved most government services online, the country was hit by a sustained wave of distributed denial-of-service (DDoS) attacks that disrupted government, banking, and media websites for several weeks. The key consideration to make when determining the scope of the cyber security policy is how many degrees of separation the scope implies. Does the policy apply to just the organisation (one can think of this as zero degrees of separation), or does it apply to the organisation and its immediate suppliers and customers (one degree of separation), or does it apply to longer segments of the whole supply/value chain of which the organisation is a part (two or more degrees of separation)? In the case of a government department, the key consideration is similar, but instead of ‘customers’ it would be asked how ‘citizens’ and other actors in civil society would be treated in the cyber security policy.

Actions 12. In your resource list above [Resources], flag if there are external dependencies with other organisations to maintain the CIA of one or more resources. For example, an external dependency would exist for your organisation if it depended on a bank or banks and a banking system to keep electronic records of cash or other financial transactions involving your organisation. Form a new list [External Dependencies] of resources and the organisations for which there is an external dependency involved in maintaining security over the resource. You can file that list in the [Identify] section of your cyber security protocol.


13. Now, you are in a position to conduct a threat and risk assessment [Threat Assessment]. This action helps you to estimate the likelihood and impact of each kind of threat to your organisation’s resources. For each resource in your resource list above [Resources] and each aspect of the CIA triad you have rated, consider each category of threat in the threat taxonomy in Annex E. Not all threats will be relevant. Only if a threat is relevant should you go further and assess the likelihood and impact of the threat regarding the confidentiality, integrity, or availability of the resource. Ideally, use a numerical rating, if possible. Impact can be scored from 1 = little to no impact on the organisation to 5 = a severe impact that prevents the organisation from operating altogether. Likelihood can be scored from 1 = very unlikely to 5 = highly probable. The impact and likelihood scores can be multiplied together to give a risk rating. All of the risks can then be ranked by that rating. You can file the [Threat Assessment] in the [Overview] section of your cyber security protocol.
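The scoring in Actions 11 to 13 is easy to do inconsistently by hand once there are more than a handful of resources. The following Python script is an added worked example, not part of the handbook: it records each relevant (resource, CIA aspect, threat) combination with the 1 to 5 scores described above, rejects scores outside the scale, computes the rating as likelihood multiplied by impact, and renders the ranked register. The resources, threats and scores are constructed for illustration, and the low/medium/high bands are an assumption to be set with your board.

```python
"""Added example for Actions 11-13: build and rank a [Threat Assessment]
register using the handbook's scheme (impact 1-5, likelihood 1-5,
risk = impact x likelihood). Sample data below is constructed."""
from dataclasses import dataclass

ASPECTS = {"C": "confidentiality", "I": "integrity", "A": "availability"}


@dataclass(frozen=True)
class Assessment:
    resource: str     # an entry from the [Resources] list
    aspect: str       # "C", "I" or "A"
    threat: str       # a threat category from the taxonomy (Annex E)
    likelihood: int   # 1 = very unlikely ... 5 = highly probable
    impact: int       # 1 = little or no impact ... 5 = cannot operate

    def __post_init__(self):
        # Reject anything off the scale so one typo cannot skew the ranking.
        if self.aspect not in ASPECTS:
            raise ValueError(f"aspect must be one of {list(ASPECTS)}, got {self.aspect!r}")
        for label, score in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= score <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {score}")

    @property
    def rating(self) -> int:
        """Risk rating exactly as the handbook defines it."""
        return self.likelihood * self.impact


def risk_band(rating: int) -> str:
    """Map a 1..25 rating to a treatment band. These thresholds are an
    assumption for the example; agree your own with the board."""
    if rating >= 15:
        return "high"
    if rating >= 8:
        return "medium"
    return "low"


def rank(assessments):
    """Highest rating first; ties broken by resource then threat name so
    the register is stable from one run to the next."""
    return sorted(assessments, key=lambda a: (-a.rating, a.resource, a.threat))


def register_lines(assessments):
    """Render the ranked register as plain-text lines for the protocol folder."""
    lines = ["rank  rating  band    resource              aspect           threat"]
    for i, a in enumerate(rank(assessments), start=1):
        lines.append(f"{i:<5} {a.rating:<7} {risk_band(a.rating):<7} "
                     f"{a.resource:<21} {ASPECTS[a.aspect]:<16} {a.threat}")
    return lines


# Constructed sample in the spirit of the car-dealership scenario above.
SAMPLE = [
    Assessment("customer records", "A", "water tank rupture (flooding)", 4, 5),
    Assessment("customer records", "C", "ransomware / data theft", 3, 4),
    Assessment("cash payments data", "I", "unauthorised edit by staff", 2, 5),
    Assessment("air-con temperature log", "C", "eavesdropping on sensor data", 2, 1),
    Assessment("file server", "A", "power failure", 3, 3),
]

if __name__ == "__main__":
    print("\n".join(register_lines(SAMPLE)))
```

Running the script ranks the flooding scenario first (4 x 5 = 20, high) and the air-conditioning log last (2 x 1 = 2, low), which is the ordering the handbook's example argues for; the point of the script is that every entry was scored on the same scale and the ranking is reproducible.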

7. Understand the Essential Design Principles There is no ‘magic bullet’ to designing and implementing a cyber security framework, but there are some well-established design principles to follow. Adherence to the following principles will maximise the robustness of your cyber defences, minimise vulnerabilities in the design, and make the cyber security protocol responsive to change in the context, all while minimising the resources needed to implement and maintain defences. The essential design principles are:

Defence-in-Depth: implement this principle by designing complete perimeters or layers of defence around resources. These perimeters can comprise physical and/or logical controls. An example of a physical control might be a server room with a fingerprint scanner. An example of a logical control might be permissions granted to the user only to allow reading data from a file server folder, but not writing to the folder. Tools to help implement this principle include the use of firewalls, stateful packet inspection services9, demilitarised zones, VLANs, VPNs, and proxy services.

Actions
14. Draw a map of your organisation’s compound, building, and floor layout. You could call this document [Resource Locations]. This document can be placed in the [Identify] section of your cyber security protocol.
15. Depict fences, walls, checkpoints, doors, and internal partitions on the map.
16. Mark out the locations where staff work from.
17. Mark the physical locations of resources: data, systems, assets, capabilities (i.e. where the people with those capabilities typically work from). Examples of resources to mark on the map include: wireless access points, servers, cable runs, patch panels, wiring cabinets, power and data distribution facilities, power sources, ISP ‘points of presence’, lighting, and emergency services and marshalling areas.
18. Mark out routes for entering and exiting your organisation’s compound, building, and floors.
19. Determine if closed perimeters can be drawn around resources, particularly data, systems, and assets. Then determine if additional and concentric perimeters can be drawn around resources. If not, consider moving resources within your organisation so that perimeters can be made. Ideally, the most important resources should be innermost.

9 Stateful packet inspection tracks the state of each connection (for example, the TCP handshake) at the network and transport layers of the OSI reference model, so that a firewall evaluates each packet in the context of the connection it belongs to rather than in isolation; packets that do not belong to an established or expected connection are dropped. See Annex D for a fuller explanation.


Monitor and Log Network Control Points: implement this principle by putting in place monitoring and logging of access at each point of control in your organisation’s infrastructure. The monitoring and logging system itself should also be secured (in fact, destruction of monitoring and access logs is often part of a well-executed cyber-attack), so logs should be copied promptly to a system that the monitored hosts cannot modify. Log exceptional events first, creating an alert only when a noteworthy event takes place, rather than alerting on every single event around a control point. Then expand the monitoring and logging protocol to account for other noteworthy events, as more focus is required to understand what is happening on the network. Start with only the critical control points first, then expand to other control points in time. Too many alerts will just become unactionable “noise”.
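What “alert only on noteworthy events” looks like in practice is easier to see with code than with prose. The following Python script is an added example, not the handbook’s own, and runs over a constructed log of logon events at one control point (a domain controller named dc01). The log format, the thresholds, and the three rules (repeated failures from one source inside a time window, a successful logon following several failures for the same account, and the audit log being cleared) are assumptions for the example; adapt the regular expression and the rules to whatever your own control point actually emits.

```python
"""Added example for 'Monitor and Log Network Control Points': reduce raw
access events at one control point to a few actionable alerts.
Log format and sample lines are constructed; they are not real logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: <ISO timestamp> <host> <event> <result> key=value ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<result>\S+)(?P<kv>(?: \w+=\S+)*)$"
)

FAIL_THRESHOLD = 5             # failures from one source inside WINDOW -> alert
WINDOW = timedelta(minutes=2)
SUCCESS_AFTER = 3              # success following this many failures -> alert


def parse(line):
    """One log line -> dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    try:
        ts = datetime.fromisoformat(d["ts"])
    except ValueError:
        return None
    rec = {"ts": ts, "host": d["host"], "event": d["event"], "result": d["result"]}
    for pair in d["kv"].split():
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec


def detect(lines):
    """Return [(alert_kind, detail), ...]; most events produce nothing."""
    alerts = []
    recent_failures = defaultdict(deque)   # source address -> failure timestamps
    failures_by_user = defaultdict(int)    # account -> failures since last success
    for line in lines:
        rec = parse(line)
        if rec is None:
            alerts.append(("UNPARSEABLE", line.strip()))  # a broken parser hides attacks
            continue
        if rec["event"] == "audit-log" and rec["result"] == "CLEARED":
            alerts.append(("LOG_CLEARED", f"{rec['host']} cleared by {rec.get('user', '?')}"))
            continue
        if rec["event"] != "logon":
            continue
        src, user = rec.get("src", "?"), rec.get("user", "?")
        if rec["result"] == "FAILURE":
            window = recent_failures[src]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > WINDOW:   # drop stale failures
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("BRUTE_FORCE", f"{len(window)} failures from {src} within {WINDOW}"))
                window.clear()          # one alert per burst, not one per extra failure
            failures_by_user[user] += 1
        elif rec["result"] == "SUCCESS":
            if failures_by_user[user] >= SUCCESS_AFTER:
                alerts.append(("SUCCESS_AFTER_FAILURES",
                               f"{user} logged on from {src} after {failures_by_user[user]} failures"))
            failures_by_user[user] = 0
    return alerts


# Constructed sample: one ordinary user, a password-guessing burst against
# 'admin' that eventually succeeds, a typo by 'bob', and the log being cleared.
SAMPLE_LOG = """\
2018-05-23T09:00:00 dc01 logon SUCCESS user=alice src=10.0.0.12
2018-05-23T09:00:05 dc01 logon FAILURE user=admin src=203.0.113.5
2018-05-23T09:00:10 dc01 logon FAILURE user=admin src=203.0.113.5
2018-05-23T09:00:15 dc01 logon FAILURE user=admin src=203.0.113.5
2018-05-23T09:00:20 dc01 logon FAILURE user=admin src=203.0.113.5
2018-05-23T09:00:25 dc01 logon FAILURE user=admin src=203.0.113.5
2018-05-23T09:00:30 dc01 logon FAILURE user=admin src=203.0.113.5
2018-05-23T09:00:35 dc01 logon SUCCESS user=admin src=203.0.113.5
2018-05-23T09:01:00 dc01 logon FAILURE user=bob src=10.0.0.12
2018-05-23T09:01:05 dc01 logon SUCCESS user=bob src=10.0.0.12
2018-05-23T09:02:00 dc01 audit-log CLEARED user=admin
""".splitlines()

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    print(f"{len(SAMPLE_LOG)} events -> {len(found)} alerts")
    for kind, detail in found:
        print(f"{kind}: {detail}")
```

Eleven events become three alerts, and the one that matters most for this principle is LOG_CLEARED: clearing the audit log is rarely legitimate outside a change window, and an attacker who can do it on the host can also suppress the other two alerts unless the log has already been shipped elsewhere.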

Actions
20. On each perimeter, identify control points: points of entry and exit through the perimeter. Remember that control points may be logical or physical. An example of a logical control point might be the Microsoft Active Directory server on your domain which logs all file access attempts to the security events log. An example of a physical control point might be the server room door.
21. Identify and list the control points in a new document. Refer to the CIS Controls (CIS 2018) for a comprehensive list of controls that can be applied at each control point. Also see the sections ‘Natural Access Control’ and ‘Target Hardening’ below. You can call this document [Control Points]. This document can be placed in the [Identify] section of the cyber security protocol.

Maintain Log Archives: implement this principle by naming all log files consistently. Keep in mind that it will be important to identify the control point that a log pertains to, especially in the case of a cyber security incident or emergency. Wherever possible centralise log management and use a single log management application.

Action
22. Ensure that the locations of archives, ‘at rest’, ‘in motion’, and ‘in use’, are also noted in [Resources] and [Resource Locations].

Least Privilege: sometimes called the principle of ‘least authority’, implement this principle by always granting access to a computing resource to the minimum number of people, and at the minimum needed level, first. In time, as and when users request greater access for legitimate reasons, greater levels of access can be granted.

Action
23. Write an access control policy for system administrators stating that the organisation will administer access to resources based on the principle of least privilege. You can name this document [Policy: Access Control]. File this policy in the [Protect] section of your cyber security protocol.

Patch and Configuration Management: implement this principle by applying hypervisor10, operating system, and application “patching”11. To do this, record the version numbers (version, major build, minor build) of each hypervisor, operating system (including virtual ones), and application operating on the network. Keep original vendor-supplied images of all software, with the accompanying hashed digests, so that tampered or malicious images can be detected before they enter the network. Automate patching wherever possible, for example using an update server for anti-virus software or operating systems. Reduce the organisation’s exposure by reducing the number of applications in use. Keep a single register of this information with dates and version numbers to be able to identify the chronology of changes for every system.

10 A hypervisor is the software layer (often a minimal, purpose-built operating system) that hosts virtual machines. It sits between the server hardware and the guest operating systems it runs, and isolates the guests from one another. See Annex D for a fuller explanation. 11 See Annex D.


Actions
24. Create an inventory of the applications in use at your organisation in the form of an [Application Inventory] document. Include hypervisors, operating systems, and utilities. You can file this document in the [Identify] section of your cyber security protocol.
25. Locate or create installation media or “images” of the applications in your inventory.
26. Create or record hashed digests for each application image. Use SHA-256 (from the SHA-2 family) or SHA-3; do not use MD5 or SHA-1, because collisions can be constructed for both12, so a tampered image could be made to match a recorded digest. Where the vendor publishes digests for its images, check your computed digest against the vendor’s before recording it. Record these hashes in your [Application Inventory] document as well as the path to their location.
27. Store these images in a secure folder on your file system (or on offline and off-site media) and keep them up to date as your applications are updated and upgraded. A cybersecurity incident could make it necessary to access these images and re-install software from them, back to a trusted and known version.

Natural Access Control13: make it clear where people are supposed to be and not supposed to be. For example, painting the floor and doorway of a server room red implies a warning. Arranging desks and partitions to delineate staff space from visitor space provides visual cues that deter misuse of space and wandering. The office layout can be used to guide a visitor or a member of staff to where they should be and can imply where they should not be.

Natural Surveillance: position ICT infrastructure and resources, such as wiring closets, wireless access points, guest resources, and emergency alarms, in plain sight of staff. Locating resources in places that are easily visible to many people deters tampering because it cannot be done easily without being noticed.

Territorial Reinforcement: use visual cues and physical objects to communicate ownership of the ICT resources. Examples of this include using fences, coloured footpaths or flooring, signs, barriers, and obstacles.
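Actions 25 to 27 above come down to two operations: fingerprint each image once, and check the fingerprint again before the image is trusted. The following Python script is an added example, not the handbook’s own, using only the standard library. It hashes files in chunks (so a multi-gigabyte ISO does not have to fit in memory), records the digests as an inventory, and re-verifies them, reporting a changed image separately from a missing one. The file names and contents in demo() are constructed for illustration.

```python
"""Added example for Actions 25-27: fingerprint installation images with
SHA-256 and verify them before reinstalling from them. The 'images' in
demo() are constructed; nothing here is the handbook's own code."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large ISOs are not loaded into RAM


def sha256_file(path):
    """Hex SHA-256 digest of a file. MD5 and SHA-1 are deliberately not
    offered: practical collision attacks exist for both, so a tampered
    image could be crafted to match a digest recorded in the inventory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(paths):
    """[Application Inventory] entries, path -> digest, recorded when an image
    is first obtained. Compare against the vendor's published SHA-256 at that
    point: a digest you computed yourself only proves the file has not
    changed since you recorded it, not that it was genuine to begin with."""
    return {p: sha256_file(p) for p in paths}


def verify(inventory):
    """Re-check every recorded image before it is used for a reinstall.
    Returns path -> 'ok' | 'MISMATCH' | 'MISSING'."""
    status = {}
    for path, expected in inventory.items():
        if not os.path.exists(path):
            status[path] = "MISSING"
        elif sha256_file(path) == expected:
            status[path] = "ok"
        else:
            status[path] = "MISMATCH"
    return status


def demo():
    """Constructed scenario: record two fake images, then corrupt one byte of
    the first and delete the second. Returns verify() results, keyed by file
    name, before and after the tampering."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "office-suite-1.2.3.iso")
        msi = os.path.join(d, "av-agent-9.0.1.msi")
        with open(iso, "wb") as f:
            f.write(b"A" * (CHUNK + 17))  # constructed content, just over one chunk
        with open(msi, "wb") as f:
            f.write(b"constructed agent installer v9.0.1")
        inventory = build_inventory([iso, msi])
        before = verify(inventory)

        with open(iso, "r+b") as f:       # flip a single byte in the second chunk
            f.seek(CHUNK)
            f.write(b"B")
        os.remove(msi)
        after = verify(inventory)

    name = os.path.basename
    return ({name(p): s for p, s in before.items()},
            {name(p): s for p, s in after.items()})


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

A single flipped byte in a file of just over one megabyte is enough to change the digest completely, which is what makes the inventory useful: the check is cheap, and it fails loudly for any modification, not only for large ones. Keep the inventory itself somewhere the images’ storage location cannot write to, otherwise whoever replaces an image can update its recorded digest too.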

Action
28. Create a new site and floor plan that implements the above principles of: natural access control, natural surveillance, and territorial reinforcement. Call this document [Floorplan]. File the [Floorplan] in the [Identify] section of your cyber security protocol. This is not necessarily the same as the [Resource Locations] map. It is the desired layout and configuration of physical assets, data, and systems, which you can work towards over time.

Target Hardening: use physical barriers and security devices to make ICT resources hard to access. This could be in the form of key locks on USB ports to prevent the introduction of removable media to the network; locks on wiring and server cabinets; and zip ties with tamper-evident seals to secure cable runs.

Action
29. Review the resources in your [Resources] document and flag which of those resources can benefit from target hardening. These flags will identify which resources need to be secured and you can work towards securing them over time.

12 The MD5 hashing algorithm has been broken for some time, i.e. it has been shown that two files can be constructed to result in the same MD5 hash, making the algorithm unsuited to secure file fingerprinting. In February 2017, Google and Centrum Wiskunde & Informatica (CWI), the Dutch mathematics and computer science research institute, published the first practical collision for SHA-1 (the ‘SHAttered’ attack), the algorithm often used as the successor to MD5 for creating hashed digests of digital files. Google, Microsoft, Apple, and Mozilla all announced that their browsers would stop accepting SHA-1 SSL certificates in 2017. 13 Krehnke, 2009.


Confidentiality-Integrity-Availability (CIA): Cyber security protections must safeguard one or more of these three aspects of resources (data, systems, assets, and capabilities). For example, an organisation’s risk management policy might say that: ‘citizens must have access to their data within 48 hours of requesting it.’ This is a statement of an availability objective. Each dimension of the security triad (CIA) will require different approaches and tools/toolsets for implementing safeguards:
• Maintaining confidentiality will require the use of password managers, encryption, and obfuscation tools, applied to data ‘at rest’, ‘in motion’, and ‘in use’.
• Maintaining integrity will require the use of version control systems, hashed digests and digital signing infrastructure, and specialised proxy servers to mediate between a user and/or system request to perform operations on data, and the eventual performance of those operations.
• Maintaining availability will imply the need for multiple network links between users and computing services; copies of data, backup operating system and application installation images; backup and recovery plans; disaster preparedness; and business continuity processes.

For further explanation of the CIA security services, see Annex B: The Triad of Security Services.

Protect Data ‘At Rest’, ‘In Motion’, and ‘In Use’: ask the question: “Over the lifecycle of my data, where is it ‘at rest’, ‘in motion’, and ‘in use’?” Target the question at each resource in the organisation (data, systems, assets, and capabilities). Account for mobile access, remote connectivity, and hybrid-cloud and cloud-based services when accounting for these locations and paths.

Action
30. Review your [Resources] list and identify tools and toolsets from Annex F: Tools and Toolsets that provide the degree of security service (i.e. CIA) required for each resource. Think about when the resource is ‘at rest’, ‘in motion’, and ‘in use’. This will require research on your part as to what each tool does specifically and how it can be used to secure the CIA of resources in one or more of these three states.

Appropriate Access Control Methods: select the right access control method for the job, choosing from: attribute-based, discretionary, identity-based, and role-based methods.14

Action
31. Identify a suitable access control method for electronic data in your organisation. A common approach is a combination of role-based and discretionary access control. If your organisation runs a Windows domain, implementing role-based and/or discretionary access control is easily achieved using the Active Directory service. See Annex H: Microsoft Active Directory for more information. Update the [Policy: Access Control] document to reflect the roles to be implemented in the organisation and the privileges they will be assigned.

Control Removable Media: restrict the ways that media can be brought into and taken out of the organisation. Typical controls include the protection or locking of ports on computers and a policy prohibiting the connection of devices unknown to the organisation, such as guests’ computers or mobile devices.
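The ‘Least Privilege’ principle and Action 31 describe a combined role-based and discretionary model but leave the decision logic implicit. The following Python script is an added example, not the handbook’s code and not Active Directory: it is a minimal policy engine in which a user gets only what a role explicitly grants (role-based), a resource owner may widen access for a named user (discretionary), and anything not granted is denied. The roles, users, resource and names are constructed for illustration.

```python
"""Added example for 'Least Privilege' and Action 31: default-deny access
checks combining role-based and discretionary access control.
All roles, users and resources here are constructed."""
from dataclasses import dataclass, field

READ, WRITE, DELETE = "read", "write", "delete"

# Role-based part: what each role may do on each kind of resource.
# DELETE is granted to no role, so nobody can delete until a role is changed.
ROLE_PERMISSIONS = {
    "cashier":  {"cash-payments": {READ, WRITE}},
    "auditor":  {"cash-payments": {READ}, "audit-log": {READ}},
    "it-admin": {"audit-log": {READ}},   # operators read logs; they do not rewrite them
}


@dataclass
class Resource:
    name: str
    kind: str                                # matches the keys in ROLE_PERMISSIONS
    owner: str
    acl: dict = field(default_factory=dict)  # discretionary part: user -> permissions

    def grant(self, granted_by, user, permissions):
        """Discretionary access control: only the owner may widen access."""
        if granted_by != self.owner:
            raise PermissionError(f"{granted_by} is not the owner of {self.name}")
        self.acl.setdefault(user, set()).update(permissions)


def permitted(user, roles, resource, action):
    """Default deny: True only if one of the user's roles, or an owner-granted
    ACL entry for this user, explicitly allows the action on this resource."""
    for role in roles:
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource.kind, set()):
            return True
    return action in resource.acl.get(user, set())


def audit(user, roles, resource, action):
    """The line a control point should log: decision, who, what, on which."""
    decision = "ALLOW" if permitted(user, roles, resource, action) else "DENY"
    return f"{decision} {user} {action} {resource.name}"


# Constructed users and their roles for the demonstration.
USERS = {"mele": ["cashier"], "tavita": ["auditor"], "sina": []}

if __name__ == "__main__":
    register = Resource("cash-register-2018", "cash-payments", owner="finance-manager")
    for user, roles in USERS.items():
        for action in (READ, WRITE, DELETE):
            print(audit(user, roles, register, action))
    # The owner grants Sina read access for one audit; nothing else changes.
    register.grant("finance-manager", "sina", {READ})
    print(audit("sina", USERS["sina"], register, READ))
```

Two properties of this arrangement carry over to any real directory: a new user with no roles can do nothing until someone deliberately adds them (the “minimum first” rule in the text), and widening access is itself a privileged action, recorded against the owner who performed it.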

14 See Annex D for an explanation of each access control method.


Figure 7: USB port locks with key, and a notebook computer with a USB lock in place.

Actions
32. Consider the locking of all USB ports on the organisation’s computers. This can be done using USB locks. Update the [Policy: Access Control] to state your organisation’s position on the use of removable media on work computers.
33. Consider implementing a guest network, distinct from your organisation’s local area network, separated by a VLAN or router. Update the [Policy: Access Control] to reflect the use of a guest network for Internet access by guests of the organisation. You can extend this action further and create networks for visiting consultants or to separate departments from one another.

Multi-Factor Authentication (MFA): authentication factors fall into three categories: (i) something you are, (ii) something you know, and (iii) something you have. An example of something you are is a biometric, such as a fingerprint or a retinal scan. An example of something you know is a personal identification number (PIN) or password. An example of something you have is a hardware token or a mobile device linked to your identity registration (for example, one that receives or generates one-time codes). The factors must come from different categories: a password plus a PIN is still a single factor.

Write Issue-Specific Security Policies: write policy documents that staff must read and confirm that they have read. It is advisable to record their acknowledgement in their employment record. To determine what an issue is (in this context), think of the behaviours required to resolve a cyber security problem and write them out. The problem to be resolved is usually the issue that is the focus of the policy, and the statements of expected behaviour form the basis of the policy document.


Examples of common issue-specific security policies include:
• acceptable use
• risk management
• vulnerability management
• data protection, use, and retention
• access control
• log aggregation, retention, and auditing
• personnel security
• physical security
• secure application development
• change control
• email and internet use
• incident response
Examples of cyber security policies can be found at reputable sources like the SANS Institute15, and then customised to suit your organisation. The Accellis Technology Group’s “Cybersecurity Policy Handbook”16 provides a comprehensive list of policies you could consider for your organisation. Another good source of cybersecurity policy content is other government and government department websites, particularly from government departments of the ‘Digital Five’ (D5)17 group of countries.

Action
34. Write policies for issues relevant to your organisation. As suggested above, use other organisations’ policies as a guide. File these [Policy: Other] policies in the [Protect] section of the cyber security protocol.

Educate Users Early and Often: require new employees to familiarise themselves with the organisation’s security policies. Use computer-based and other forms of training and consider using certification and other incentives.

Actions
35. Require that all new employees know about, understand, and abide by the organisation’s cyber security policies. Incorporate this requirement in human resource management policy and keep records of staff performance in these respects.
36. Develop an online test for new employees that measures their understanding of the organisation’s cyber security policies, which they must pass.

Regular Audits: conduct spot-checks and more comprehensive audits, which can include: running an internal phishing program on your own employees;18 running exercises with penetration testing tools; setting up a “Red Team”19 to covertly create and launch cyber-attacks on your systems; and testing the organisation’s disaster recovery plan (DRP) and business continuity plan (BCP).

Actions
37. Select a phishing simulator tool and conduct an internal audit phishing exercise. You can call this [Internal Audit: Phishing]. See Annex F: Tools and Toolsets for a list of popular phishing simulation tools. You can file this in the [Detect] section of the cyber security protocol.

15 Online source: https://www.sans.org/security-resources/policies, accessed: May 23 2018 @ 4:05 pm. 16 Online source: https://accellis.com/wp-content/uploads/Cybersecurity-Policy-Handbook.pdf, accessed: May 26 2018 @ 5:07 pm. 17 The D5 consists of Estonia, Israel, New Zealand, South Korea, and the United Kingdom. 18 A simple phishing campaign can be executed by constructing an email which blind copies all staff, 19 See Annex D.


38. Develop a DRP for your organisation [DRP]. Although the creation of a DRP is outside the scope of this handbook, some sources of guidance to produce a DRP are included in Annex I: Resources for IT DR/BC Planning. The [DRP] should be referred to in the [Recover] section of your cyber security protocol.
39. Develop a BCP for your organisation [BCP]. Although the creation of a BCP is outside the scope of this handbook, some sources of guidance to produce a BCP are included in Annex I: Resources for IT DR/BC Planning. The [BCP] should be referred to in the [Recover] section of your cyber security protocol.

8. Communicate the Policy The cyber security protocol represents the organisation’s cyber security stance. It should explain how the stance compares to international and national standards (if any); good and best practices; national and sector-specific frameworks (e.g. the Samoa National Cyber Security Policy); the risks the organisation has identified and how they will be treated under the policy; and the scope of the policy (who does the policy apply to?). A cyber defence is only as strong as its weakest link. Staff compliance with cyber security rules and practices is most often the weakest link in a cyber defence. It is important that the cyber security policies are communicated to staff in terms of the desired behaviours they need to exhibit. Staff need to know that senior management have committed to a cyber security stance and have committed resources to establish and maintain that stance. Staff should be aware of the repercussions for the organisation (and possibly themselves) should they not maintain the correct behaviours. Staff should have opportunities to practise the expected behaviours, and regular internal audits can support behavioural change. Introducing and refining the cyber security protocol will also require a structured approach to change management. Staff will need to know how to prepare for a change, how to make the change, and be reminded that the change has taken place and is now “business as usual”. And this will need to be repeated.

Action 40. Write out a list of the communication steps you will perform to: (a) socialise your organisation to the cyber security protocol; and (b) to maintain awareness of the cyber security protocol. All changes expected of stakeholders (staff, partners, customers, citizens), brought about as a result of implementing the cyber security protocol, should be communicated well in advance of the date/time they will come into effect giving stakeholders adequate time to prepare. All communiques should state clearly when the change will take effect. You can call this document [Communications Plan] and file this in the [Protect] section of your cyber security protocol.


Section III: Implementing the Framework

Implementing the Core Functions

This section explains how to implement a cyber security framework’s core functions assuming that:
1. A list of all applicable laws/regulations has been identified;
2. International, national, and sector frameworks relevant to the organisation have been identified; and
3. A risk assessment has been undertaken that identifies what risks are relevant to the organisation, and what can be afforded given the organisation’s available resources.20

Figure 8: A comprehensive cybersecurity protocol implements tools/toolsets, techniques, and capabilities for five core functions (NIST 2018).

Implementing the tasks in the following five tables would be considered a best practice, consistent with most of the NIST Cyber Security Framework (NIST 2018). The actions listed throughout this handbook so far, however, represent a good start to cyber security operations for an organisation setting out to establish a cyber security capability for the first time – as would be the case for many Samoan organisations.

1. Identify

This function determines what to protect and is implemented by completing the following tasks:

01 Identify the critical resources (data, systems, assets, and capabilities) that need protection by the cyber security protocol.

Action 41. In the case of government departments and/or the broader Government of Samoa (GoS), it will be crucial to understand the government-owned data, systems, assets, and capabilities that are considered critical national infrastructure (CNI). A good example of CNI would be the Samoa National Broadband Highway (SNBH). The SNBH is the government-owned wide-area computer network for communications and applications and comprises a collection of data, systems, and assets in the custody of the Ministry of Communications and Information Technology (MCIT).

02 Identify all organisational data flows and lines of communication.
03 Identify all external information system dependencies, including cloud and hybrid-cloud services.
04 Assign an importance rating or classification to all identified resources to indicate their importance to the organisation.

Action 42. Create a document to define the data [Classifications] to be used in your organisation. You can file this document in the [Identify] section of your cyber security protocol.

20 A comprehensive threat taxonomy is provided in Annex E to assist strategic decision makers to undertake a risk assessment including assessing resource vulnerabilities and to determine which organisational risks will be dealt with – not every risk can be planned for. Remember to conduct risk assessments in both qualitative and quantitative terms, and involve both technical and strategic staff in doing so. Finally, recognise that each time the risk assessment is performed - and it is recommended that it is performed at least annually - the resources identified, and that need protecting, may change.


05 Identify all cyber security roles and responsibilities in the organisation.
06 Identify the organisation’s position in the “supply chain” and/or its role in “critical infrastructure”.
07 Communicate this position to other links in the supply chain or stakeholders (suppliers, customers, partners).
08 Identify the legal, regulatory, and sector obligations.
09 Alter the governance mechanisms to include cyber security risk management.
10 Identify all resource vulnerabilities.
11 Identify the likelihoods and impacts of risks identified earlier.
12 Identify the risk mitigation measures the organisation will take.
13 Write down and communicate the organisation’s security policy (based on all of the above).

2. Protect

Protections around resources usually comprise: (a) issue-specific policies, and (b) physical and logical/technical controls. A comprehensive list of the most widely used controls is published by the Center for Internet Security (CIS) (CIS 2018). The current list of controls (version 7) covers three categories: basic, foundational, and organisational; and 20 sub-categories of controls21. The list covers hundreds of controls and represents industry best practice. It has been developed with input from thousands of cyber security practitioners around the world. The protection function determines the safeguards to use and is implemented by completing the following tasks:

01 Identities and credentials are issued to all staff.
02 Physical resources (server rooms, power supplies, network termination equipment, etc.) are physically secured.
03 Remote access to the network and systems is secured.
04 Access permissions are managed according to “least privilege” (and, if applicable, “segregation of duties”).
05 Network segregation is implemented.
06 Users are informed about the changes and trained in how to gain access.
07 Administrators or highly privileged users are trained in their special responsibilities in the cyber security framework.
08 Partners, customers, and vendors are advised of the security changes.
09 Senior executives are trained in their rights and responsibilities in the cyber security framework.
10 Cyber security staff, which in the case of a smaller organisation will be the body of IT staff, are made aware of the rules of governance over the security protections.
11 Data ‘at rest’ are protected using encryption, obfuscation, and access control.
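Task 04 (least privilege, with segregation of duties where applicable) can be made concrete in code. The following is an added example written for this edit, not code from the handbook or from CIS: users are mapped to roles, roles to explicit (resource, action) permissions, anything not granted is denied, and a pair of roles that together would let one person both raise and approve a payment cannot be held by the same user. The role names (clerk, approver, auditor, admin), the resources and the conflict rule are constructed for illustration.

```python
"""Role-based access control with a least-privilege default (added example).

Users map to roles, roles map to (resource, action) permissions, and anything
not explicitly granted is denied. A segregation-of-duties rule refuses role
combinations that would let one person both create and approve a payment.
All role, resource and user names are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed role -> permission table; each permission is a (resource, action) pair.
ROLE_PERMISSIONS = {
    "clerk": {("payments", "create"), ("payments", "read")},
    "approver": {("payments", "read"), ("payments", "approve")},
    "auditor": {("payments", "read"), ("audit_log", "read")},
    "admin": {("users", "create"), ("users", "delete"), ("audit_log", "read")},
}

# Pairs of roles that one person must never hold at the same time.
CONFLICTING_ROLES = {frozenset({"clerk", "approver"})}


class SegregationOfDutiesError(ValueError):
    """Raised when a role assignment would violate segregation of duties."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing combinations that violate segregation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    for held in user.roles:
        if frozenset({held, role}) in CONFLICTING_ROLES:
            raise SegregationOfDutiesError(f"{user.name}: {held} and {role} conflict")
    user.roles.add(role)


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Default deny: True only if some held role explicitly grants (resource, action)."""
    return any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)


def effective_permissions(user: User) -> set:
    """Union of the permissions granted by the user's roles (useful for access reviews)."""
    perms = set()
    for r in user.roles:
        perms |= ROLE_PERMISSIONS[r]
    return perms
```

The important design choice is that is_allowed has no "allow" branch other than an explicit grant, so adding a new resource to the system grants nobody access until a role is updated; effective_permissions is what an access review would print per user to confirm that each person holds no more than their job requires.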

21 This footnote is an excerpt from the CIS Controls document and is included here for the reader to understand how to use the CIS Controls material: “The list of controls is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to the CIS Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”



Action 43. Select an encryption service and apply it to the computers of all managers and executives. Document the encryption method used in a new document [Data at Rest] and file it in the [Protect] section of your cyber security protocol. If the executive is using a computer running Windows 10, then the BitLocker encryption service could be enabled. If the executive is using a computer running macOS, then the FileVault encryption service could be enabled.

12 Data ‘in use’ are operated upon only by known versions of applications.
13 Data ‘in motion’ are protected by secure protocols: SSL, SSH, SFTP, and/or HTTPS.

Action 44. Install SSL certificates on your organisation’s website. Ensure the details of the certificate correspond precisely to the legally-recognised name of your organisation. Ensure the administrative contact details are linked to an email alias, to prevent personnel changes from invalidating the administrative contact details. Record this information in a new document, [Data in Motion] and file it in the [Protect] section of your cyber security protocol.

14 Physical assets are managed according to a strict “chain of custody” over their lifecycle (acquisition, transfer, removal, disposition).
15 Redundancy and backup/recovery are introduced into the infrastructure to meet availability requirements.
16 Removable media slots on devices are secured, printers use quotas, and email attachment monitoring is implemented to prevent leaks of data from the organisation.
17 Integrity checks are performed on all software images for firmware, hypervisors, operating systems, and applications.
18 Development, testing, and production environments are separated in distinct and secure network zones.
19 Baseline (i.e. initial) configurations of all resources are captured and recorded.

Action 45. Select a tool for calculating SHA-2 or SHA-3 digests on your platform (e.g. Windows, macOS, Linux). Use this tool to generate file fingerprints for all application images and configuration settings. You can perform the digest calculation operation on the entire folder containing all contents for an application, but recognise that this will not provide information on which file has been corrupted or tampered with, only that something in the folder has been altered since the original digest was calculated.
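The following is an added example (not the handbook’s own tooling) that extends the digest approach of Action 45 from a single folder digest to a per-file manifest, so that a later check reports which file changed, was added, or went missing, rather than only that something in the folder differs. It uses Python’s standard hashlib (SHA-256 by default; passing "sha3_256" selects SHA-3) and creates its own constructed sample files in a temporary directory, so it runs stand-alone.

```python
"""Build and verify a per-file SHA-256 manifest for an application folder (added example).

A digest over the whole folder only says that *something* changed; a per-file
manifest pinpoints which file was modified, added or removed. The sample files
are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so large images need not fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algorithm: str = "sha256") -> dict:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p, algorithm)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def folder_digest(manifest: dict, algorithm: str = "sha256") -> str:
    """One digest over the whole manifest: a compact baseline fingerprint to record."""
    h = hashlib.new(algorithm)
    for rel, d in sorted(manifest.items()):
        h.update(f"{rel}\0{d}\n".encode())
    return h.hexdigest()


def verify(root: Path, baseline: dict, algorithm: str = "sha256") -> dict:
    """Compare the folder against a recorded baseline and localise every change."""
    current = build_manifest(root, algorithm)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Record a baseline over constructed files, tamper with one, add one, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"\x4d\x5a constructed binary")  # constructed
        (root / "app.conf").write_text("listen=443\n")                           # constructed
        baseline = build_manifest(root)
        before = folder_digest(baseline)
        # Simulate a configuration change and an unexpected extra file.
        (root / "app.conf").write_text("listen=443\ndebug=true\n")
        (root / "extra.dll").write_bytes(b"constructed")
        report = verify(root, baseline)
        report["folder_digest_changed"] = folder_digest(build_manifest(root)) != before
        return report


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is what gets filed with the [Application Inventory]: keep it on media that the application host cannot write to, since a manifest stored beside the files it describes can be replaced along with them.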

20 Configuration change management is implemented so that changes are made incrementally and in a structured way, with a way to back out of the change if needed. 21 Backups of configuration information are kept and tested on a regular schedule.

Action 46. Add to the [Application Inventory] document in the [Identify] section of the cyber security protocol the location of, or the contents of, the configuration settings used in each application and system. Ideally, configurations should be maintained in the same way application images are maintained; commencing with a baseline configuration file and then with managed and controlled releases of changes. To get a sense for when application and configuration images need to be updated, ask the question: “How would I recover this application to its current state after an incident?”

22 Data destruction takes place in a secure way, both at a physical and a logical level.

Action 47. Develop a [Data Destruction] process document and file in the [Protect] section of the cyber security protocol. This document should outline the steps taken to destroy data once they have reached the end of their useful life. Examples of when to use the [Data Destruction] process include: when a computer or server has reached the end of its life and is to be disposed of, or when a computer is transferred from one user to another.

23 Incident response, disaster recovery, and business continuity plans are developed, documented, and managed.


24 Cyber security practices are included in the human resource management protocol (e.g. induction, transfer or termination, personnel screening, vetting, identity proofing, credential issuance, security clearances, etc.).

Action 48. Update your organisation’s human resource management processes to account for the provision of computing resources to an employee during the induction phase, and the deprovisioning of computing resources following transfer or termination. Include a mechanism for dealing with sudden termination of an employee, which will require the revocation of access to computing resources before the employee is notified of the termination. Document these four processes (Induction, Leaving, Transfer, Termination) in a [Human Resources Management] document in the [Protect] section of the cyber security protocol. Ensure the HR department adopts these process changes.

25 Repair and maintenance of organisational assets is logged, and also includes controls over custody at all times.
26 Remote access is logged and managed.
27 Monitoring and audit logs of all the control points are managed.
28 Communications and control networks are protected to ensure communication flows are available at all times.

3. Detect

This function detects cyber security incidents and is implemented by completing the following tasks:

01 Capture a baseline of network operations and network data flows for systems and users.
02 Analyse an incident to establish the intended target and the attack vector (delivery, breach, and affect).
03 Event data should be monitored and logged from multiple sources and sensors, and correlated.

Action 49. If you’re using Windows Active Directory, implement system auditing and logging. The service offers precise and detailed logging of data to the Windows security event log.

04 Incident monitoring and alert thresholds are determined and implemented.
05 Network is monitored.
06 Physical environment is monitored.
07 Personnel activity is monitored.
08 Malicious code can be detected at entry and egress points on the network.
09 Unauthorised mobile code is detectable on the network.
10 Intrusion detection is implemented for devices, personnel, connections, software, and media.
11 Vulnerability scans are performed regularly on the network.
12 Those responsible for executing cyber security incident detection tasks have the appropriate skills and know their roles and responsibilities.
13 When cyber security incidents occur, the appropriate personnel are alerted immediately.
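As an added example of tasks 03 and 04 (correlating event data from multiple sensors and applying alert thresholds), not taken from the handbook, the script below normalises constructed log lines from two made-up sensors, an authentication server and a firewall, into one event stream and raises an alert when suspicious events from one address exceed a threshold inside a time window, or when a successful login follows such a burst, which neither sensor on its own would rank as notable. The log formats, addresses, user names and thresholds are all assumptions for illustration.

```python
"""Correlate events from two constructed log sources and raise threshold alerts (added example).

Two sensors, an authentication server and a firewall, are normalised to one
event shape (time, source, ip, kind). A per-IP sliding window then flags
(a) repeated failures above a threshold and (b) a successful login that
follows a burst of failures. All log lines, addresses and names are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_RE = re.compile(r"^(\S+) auth: (FAILED|ACCEPTED) login for (\S+) from (\d+\.\d+\.\d+\.\d+)$")
FW_RE = re.compile(r"^(\S+) fw: (DENY|ALLOW) src=(\d+\.\d+\.\d+\.\d+) dst=\S+ dport=(\d+)$")

# Constructed sample lines from both sensors, already in time order.
SAMPLE_LOGS = """\
2024-01-10T09:00:01 fw: DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-01-10T09:00:05 auth: FAILED login for admin from 203.0.113.7
2024-01-10T09:00:09 auth: FAILED login for admin from 203.0.113.7
2024-01-10T09:00:14 auth: FAILED login for root from 203.0.113.7
2024-01-10T09:00:20 auth: FAILED login for admin from 203.0.113.7
2024-01-10T09:00:31 auth: ACCEPTED login for admin from 203.0.113.7
2024-01-10T09:05:00 auth: FAILED login for bob from 192.0.2.10
2024-01-10T09:15:00 auth: ACCEPTED login for bob from 192.0.2.10
"""


def parse_line(line: str):
    """Normalise one line from either sensor; returns None for lines it does not understand."""
    m = AUTH_RE.match(line)
    if m:
        ts, result, user, ip = m.groups()
        return {"time": datetime.fromisoformat(ts), "source": "auth", "ip": ip,
                "kind": "auth_fail" if result == "FAILED" else "auth_ok", "user": user}
    m = FW_RE.match(line)
    if m:
        ts, action, ip, port = m.groups()
        return {"time": datetime.fromisoformat(ts), "source": "fw", "ip": ip,
                "kind": "fw_deny" if action == "DENY" else "fw_allow", "port": int(port)}
    return None


def correlate(lines, fail_threshold: int = 3, window: timedelta = timedelta(minutes=1)) -> list:
    """Return alerts keyed by IP. Events must arrive in time order (sort them first if not)."""
    recent = defaultdict(deque)   # ip -> times of recent suspicious events (failures, denies)
    alerts, fired = [], set()
    for ev in filter(None, (parse_line(line) for line in lines)):
        q = recent[ev["ip"]]
        # Drop events that have fallen out of the sliding window.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if ev["kind"] in ("auth_fail", "fw_deny"):
            q.append(ev["time"])
            if len(q) >= fail_threshold and (ev["ip"], "burst") not in fired:
                fired.add((ev["ip"], "burst"))   # alert once per burst, not on every further failure
                alerts.append({"ip": ev["ip"], "rule": "burst", "count": len(q), "at": ev["time"]})
        elif ev["kind"] == "auth_ok" and len(q) >= fail_threshold:
            alerts.append({"ip": ev["ip"], "rule": "success_after_failures",
                           "user": ev["user"], "at": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

With the sample above, 203.0.113.7 produces a burst alert on its third suspicious event (the firewall deny counts alongside the failed logins, which is the point of correlating sources) and a second, higher-priority alert when the accepted login for admin follows that burst; bob’s single failure ten minutes before a success falls outside the window and raises nothing. The threshold and window are the values task 04 asks you to determine for your own environment.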


4. Respond

This function puts in place a mechanism for responding to incidents and is implemented by completing the following tasks:

01 Personnel know their roles and responsibilities during an incident, and the order in which corrective steps should be taken.

Action 50. Create a document called [Roles and Responsibilities] and file it in the [Respond] section of the cyber security protocol.

02 Notifications from detection systems can be effectively triggered and received by the right people.
03 Forensic analysis can be performed in a controlled and predictable way.
04 Incidents exhibit a degree of containment because of a defence-in-depth approach.
05 Incident response plans are altered to reflect “lessons learned”.

Action 51. Create a document called [Lessons Learned] and file it in the [Respond] section of the cyber security protocol. Following an incident, update this document with information about new understanding or practices your organisation has gained after an incident response.

06 Evidence can be captured in a way that preserves the integrity of the storage media and the evidence.

5. Recover

This function enables the organisation to be resilient and to restore itself after an incident occurs. The recover function is largely reliant on a sound disaster recovery and business continuity plan. It is implemented by completing the following tasks:

01 A DRP exists and is tested regularly. See Annex I: Resources for IT DR/BC Planning.
02 A BCP exists and is tested regularly. See Annex I: Resources for IT DR/BC Planning.
03 A public relations person is appointed and knows what to do in the case of a cyber security incident or emergency.

Action 52. Add the name of the public relations spokesperson to your [Roles and Responsibilities] document in the [Respond] section of the cyber security protocol.

04 Recovery activities are communicated to key stakeholders (citizens, customers, partners, staff, managers, executives).
05 Off-site storage media is accessible, access to it is tested regularly, and the results of those tests are recorded.

Action 53. Add a log document called the [Media Test Log] to the [Recover] section of your cyber security protocol. In this document record the date of your backup media test and the result. Aim to streamline the recovery of resources to meet minimum tolerable times to recovery. Initially, test your capability often and early until the process can be executed efficiently. Time your process for recovery from the time you announce a simulated incident until the time you have full access to the recovered resource. Remember, a resource can be data, systems, assets, or capabilities.


Annexes


Annex A: The Three States of Digital Data

The targets of cyber-attacks are resources: data, systems, assets, and capabilities. It is important to view data over a lifespan in which it can be in one of three states: ‘at rest’, ‘in motion’, or ‘in use’. When planning cyber security protections, consider all three states in order to provide complete protection. Doing so is a good practice.

[Figure 9: “Lifespan of Resources”, a diagram showing data ‘in motion’ between a client and a server, with data ‘in use’ and data ‘at rest’ at either end.]

Figure 9: Think of resources, like data, as being in either one of three states over their lifespan: ‘at rest’, ‘in motion’, or ‘in use’.

Resources ‘at rest’ include:
1 Data representing application installation images, either stored on file servers or downloaded from the Internet from a supplier portal.
2 Data on portable and removable media, like USB flash drives, CD or DVD media, or portable solid-state and hard disk drives.
3 Data on mobile phones, tablets, personal computers, and printers.
4 Data stored on network-attached storage devices and storage area networks.
5 Data stored on backup and disaster recovery media.
6 Data stored “in the cloud” or in applications that run locally on your computers but store some or all of the application data “in the cloud” (hybrid-cloud).
7 Data stored in local and remote server caches, content distribution networks, and cloud storage providers like Dropbox and Google Drive.
8 Assets stored in an unsupervised location before being configured and installed on the network.
9 Assets sitting unattended on an IT employee’s desk during configuration and installation.
10 Capabilities residing in a single person, e.g. the domain system administrator account password, or a senior manager responsible for approving expenditure who is unavailable at a critical time.

Resources ‘in motion’ include:
1 Computing equipment transported to the premises from a supplier’s warehouse.
2 Emailing configuration files and settings used to prepare the equipment for provisioning.
3 Website traffic returned to a browser over an HTTP connection instead of an HTTPS connection.
4 Using free public wi-fi hotspots and entering passwords into websites.
5 Removal and disposal of storage media.
6 Removal and disposal of equipment at the end of its life.

Resources ‘in use’ include:
1 Full memory encryption or the use of memory “enclaves” is in place.
2 Guaranteed memory isolation between applications is in place.
3 CPU-based key storage can protect against a cold boot attack on memory that aims to locate encryption keys in memory.


Annex B: The Triad of Security Services

At the core of any cyber security protocol is the Confidentiality-Integrity-Availability (CIA) triad, a model to guide policies and implementation for information security within an organisation. Safeguards around resources should always be considered in terms of one or more of the security services. It is a good practice to do so.

Confidentiality

Confidentiality can be thought of as the privacy of information. Measures taken on this dimension are designed to prevent information from falling into the wrong hands while making sure the intended people continue to have access to it. When we speak of confidentiality, we often mean the use of encryption and obfuscation.

Integrity

Integrity of information requires the consistency, accuracy and trustworthiness of information to be maintained. Tools that can be used to ensure integrity include file and folder permissions, access control lists (ACL), cryptographic checksums, message authentication codes, and hash digests. Data integrity is maintained when data is attributable, legible, contemporaneous, original, and accurate (ALCOA). Attributable means that it should be clear who created the data and, ideally, a chain of provenance of the data should also be knowable. Legible means that it should be in a readable state when needed. Contemporaneous means that events involving the resource should be known at the correct date and time. Original means that the form of the data when it was created should be preserved and knowable. Accurate means that data is correct, truthful, complete, valid, and reliable.

Availability

Availability of information depends on the right people having access to the right information at the right time. To ensure availability of information, systems need to be up and running, bandwidth needs to be sufficient, backup copies of the information might be needed, and failover and backup systems need to be in place to handle outages of the main systems.


Annex C: What is a Resource?

In the context of cyber security, resources are thought of as one of the following:

Data

Data is defined as all electronically stored and transmitted information and meta-data. An example of data might be the data stored in a database for the organisation’s accounting system (i.e. enterprise resource planning (ERP) application).

Systems

Systems are defined as the computing and connectivity components, or the ICT infrastructure. Systems can be broken down into three sub-systems: access devices, like personal computers, mobile phones, tablets, virtual machines, and thin clients; distribution infrastructure components, like logical and physical cabling, switches, wireless access points, multiplexers, routers, firewalls, and intrusion detection/prevention systems; and core services, more specifically file servers, print servers, backup equipment, identity and access management servers, storage servers, security appliances, and surveillance systems.

Assets

Assets are defined as the physical containers, buildings, compounds, and facilities that house and support the ICT infrastructure. Examples of “assets” would include heating-ventilation-air conditioning (HVAC) systems, fire detection and suppression systems, compound and building access control systems, access blocking and lockdown equipment, vehicular entry and egress systems, fences, cable protection and support infrastructure, business continuity energy sources, lighting, magnetic shielding and EMR detection systems, and waste heat and cooling management systems.

Capabilities

We define capabilities as the availability and ability of the human resources to apply their skills and methods for the operation and maintenance of the cyber security protocol of the organisation. An example of a cyber security capability is access to key personnel.


Annex D: Definition of Terms

The use of precise language in cyber security is of the utmost importance to avoid miscommunication amongst stakeholders. The following terms are defined so that the prescriptions and descriptions in this handbook are clear and can be acted on with greater certainty about what will result from the actions.

Access Control (Attribute-based): This method is used to manage access to resources based on a structured policy consisting of attributes and conditions. The attributes used in the policy can be a combination of those pertaining to the user, to the object for which access is requested, or to the environment (e.g. time of day).

Access Control (Discretionary): This method is used to manage access to resources on the basis of who someone is or which group within an organisation they belong to. This method is typically used for ad-hoc access control as it largely relies on the discretion of the system administrator.

Access Control (Identity-based): This method is used to manage access to resources by looking up the identity requesting permission in a matrix that relates the permissions of users to the resources for which access is controlled.

Access Control (Role-based): This method is used to manage access to resources based on an organisational role defined in the access control system. Users are assigned to one or more roles, and access privileges are determined by looking up which roles a user belongs to and then determining what resources are available on the basis of that role membership.

Advanced Persistent Threat: “Advanced Persistent Threat (APT) is a term coined over the past couple of years for a new breed of insidious threats that use multiple attack techniques and vectors and that are conducted by stealth to avoid detection so that hackers can retain control over target systems unnoticed for long periods of time.” (Tankard 2011)

Authentication: The method to correctly associate a proof of identity stored in a system with a claim of identity provided in response to a challenge. For example, when someone is prompted to log in to a system and given a username and password entry window to complete, the window represents the ‘challenge’ by the system: who are you? The user’s response is the nomination of an identity (i.e. entering their user name) and providing a

Bot: Bots are simply software that runs an automated task over the Internet. It is short for ‘robot’ or ‘software robot’. Bots were first used in “web spidering” or ‘web crawling’, which is what Google does to index the web pages on the Internet.

Botnet: Botnets are groups of bots running on different devices. Botnets are best known for deploying distributed denial of service attacks. The word comes from ‘robot’ and ‘network’. Botnets can be rented out by criminal groups as commodity hacking tools.

Brute Force Attack: This type of attack involves trial and error using automated software. The most common form of brute force attack is to crack passwords by guessing a password and then modifying it by one character and trying again, repeating the process until the password is guessed. For long passwords (about 8 or more characters), this process fast becomes infeasible. In some systems, even short passwords are difficult to crack with this method because a thwarting mechanism is in place whereby the time between a challenge (asking for the password) and the response (supplying the password) is exponentially delayed after each incorrect response (password guess).

Challenge/Response: The process of asking an individual to prove who they are by authenticating. The challenge is the request to authenticate. The response is the provision of credentials for checking and meeting the challenge.

Choke Point: A single point of entry and/or exit from a room or space, where the flow of people is more spatially concentrated, creates a ‘choke point’. Choke points are used to limit movement and slow down the flow of people to enhance control at that point. A well-known example of a choke point is the aisles made to funnel international travellers to interview with an immigration or customs officer.

DDoS: A distributed denial of service is a form of attack where the resources of a system are overwhelmed by network traffic from many hosts. With no one host responsible for the influx of network traffic sent to the target system, it is difficult to pinpoint which traffic to block to prevent the target system from being overwhelmed and crashing.
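The thwarting mechanism described under Brute Force Attack (an exponentially growing delay after each wrong response) and the challenge/response exchange defined above can be shown together in code. This is an added example, not the handbook’s or any product’s code: the gate stores salted PBKDF2 password hashes, refuses to even evaluate a response that arrives before the current delay has elapsed, and doubles that delay on every consecutive failure up to a cap. The account names, the one-second base delay and the one-hour cap are assumptions; time is passed in as a parameter so the example runs instantly.

```python
"""Exponential back-off after failed challenge/response attempts (added example).

Each wrong answer for an account doubles the wait before the next response is
accepted. Time is injected as a parameter so the example runs instantly; a real
deployment would use the system clock. Credentials here are constructed and
passwords are stored as salted PBKDF2 hashes, never in the clear.
"""
import hashlib
import hmac
import os

BASE_DELAY = 1.0      # seconds after the first failure (assumption)
MAX_DELAY = 3600.0    # cap so the penalty cannot grow without bound (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def delay_after(failures: int) -> float:
    """Delay imposed after `failures` consecutive wrong responses: 0, 1, 2, 4, 8, ... capped."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


class AuthGate:
    def __init__(self):
        self._users = {}                 # username -> (salt, pbkdf2 hash)
        self._state = {}                 # username -> (consecutive failures, time of last failure)
        self._dummy_salt = os.urandom(16)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def attempt(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'fail' or 'wait'. 'wait' means the response was not even evaluated."""
        failures, last = self._state.get(username, (0, 0.0))
        if now - last < delay_after(failures):
            return "wait"
        record = self._users.get(username)
        salt = record[0] if record else self._dummy_salt
        # Always compute the hash so an unknown name costs the same time as a wrong password.
        candidate = hash_password(password, salt)
        if record is not None and hmac.compare_digest(record[1], candidate):
            self._state.pop(username, None)   # success resets the penalty
            return "ok"
        self._state[username] = (failures + 1, now)
        return "fail"


def seconds_to_exhaust(guesses: int) -> float:
    """Total waiting time imposed on `guesses` consecutive wrong responses for one account."""
    return sum(delay_after(n) for n in range(guesses))


if __name__ == "__main__":
    gate = AuthGate()
    gate.add_user("alice", "correct horse")   # constructed credentials
    print(gate.attempt("alice", "wrong", 0.0), gate.attempt("alice", "correct horse", 0.5))
    print("wait for 14 wrong guesses:", seconds_to_exhaust(14), "seconds")
```

seconds_to_exhaust makes the definition’s claim measurable: with these settings, fourteen consecutive wrong responses for one account already cost over two hours of enforced waiting, and every further guess costs the full one-hour cap, which is why a short secret becomes impractical to guess online even though the same secret would fall quickly to an offline attack. The state is kept per account, so the delay also needs a complementary per-source control to be effective against attempts spread across many accounts.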


Digest: A file or message digest is the result of a one-way or “trapdoor” cryptographic hash function operating on the binary representation of the contents of a file. One-way means that it is easy to produce the digest from the file, but impossible to know the file from the digest. The digest or hash is a fixed-length output, regardless of the size of the file on which the cryptographic hash function operates. Examples of well-known hash functions used for creating file or message digests are MD5, SHA-1, SHA-2, and SHA-3. MD5 and SHA-1 are considered broken, so for the best security use the SHA-2 or SHA-3 algorithms.

DMZ: A demilitarised zone, also referred to as a perimeter network, is a physical or logical subnet that contains and makes available to the outside world an organisation’s outside-facing network services, for example the organisation’s web and email servers. The DMZ is a layer used to implement a defence-in-depth principle. A DMZ is used to introduce an additional network in between the public Internet and the organisation’s internal local area network.

Hacker: A person who uses computers to gain unauthorised access to data, systems, assets, or capabilities.

Identity Claims: Identity claims are assertions made by a natural or legal person about identity attributes which have not yet been proven by an identity proofing event.

Identity Proofs: Identity proofs represent information vetted and attested to, then recorded against an identity record.

Keyboard Logger: Keyboard loggers are also known as key loggers, spyware, or ‘monitoring software’, and are software that records each keystroke of a computer and stores it, either locally on the device or by sending it remotely via a network connection.

Macro Virus: Macro viruses are malware written in a language that is normally used to automate the functions of an application. The best-known macro viruses are written for the Microsoft Office applications.

Malware: Malware is short for ‘malicious software’ and is a general term for all types of software that is hostile or intrusive. Examples of malware include worms, viruses, Trojans, ransomware, spyware, adware, and scareware.

MitM: A Man-in-the-Middle attack is an attack where network traffic is intercepted, altered, or eavesdropped upon as it is “in transit”. An example of an MitM attack is when traffic is captured from an unencrypted wireless connection in an airport.

OSI Reference Model: The Open Systems Interconnection (OSI) reference model is a conceptual model that explains how computer systems communicate with each other based on message passing up and down through seven functional layers. The model was adopted as an international standard by the International Standards Organisation (ISO) in 1984 as ISO 7498 and is often used to describe and understand what network traffic a security tool can view. Read more here: https://en.wikipedia.org/wiki/OSI_model

Online source: https://community.fs.com/blog/tcpip-vs-osi-whats-the-difference-between-the-two- models.html , accessed: May 24 2018 @ 11:34 am.


Patching: The process of applying updates and upgrades to software so that it is at the latest version published by the vendor. Patching removes known vulnerabilities (see Vulnerabilities) before attackers can exploit them.

Phishing: An attempt to obtain confidential or privileged information for malicious purposes by impersonating a trustworthy source using electronic communication. The term is a homophone of 'fishing' (the 'ph' spelling follows the hacker convention also seen in 'phreaking'), because the electronic message can be likened to the 'bait' laid out to catch a victim. Phishing is an example of the broader category of cyber-attack known as 'social engineering'. Online source: https://wikivividly.com/wiki/Spear-phishing, accessed: May 29 2018 @ 9:24 am.

Points of Presence: A point of demarcation between two networks; for example, the point where an ISP's network terminates and the customer's network begins.

Ransomware: Malware that prevents access to a target resource until the victim takes a demanded action, usually the payment of a sum of money. Paying does not guarantee that access is restored; tested, offline backups are the primary defence.

"Red Team": "A red team is an inside group that explicitly challenges a company's strategy, products, and preconceived notions. It frames a problem from the perspective of an adversary or sceptic, to find gaps in plans, and to avoid blunders." Online source: http://lexicon.ft.com/term?term=red-team, accessed: May 29 2018 @ 9:22 am.

Resources: Throughout this handbook, we refer to 'resources'. Resources are the targets of attackers. The resources of an organisation are its data, systems, assets, and capabilities.

Risks: The Institute of Risk Management defines cyber risk as "financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems." (IRM 2018). Not every cyber risk is relevant to every organisation. Which risks the organisation's cyber security defences can and should mitigate (relevance) should be assessed and documented in the organisation's cyber security policy. Each risk should be qualified and quantified in terms of the probability that it will materialise (likelihood) and the financial and/or non-financial cost to the organisation if it did (impact).

Scareware: Malware designed to frighten a user into buying and downloading unnecessary and potentially dangerous software, such as fake antivirus protection.

Screen Scraper: Screen scraping is the process of collecting screen display data (images) from one application and translating the image into characters so that another application can use the information. This is normally done to capture data from a legacy application and present it through a more modern user interface, but the same technique is used by malware to record what a user sees. The related physical threat is visual surveillance of a screen by a bystander ('shoulder surfing'); polarised privacy filters reduce that risk, but they do nothing against software capture, which has to be addressed by endpoint controls.

'Script Kiddies': A term for attackers who largely use pre-existing scripts and code snippets to launch cyber-attacks, rather than custom code and bespoke attacks.

Security Perimeter: A controlled and managed, logical or physical, boundary between two layers of an overall network of computers. A security perimeter may be logical, like the boundary implemented by a network router and firewall between a private, locally managed network and the public network managed by the Internet service provider. A perimeter may also be physical, like the cabinet enclosing a rack of servers or the encasement of cable lengths suspended from a ceiling. Establishing security perimeters is part of a good defence-in-depth strategy.

Spear-phishing: The fraudulent practice of sending emails that appear to come from a known or trusted sender in order to bait targeted individuals into revealing confidential information. See Phishing, the untargeted version of this attack. Countering it involves educating users in the organisation to look for the tell-tale signs of a phishing attempt, such as a sender address that does not match the display name, a look-alike domain, a Reply-To address that differs from the sender, and pressure to act urgently.

Spoofing: In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage. A typical spoofing attack is a web site pretending to be the legitimate site of a well-known online property and then requesting information from visitors, who tend to hand over information asked for by a well-known or trusted Internet service.

Spyware: Software that aims to gather information about the computer user without their permission and/or knowledge. Spyware falls into four categories: adware, system monitors, tracking cookies, and Trojans.

Stateful Packet Inspection: A capability of certain firewalls and network monitoring tools to track the state of a connection (for example, the TCP handshake that opens a conversation between two computers) and to judge each packet in the context of that conversation, rather than in isolation as a stateless packet filter does. If one thinks of computer communications as analogous to a human conversation, then individual packets correspond to the letters and syllables uttered, and the conversation as a whole corresponds to the sentences exchanged. A stateless filter checks each syllable on its own; a stateful filter remembers who started the conversation and what has been said so far, so an inbound packet is accepted only if it belongs to a conversation that an inside host began. For example, when an email is sent, the computer systems break the message into packets (eventually into voltages on a wire or light pulses in an optical fibre). Packet filtering, stateless or stateful, works on the addresses, ports and flags carried in those packets at the network and transport layers (layers 3 and 4 of the OSI reference model). Examining the content of the email itself, at the presentation and application layers (layers 6 and 7), is a separate capability known as deep packet inspection or application-layer filtering. See also OSI Reference Model in this table.

Threats: A threat is a potential cause of an unwanted incident that could harm electronic data or organisational assets. An often-used taxonomy distinguishes three types of threat: natural, unintentional, and intentional. Natural threats correspond to potential harm caused by forces of nature (e.g. a cyclone). Unintentional threats refer to potential harm caused by accidental actions (e.g. an employee accidentally deleting a file). Intentional threats refer to potential harm caused by the wilful actions of a person seeking to damage data, systems, and/or the organisation.

Trojan: Malware disguised as, or hidden inside, apparently legitimate software so that the user installs it willingly. Unlike a virus or worm, a Trojan does not replicate itself; once run it typically opens a backdoor, steals credentials, or downloads further malware. See also Virus and Worm.

Vector: An attack vector is the path by which an attack is researched, delivered, breaches a defence, and affects an organisation's resources; for example, a phishing email carrying a malicious attachment.

Virus: A piece of unwanted software that replicates itself by attaching to other programs or files and has a negative impact on a computer system or body of electronic data.

Vulnerabilities: A weakness of a resource, whether already known or not yet discovered, that has the potential to be exploited by an attack. A vulnerability is an opportunity for an attack to be successful.

Wardriving: The act of searching for Wi-Fi wireless networks by a person, usually in a moving vehicle, using a laptop or smartphone. Software for wardriving is freely available on the Internet.

Water-holing: A water-holing or watering hole attack is one in which an attacker identifies a group of users who frequent a specific website and then implants malware on that website to infect visitors from the group.

Worm: Self-replicating malware that spreads across a network on its own, without needing to attach itself to another program or wait for a user to run it. See also Virus.
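The Phishing, Spear-phishing and Spoofing entries above list the tell-tale signs users are taught to look for. The following is an added example, not code from the handbook, of a small checker that applies those signs mechanically to a raw email: it flags a sender domain that imitates a trusted one, a display name that claims a trusted brand the address does not carry, a Reply-To domain that differs from the From domain, links whose host imitates a trusted domain, and urgency wording. The trusted domain list, the look-alike character table and both sample messages are constructed for this example.

```python
"""Added example, not from the handbook: flags the tell-tale signs of a
phishing or spear-phishing message described in the glossary.  The trusted
domains, the look-alike table and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"examplebank.ws", "mcit.gov.ws"}   # assumed allow-list of genuine senders

# Characters commonly substituted when registering a look-alike domain.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account will be (suspended|closed))\b", re.I)


def skeleton(domain: str) -> str:
    """Fold look-alike characters: 'examp1ebank.ws' -> 'examplebank.ws'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if `domain` is trusted
    itself or unrelated to every trusted domain (a coarse heuristic)."""
    if domain in TRUSTED_DOMAINS:
        return None
    sk = skeleton(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if sk == trusted or brand in sk:
            return trusted
    return None


def address_domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_signs(raw_message: str) -> List[str]:
    """Return human-readable warning signs found in an RFC 5322 message."""
    msg = message_from_string(raw_message)
    signs: List[str] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        signs.append(f"sender domain '{from_domain}' imitates '{imitated}'")

    # Display name claims a trusted brand that the real address does not carry.
    squashed = display_name.lower().replace(" ", "")
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in squashed and from_domain != trusted:
            signs.append(f"display name '{display_name}' does not match sender domain '{from_domain}'")

    reply_domain = address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        signs.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # Single-part text bodies only; attachments and HTML parts are out of scope here.
    body = msg.get_payload(decode=True).decode(errors="replace") if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([^/\s>\"']+)", body):
        imitated = lookalike_of(host.lower())
        if imitated:
            signs.append(f"link host '{host}' imitates '{imitated}'")
    if URGENCY.search(body):
        signs.append("pressure to act urgently in the body text")
    return signs


# Constructed sample: a spear-phishing message aimed at MCIT staff.
PHISH = """From: Example Bank Security <alerts@examp1ebank-secure.com>
Reply-To: recovery@mail-relay.example.net
To: staff@mcit.gov.ws
Subject: Urgent: verify your account

Your account will be suspended within 24 hours unless you confirm at
http://examplebank.ws.login-check.example.net/verify
"""

# Constructed sample: a genuine internal notice.
LEGIT = """From: MCIT Helpdesk <helpdesk@mcit.gov.ws>
To: staff@mcit.gov.ws
Subject: Monthly patching window

Servers will be patched on Saturday. Details: https://mcit.gov.ws/patching
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_signs(raw) or ["no warning signs"])
```

The look-alike check is deliberately coarse (a trusted brand name appearing anywhere in a host is treated as imitation), which is the right bias for a user-facing warning but would need a proper allow-list before being used to block mail.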
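To make the Stateful Packet Inspection entry concrete, the following is an added example, not code from the handbook, that runs the same constructed packet trace through a toy stateless filter and a toy stateful filter. The private network prefix, the addresses and the packets are assumptions of this example; it reads no real traffic. The stateless filter must accept any inbound packet whose source port looks like a web server in order to let replies through, so an attacker who sets that source port walks in; the stateful filter accepts an inbound packet only if it matches a conversation that an inside host started.

```python
"""Added example, not from the handbook: a stateless and a stateful packet
filter side by side.  The network prefix and packet trace are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_PREFIX = "10.0.0."          # assumed address range of the private network


@dataclass(frozen=True)
class Packet:
    """Only the layer 3/4 header fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                     # TCP flags, e.g. "S" (SYN), "SA", "A", "FA", "R"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def is_outbound(p: Packet) -> bool:
    return is_inside(p.src) and not is_inside(p.dst)


class StatelessFilter:
    """Judges every packet on its own header fields.  To let replies to web
    requests back in, it has to accept any inbound packet with source port
    80 or 443, a field the remote side chooses freely."""

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            return True
        return p.sport in (80, 443)


class StatefulFilter:
    """Remembers conversations that an inside host started.  An inbound
    packet is accepted only if it matches an entry in the state table."""

    def __init__(self) -> None:
        # (inside ip, inside port, outside ip, outside port) -> connection state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                       # new connection attempt
                self.table[key] = "SYN_SENT"
                return True
            known = key in self.table
            if known and ("F" in p.flags or "R" in p.flags):
                del self.table[key]                  # conversation is over
            return known
        key = (p.dst, p.dport, p.src, p.sport)       # reverse tuple for replies
        state = self.table.get(key)
        if state is None:
            return False                             # unsolicited: drop
        if state == "SYN_SENT" and p.flags == "SA":
            self.table[key] = "ESTABLISHED"
        if "F" in p.flags or "R" in p.flags:
            del self.table[key]
        return True


def run(filt, packets: List[Packet]) -> List[bool]:
    """Apply a filter to a packet sequence in order and collect the verdicts."""
    return [filt.allow(p) for p in packets]


# Constructed trace: a legitimate HTTPS connection from an inside host,
# then two inbound packets a stateless filter cannot tell apart from replies.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 443, "S"),    # 1 SYN out
    Packet("93.184.216.34", 443, "10.0.0.5", 40000, "SA"),   # 2 SYN/ACK back
    Packet("10.0.0.5", 40000, "93.184.216.34", 443, "A"),    # 3 ACK out
    Packet("198.51.100.7", 443, "10.0.0.5", 22, "S"),        # 4 probe of SSH from source port 443
    Packet("198.51.100.7", 443, "10.0.0.5", 40000, "A"),     # 5 forged 'reply' from the wrong peer
]


def compare() -> Dict[str, List[bool]]:
    """Verdicts of both filters for SAMPLE_TRACE, keyed by filter name."""
    return {"stateless": run(StatelessFilter(), SAMPLE_TRACE),
            "stateful": run(StatefulFilter(), SAMPLE_TRACE)}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, ["allow" if v else "drop" for v in verdicts])
```

Packets 4 and 5 are the point of the comparison: the stateless filter allows both because their source port is 443, while the stateful filter drops both because neither matches a conversation in its table. Real stateful firewalls also track sequence numbers and time out idle entries; the toy omits that.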


Annex E: Threat Taxonomy

The taxonomy is organised by threat category; each bullet is a threat, followed (after the colon) by the threat details listed for it.

Threat category: Physical attack (deliberate / intentional)
• Fraud: fraud by employees.
• Sabotage.
• Vandalism.
• Theft (devices, storage media and documents): theft of mobile devices (smartphones / tablets); theft of fixed hardware; theft of documents; theft of backup media.
• Information leakage / sharing.
• Unauthorised physical access / unauthorised entry to premises.
• Coercion, extortion or corruption.
• Damage from warfare.
• Terrorist attack.

Threat category: Unintentional damage / loss of information or IT assets
• Information leakage / sharing due to human error: accidental leaks / sharing of data by employees; leaks of data via mobile applications; leaks of data via web applications; leaks of information transferred over a network.
• Erroneous use or administration of devices and systems: loss of information due to maintenance errors / operator errors; loss of information due to configuration / installation errors; increased recovery time; loss of information due to user errors.
• Using information from an unreliable source.
• Unintentional change of data in an information system.
• Inadequate design and planning, or improper adaptation.
• Damage caused by a third party: security failure by a third party.
• Damage resulting from penetration testing.
• Loss of information in the cloud.
• Loss of (integrity of) sensitive information: loss of integrity of digital certificates.
• Loss of devices, storage media and documents: loss of devices / mobile devices; loss of storage media; loss of documentation about the ICT infrastructure.
• Destruction of records.
• Infection of removable media.
• Abuse of storage platform.

Threat category: Disaster (natural, environmental)
• Natural disaster: earthquakes, floods, landslides, tsunamis, heavy rain, heavy snowfall, heavy winds.
• Fire.
• Pollution, dust, corrosion.
• Lightning strike.
• Water.
• Explosion.
• Dangerous radiation leak.
• Unfavourable climatic conditions: loss of data or accessibility of IT infrastructure due to humidity; loss of data or accessibility of IT infrastructure due to temperature.
• Major events in the environment.
• Threats from space / electromagnetic storm.
• Wildlife.

Threat category: Failures / malfunction
• Failure of devices or systems: failure of defective data media; hardware failure; failure of applications and services; failure of parts of devices (connectors, plug-ins).
• Failure or disruption of communication links (communication networks): failure of cable networks; failure of wireless networks; failure of mobile networks.
• Failure or disruption of main supply: failure or disruption of the power supply; failure of ventilation or cooling infrastructure.
• Failure or disruption of service providers (supply chain).
• Malfunction of equipment (devices or systems).

Threat category: Outages
• Loss of resources: loss of electricity; cooling outages.
• Absence of personnel.
• Strike.
• Loss of support services.
• Internet outage.
• Network outage: outage of cable networks; outage of wireless networks; outage of mobile networks.

Threat category: Eavesdropping / interception / hijacking
• Wardriving.
• Intercepting compromising emissions.
• Interception of information: corporate espionage; nation-state espionage; information leakage due to unsecured Wi-Fi and/or rogue access points.
• Interfering radiation.
• Replay of messages.
• Network reconnaissance, network traffic manipulation and information gathering.
• Man in the middle / session hijacking.

Threat category: Nefarious activity / abuse
• Identity theft (identity fraud / account takeover): credential-stealing trojans.
• Receipt of unsolicited e-mail: spam; unsolicited infected e-mails.
• Denial of service: distributed denial of network service (DDoS) (network-layer attack, e.g. protocol exploitation / malformed packets such as ping of death and WinNuke / flooding / spoofing); distributed denial of application service (DDoS) (application-layer attack, e.g. XDoS / HTTP floods); distributed DoS (DDoS) against both network and application services (amplification / reflection methods, e.g. NTP / DNS / … / BitTorrent).
• Malicious code / software / activity: abuse of resources; search engine poisoning; exploitation of misplaced trust in social media; worms / trojans; rootkits; mobile malware; infected trusted mobile applications; elevation of privileges; web application attacks / injection attacks (code injection: SQL, XSS); spyware or deceptive adware; viruses; rogue security software / rogueware / scareware; exploits / exploit kits.
• Social engineering: phishing attacks; spear phishing attacks.
• Abuse of information leakage: leakage affecting mobile privacy and mobile applications; leakage affecting web privacy and web applications; leakage affecting network traffic; leakage affecting cloud computing.
• Generation and use of rogue certificates: loss of (integrity of) sensitive information; man in the middle / session hijacking; social engineering / signed malware (e.g. fake 'trusted' OS updates that install signed malware); fake SSL certificates.
• Manipulation of hardware and software: anonymous proxies; abuse of the computing power of the cloud to launch attacks (cybercrime as a service); abuse of vulnerabilities, including zero-day vulnerabilities; access to web sites through chains of HTTP proxies (obfuscation); access to device software; alteration of software; rogue hardware.
• Manipulation of information: repudiation of actions; address space hijacking (IP prefixes) / address space manipulation; routing table manipulation; DNS poisoning / DNS spoofing / DNS manipulation; falsification of records; falsification of configurations.
• Misuse of audit tools.
• Misuse of information / information systems (including mobile apps).
• Unauthorised activities: unauthorised use or administration of devices and systems; unauthorised use of software.
• Unauthorised access to information systems / networks (IPMI protocol / DNS register hijacking): network intrusion.
• Unauthorised changes of records.
• Unauthorised installation of software.
• Web-based attacks (drive-by download / malicious URLs / browser-based attacks).
• Compromising confidential information (data breaches).
• Hoax: false rumour and/or a fake warning.
• Remote activity (execution): remote command execution; remote access tool (RAT); botnets / remote activity.
• Targeted attacks (APTs etc.): mobile malware; spear phishing attacks; installation of sophisticated and targeted malware; watering hole attacks.
• Failure of business process.
• Brute force.
• Abuse of authorisations.

Threat category: Legal
• Violation of laws or regulations / breach of legislation.
• Failure to meet contractual requirements: failure to meet contractual requirements by a third party.
• Unauthorised use of intellectual-property-protected resources: illegal usage of file sharing services.
• Abuse of personal data.
• Judiciary decisions / court orders.

Annex F: Tools and Toolsets

The following is a list, current when this handbook was written, of cyber security tools and toolsets that can be used either to breach protections or to test that protections are effective. Most of them are dual-use: run the offensive ones only against systems you own or have written authorisation to test.

Intrusion Detection Systems: Honeyd, OSSEC HIDS, OSSIM, Sguil, and Snort.

Multi-purpose Tools: Core Impact, cURL, EtherApe, Ettercap, Firebug, inSSIDer, KisMAC, Kismet, Metasploit Framework, Netcat, Netsparker, NetStumbler, Ngrep, Ntop, p0f, Paros Proxy, ratproxy, and USBee (air-gap exfiltration research tool).

Packet Crafting Tools: Hping, Scapy, Socat, Wireshark, and Yersinia.

Packet Sniffers: Cain and Abel, dsniff, and NetworkMiner.

Password Crackers: Aircrack-ng, Crowbar, John the Ripper, L0phtCrack, Medusa, ophcrack, RainbowCrack, SolarWinds, THC Hydra, and Wfuzz.

Port Scanners: Nmap, Angry IP Scanner, NetScanTools, and Unicornscan.

Cyber Security Linux Distributions: Kali Linux, BackBox, DEFT, Fedora Security Spin, BlackArch, Pentoo, Cyborg Linux, Weakerth4n, Samurai Web Testing Framework, CAINE, Bugtraq, KNOPPIX, Matrix, NodeZero, Parrot Security OS, and ArchAssault.

Rootkit Detectors and Integrity Checkers: Advanced Intrusion Detection Environment (AIDE), DumpSec, HijackThis, Sysinternals, and Tripwire.

Traffic Monitoring Tools: Argus, Nagios, and Splunk.

Vulnerability Exploitation Tools: BeEF, Core Impact, Dradis, Metasploit, Netsparker, Social-Engineer Toolkit (SET), sqlmap, sqlninja, and w3af.

Encryption and Obfuscation: VeraCrypt (Windows/macOS/Linux), AxCrypt (Windows), BitLocker (Windows), GNU Privacy Guard (GPG) (Windows/macOS/Linux), 7-Zip (Windows/macOS/Linux), DiskCryptor (Windows), HTTPS Everywhere (browser extension), Secure Shell (SSH) (network protocol), PuTTY (Windows/macOS).

Data Integrity: FCIV (Windows); shasum, md5 and the OpenSSL hmac/rsa functions (macOS); Adobe Acrobat (signed PDFs); ItsDangerous (Python library for signed tokens).

Password Managers: StickyPassword, Keeper Security, Password Boss, LogMeOnce, Zoho Vault, LastPass, RoboForm, Intel True Key, CyberArk Enterprise Password Vault, Pleasant Password Server, Mateso.

Phishing Simulators: SecurityIQ PhishSim, GoPhish, LUCY, sptoolkit (Simple Phishing Toolkit), Phishing Frenzy, King Phisher, SpeedPhish Framework (SPF).

Annex G: Sample Cyber Security Protocol

As you have worked through this handbook, actions have been recommended. Most of these actions result in the production of documents which together comprise the cyber security protocol for your organisation. The table below lists the sections and documents that your cyber security protocol should contain, if you followed through with the actions listed:

Section: Documents
Overview: Governing Instruments; Threat Assessment.
Identify: Resources; Data Classifications; External Dependencies; Resource Locations; Control Points; Application Inventory (with Configurations); Floorplan.
Protect: Policy: Access Control; Policy: Other; Communications Plan; Data Destruction; Human Resource Management; Data In Motion.
Detect: Internal Audit: Phishing.
Respond: Roles and Responsibilities; Lessons Learned.
Recover: DRP; BCP; Media Test Log.

Annex H: Microsoft Active Directory

For a primer on how the Microsoft Active Directory service can be used to protect and audit access to resources on your network, refer to the Paramount Defenses tutorial at: http://www.paramountdefenses.com/active-directory-security/model.html.

Annex I: Resources for IT DR/BC Planning

The development of a disaster recovery plan and a business continuity plan is outside the scope of this handbook. However, numerous reliable sources of guidance on how to develop these two important protocols for your organisation can be found on websites and in books.

ready.gov (Website)
• Refers to NIST standards and guidelines.
• Explains the use of vendor-supported recovery strategies.
• Explains the DRP as a part of a comprehensive BCP.
• Includes use of a Business Impact Analysis (BIA) to define recovery objectives.

csoonline.com (Website)
• Suggests use of DR as a service.
• Emphasis on "updating" the DR/BC plans.
• Emphasis on "priorities": not everything in your business needs to be saved.

techtarget.com (Website)
• Provides a comprehensive template document to guide first-time planners.
• Refers to NIST standards and guidelines.

isaca.org (Website)
• Provides helpful forums in which IT professionals discuss issues and considerations to make when DR/BC planning.

Definitive Handbook of Business Continuity Management, Third Edition, Andrew Hiles, FBCI, Editor (2011, John Wiley), ISBN 978-0-470-67014-9 (Book)
• Includes numerous case studies.
• Includes practical checklists.

Risk Management Approach to Business Continuity, Julia Graham, FBCI, and David Kaye, FBCI (2006, Rothstein Associates), ISBN 1-931332-36-3 (Book)
• Authors created the international and British standards for risk management.

Principles and Practices of Business Continuity: Tools and Techniques, Jim Burtles, FBCI (2007, Rothstein Associates), ISBN 1-931332-39-8 (Book)
• Comes with a CD-based toolkit with two dozen planning and assessment tools.

Disaster Recovery Testing: Exercising Your Contingency Plan, Philip Rothstein, FBCI, Editor (2007, Rothstein Associates), ISBN 0-9641648-0-9 (Book)
• Focuses on how to test your DR/BC plan.
• Written by DR/BC practitioners.

Business Continuity: Best Practices, Andrew Hiles, FBCI (2004, Rothstein Associates), ISBN 1-931332-22-3 (Book)
• Good for large organisations.

Business Continuity Planning: A Step-by-Step Guide with Planning Forms on CD-ROM, 3rd Edition, Kenneth Fulmer (2005, Rothstein Associates), ISBN 1-931332-21-5 (Book)
• Good for small- and medium-sized organisations.

Auditing Business Continuity: Global Best Practices, Rolf van Roessing, FBCI (2002, Rothstein), ISBN 1-931332-15-0 (Book)
• Focuses on the typical weaknesses of DR/BC plans.

Template for Comprehensive Business Continuity Management Program, 2nd Edition, Douglas Henderson (2008, Rothstein Associates), ISBN 1-931332-49-5 (Book)
• Contains numerous practical templates to guide the planning process.

Business Resumption Planning, 2nd Edition, Leo A. Wrobel (2008, Rothstein Associates), ISBN 9780849314599 (Book)
• Provides a roadmap for how to resume business following a disaster.

IT Disaster Recovery Planning for Dummies, Peter Gregory, CISA, CISSP (2008, For Dummies), ISBN 978-0-470-03973-1 (Book)
• Allows a planner to get a basic plan in place quickly.

Annex J: Examples of the CIS Controls, Measures, and Metrics

The Center for Internet Security (CIS) publishes and maintains a comprehensive list of cyber security controls that your organisation can use to protect resources. The list has been developed and refined by thousands of expert practitioners from around the world, based on real-world experience. Once resources have been identified in your organisation and the level of protection decided, controls can be selected from this list and applied. Each of the 171 sub-controls specifies a measure (a question answered as a percentage of non-compliance) and a set of levels that can be used to quantitatively assess how effective your controls are once implemented. A sample, the first five sub-controls, is included here. The 20 controls and 171 sub-controls can be downloaded from CIS (CIS 2018).

Every sub-control below is scored on the same six "Sigma" levels, each stated as the maximum percentage of non-compliance allowed for that level:
• Sigma Level One: 69% or less.
• Sigma Level Two: 31% or less.
• Sigma Level Three: 6.7% or less.
• Sigma Level Four: 0.62% or less.
• Sigma Level Five: 0.023% or less.
• Sigma Level Six: 0.00034% or less.

Sub-Control 1.1: Utilize an Active Discovery Tool
Description: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
Sensor: Active Device Discovery System.
Measure: What percentage of the organization's networks have not recently been scanned by an active asset discovery tool?

Sub-Control 1.2: Use a Passive Asset Discovery Tool
Description: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
Sensor: Passive Device Discovery System.
Measure: What percentage of the organization's networks are not being monitored by a passive asset discovery tool?

Sub-Control 1.3: Use DHCP Logging to Update Asset Inventory
Description: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
Sensor: Log Management System / SIEM.
Measure: What percentage of the organization's DHCP servers do not have logging enabled?

Sub-Control 1.4: Maintain Detailed Asset Inventory
Description: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
Sensor: Asset Inventory System.
Measure: What percentage of the organization's hardware assets are not presently included in the organization's asset inventory?

Sub-Control 1.5: Maintain Asset Inventory Information
Description: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
Sensor: Asset Inventory System.
Measure: What percentage of the organization's hardware assets as a whole are not documented in the organization's asset inventory with the appropriate network address, hardware address, machine name, data asset owner, and department for each asset?
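The following is an added example, not code from the handbook or from CIS, showing how the measures for sub-controls 1.4 and 1.5 can be computed from an asset inventory and the output of a discovery scan, and how the resulting percentage maps onto the Sigma levels in the table above. The inventory records and the scan result are constructed for the example, and it assumes that assets are matched by hardware (MAC) address; a real implementation would read the inventory system and the discovery tool's export instead.

```python
"""Added example, not from the handbook or CIS: computes the measures for
sub-controls 1.4 and 1.5 and maps them to Sigma levels.  The inventory and
scan data are constructed; assets are matched on MAC address (an assumption)."""
from typing import Dict, Iterable, List

# (Sigma level, maximum percentage of non-compliance for that level) from the table above.
SIGMA_LEVELS = [(1, 69.0), (2, 31.0), (3, 6.7), (4, 0.62), (5, 0.023), (6, 0.00034)]

# Attributes sub-control 1.5 requires the inventory to record for every asset.
REQUIRED_FIELDS = ("ip", "mac", "hostname", "owner", "department")


def sigma_level(percent_noncompliant: float) -> int:
    """Highest Sigma level whose threshold the measure meets; 0 if worse than level one."""
    level = 0
    for lvl, limit in SIGMA_LEVELS:
        if percent_noncompliant <= limit:
            level = lvl
    return level


def measure_1_4(inventory: List[Dict[str, str]], discovered_macs: Iterable[str]) -> float:
    """Sub-control 1.4: percentage of hardware assets seen on the network
    that are not present in the inventory."""
    known = {a["mac"].lower() for a in inventory}
    seen = {m.lower() for m in discovered_macs}
    if not seen:
        return 0.0
    return 100.0 * len(seen - known) / len(seen)


def measure_1_5(inventory: List[Dict[str, str]]) -> float:
    """Sub-control 1.5: percentage of inventoried assets missing any required attribute."""
    if not inventory:
        return 0.0
    incomplete = [a for a in inventory if any(not a.get(f) for f in REQUIRED_FIELDS)]
    return 100.0 * len(incomplete) / len(inventory)


def assess(inventory: List[Dict[str, str]], discovered_macs: Iterable[str]) -> Dict[str, Dict[str, float]]:
    """Measure and Sigma level for sub-controls 1.4 and 1.5."""
    m14 = measure_1_4(inventory, discovered_macs)
    m15 = measure_1_5(inventory)
    return {"1.4": {"measure": m14, "sigma": sigma_level(m14)},
            "1.5": {"measure": m15, "sigma": sigma_level(m15)}}


def make_asset(i: int, **fields: str) -> Dict[str, str]:
    """Constructed inventory record; keyword arguments override defaults."""
    base = {"ip": f"10.0.0.{i}", "mac": f"00:11:22:33:44:{i:02x}",
            "hostname": f"host{i}", "owner": "ICT Manager", "department": "ICT"}
    base.update(fields)
    return base


# Constructed inventory of eight assets; two lack owner or department information.
SAMPLE_INVENTORY = [make_asset(i) for i in range(1, 7)] + [
    make_asset(7, owner=""), make_asset(8, department="")]

# Constructed scan: seven inventoried devices answered, one was switched off,
# and one device nobody has recorded (a rogue or an undocumented one) was found.
SAMPLE_SCAN = [a["mac"] for a in SAMPLE_INVENTORY[:7]] + ["de:ad:be:ef:00:01"]

if __name__ == "__main__":
    for sub, result in assess(SAMPLE_INVENTORY, SAMPLE_SCAN).items():
        print(f"sub-control {sub}: {result['measure']:.2f}% non-compliant, Sigma level {result['sigma']}")
```

With the constructed data both measures land at Sigma level two (12.5% and 25% non-compliance); reaching level three would require fewer than one undocumented device in fifteen, which is the kind of target the policy can set and the metric can track over time.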

References

Avast 2017. 9 Cybersecurity Terms You Need To Know. Online source: https://blog.avast.com/9-cybersecurity-terms-you-need-to-know, accessed: May 12 2018 @ 10:00 pm.
Balakrishnan, V. 2018. Online source: https://mothership.sg/2017/12/vivian-balakrishnan-lecture-asean/, accessed: May 12 2018 @ 3:45 pm.
BSI 2018. Glossary of Cyber Security Terms. The British Standards Institution, United Kingdom. Online source: https://www.bsigroup.com/en-GB/Cyber-Security/Cyber-security-for-SMEs/Glossary-of-cyber-security-terms/, accessed: May 12 2018 @ 9:57 pm.
CIS 2018. CIS Controls. The Center for Internet Security, March 19 2018.
Cisco 2011. The Internet of Things: How the Next Evolution of the Internet Is Changing Everything. Cisco Internet Business Solutions Group, Cisco Systems Inc. Online source: https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf, accessed: May 12 2018 @ 3:25 pm.
Council of the European Union 2016. General Data Protection Regulation: key changes. Online source: https://www.eugdpr.org/key-changes.html, accessed: May 10 2018 @ 4:16 pm.
Cygilant 2015. The Beginner's Guide to Cyber Security Terminology. Online source: https://blog.cygilant.com/blog/the-beginners-guide-to-cybersecurity-terminology, accessed: May 12 2018 @ 9:55 pm.
European Union 2015. The General Data Protection Regulation, Regulation (EU) 2016/679. Online source: https://ec.europa.eu/info/files/regulation-eu-2016-679-protection-natural-persons-regard-processing-personal-data-and-free-movement-such-data_en, accessed: May 12 2018 @ 2:41 pm.
Government of Samoa, Ministry of Communications and Information Technology. Samoa National Cyber Security Policy. Online source: http://www.samoagovt.ws/wp-content/uploads/2017/02/MCIT-Samoa-National-Cybersecurity-Strategy-2016-2021.pdf, accessed: May 23 2018 @ 3:24 pm.
Global Cyber Security Capacity Centre 2016. Cybersecurity Capacity Maturity Model for Nations, Revised Edition. GCSCC, Saïd Business School, University of Oxford, published 31st March 2016.
Herjavec Group 2017. Annual Cybercrime Report 2017.
IEEE 2016. Online source: https://electronics360.globalspec.com/article/6551/75-4-billion-devices-connected-to-the-internet-of-things-by-2025, accessed: May 4 2018 @ 3:38 pm.
Information Security Breaches Survey (ISBS) 2014. Online source: https://www.focus-on-training.co.uk/blog/gchq-advises-businesses-to-invest-in-information-security-training/, accessed: May 2 2018 @ 3:50 pm.
IRM 2018. The Institute of Risk Management. Online source: https://www.theirm.org/knowledge-and-resources/thought-leadership/cyber-risk/, accessed: May 11 2018 @ 3:34 pm.
ITU 2018. Readiness Assessment Report To Establish A National CIRT For Samoa. International Telecommunication Union, May 2018.
Javelin Strategy and Research 2018. Identity Fraud Study. Online source: https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity, accessed: May 12 2018 @ 3:53 pm.
Krehnke, M. 2009. Information Security Management Handbook. Auerbach Publications, New York, 2009.
La Piedra, J. 2002. Information Security Process: Prevention, Detection, and Response. SANS Institute, Global Information Assurance Certification Paper.
NIST 2014. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. National Institute of Standards and Technology, February 12, 2014.
NIST 2018. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology, April 16, 2018.
NCSC 2018. 10 Steps to Cyber Security: Executive Summary. National Cyber Security Centre (NCSC), Government Communications Headquarters (GCHQ), Government of the United Kingdom. Online source: https://www.ncsc.gov.uk/guidance/10-steps-executive-summary, accessed: May 11 2018 @ 5:03 pm.
Tankard, C. 2011. Advanced persistent threats and how to monitor and deter them. Network Security, vol. 2011, issue 8, August 2011, pp. 16-19. Elsevier.
Timberg, C. 2015. Net of Insecurity: A Flaw in Design. Article in the Washington Post by Craig Timberg, published 30th May 2015. Online source: http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/?utm_term=.febce406143b, accessed: May 12 2018 @ 4:00 pm.