IS SECURITY AND THE DARK SIDE OF IT Flashcards

1
Q

Reconstruction of the attack flow and identifying the safety constraints

A
  1. Reconnaissance: the attacker identified and selected Equifax as a target —> this phase involves the use of network scanners and social media research. Overexposing the internals of software systems and their components to the public makes the attackers’ job easier.
    Safety constraint: Nondisclosure of unnecessary details about software used in IT systems
  2. Weaponisation: constructing a malicious exploit in the form of a remote access Trojan virus, ready to be delivered into the victim’s computer system
    Safety constraint: Not applicable because actions occur outside the system and can’t be prevented by safety constraints
  3. Delivery: the malicious exploit is delivered to the victim’s system (Equifax’s attackers exploited a vulnerability in Jakarta’s multipart parser used by Apache Struts 2 by sending a malicious content-type header in an HTTP request.)
    Safety constraint: Blockage of malicious requests sent by the attackers
  4. Exploitation: the attacker’s code is executed, targeting a vulnerability in one or several elements of the victim’s software stack.
    Safety constraint: Elimination of critical vulnerabilities in the systems through patching and vulnerability management
  5. Installation: a remote access tool is deployed on the victim’s system to establish a presence inside the network and spread the attack (Equifax systems permitted access to their sensitive data through ACIS. This enabled the attackers to gain access to unencrypted application credentials for other sensitive Equifax databases, which stored confidential information and personally identifiable information)
    Safety constraint: System’s secure design principles:
    * Isolation principle: computer subsystems need to be separated from each other using physical devices and/or security controls to minimise the number of possible ways an attacker can get into a device or network and extract data
    * Authentication principle: A software system should assume that other systems are untrusted and require authentication before granting access to its data. —> have a strong password and store application credentials in an encrypted format where they cannot be shared
    * Least privilege principle: restricts the rights and access of a user and system to only those needed to execute a task and thus limits the spread and potential impact of an attack.
  6. Command and control: the attackers create a command-and-control channel that enables them to control the victim’s systems.
    Safety constraint: Detection of suspicious traffic in the network with intrusion detection and prevention systems (IDS/IPS)
  7. Actions and objectives: intruders harvest and exfiltrate unencrypted sensitive data.
    Safety constraint: there are 3 mechanisms that could stop an attack
    * Encryption: Proper encryption of data and effective management of encryption keys can protect the confidentiality and integrity of data even when attackers obtain unauthorised access to computer systems.
    * Limit the data retained: ensure that only necessary data is retained.
    * Data loss prevention (DLP): could have detected and blocked the bulk transfer of sensitive data outside of the network

2
Q

Shortcomings in Equifax’s Hierarchical Safety Control Structure

A
  • Level 1: Equifax’s intrusion detection and prevention process (IDPP); the purpose of this process is to identify and block malicious activities in network traffic
  • Level 2: Equifax’s IT and information security (ISec) team that operates vulnerability identification and PCI DSS compliance processes
  • Level 3: Equifax’s management and board of directors that oversee the company’s strategy and operations, including risk management
  • Level 4: Federal agencies (Federal Trade Commission and Consumer Financial Protection Bureau) and the U.S. states that have enforcement authority over the CRAs, and the payment card brands that enforce compliance with PCI DSS.
3
Q

Recommendations for Strengthening Cybersecurity

A
  1. Limit sensitive data stored in the systems: The storage of sensitive data should be limited to only the information needed to provide a service. This data should not be retained beyond the time necessary to provide the service. The data should then be deleted, anonymised or aggregated for statistical purposes.
  2. Embed Security into Software Design and Development. Embedding security into software design and development will enable organisations to address security vulnerabilities and mitigate security flaws earlier in the software lifecycle —> software should be designed following secure design principles (e.g., isolation, the principle of least privilege, data encryption)
  3. Protect systems in operation from attacks: it is practically impossible to find and remediate all software “bugs” that make systems vulnerable to cyberattacks —> Organisations should therefore limit the exposure of security vulnerabilities to attackers and protect software systems from the exploitation of such vulnerabilities. Organisations also need to make trade-offs between spending resources on efforts to add new features that will provide business benefits and fixing flaws in features that superficially appear to be working fine.
  4. Identify attacks and block their spread: Organisations should therefore augment intrusion detection and prevention (IDS/IPS) systems with data loss protection (DLP) systems to identify, monitor and potentially avert exfiltration of sensitive data after a successful attack.
    ! Building in-depth defences requires a massive cross-functional effort that spans various teams, technologies and processes.

Recommendations for Embedding Cybersecurity Practices in the Organisation: importance of having cybersecurity as a shared goal throughout the organisation
  5. Ensure that Executive Leadership Has a Say in Cybersecurity Decisions: The organisation’s executive leadership must be in a position to take account of cybersecurity-related risks during decision-making, resource allocation and prioritisation.
  6. Create a shared responsibility: this helps to contextually mitigate cybersecurity risks across the enterprise and embed cybersecurity into every part of the organisation.
  7. Foster communication and collaboration between security and IT teams: Executive leadership must establish cybersecurity goals and objectives and clearly communicate them to the security and IT teams. Provide transparency and shared goals!
Recommendations for ensuring the board prioritises cybersecurity: ensure that the board prioritises cybersecurity and approves acceptable risk levels
  8. Understand the Legal Implications of Cybersecurity Risks: an organisation can be subject to a growing number of regulations and laws relating to data security, with little or no coordination among rule makers and regulators. The board should therefore assess whether the organisation has comprehensively evaluated and addressed cybersecurity risks from a legal perspective.
  9. Educate board members on threats and vulnerabilities relevant to their organisation.
  10. Ensure that There Is an Organisation-Wide Cybersecurity Risk Management Framework: The organisation should have a cybersecurity risk framework that includes controls to mitigate cybersecurity risks across the enterprise and ensures oversight of those controls.
  11. Fully Analyse and Communicate the Organisation’s Cybersecurity Risk Appetite: The board should analyse and communicate the cybersecurity risk appetite as part of risk management and decide which cybersecurity risks are acceptable and which must be avoided or mitigated.

4
Q

Causes of the threat to IS security

A

A. Dramatic increase in the size and complexity of IT —> “Dark Web” sites, where unscrupulous middlemen peddle large amounts of sensitive information, now abound. Everything from customers’ passwords and credit card information to intellectual property is sold on these clandestine sites. Insiders are often willing to provide access to those assets in return for sums vastly less than their street value, contributing to the “cybercrime-as-a-service” industry.
B. Employees who use personal devices for work
C. Explosion in social media: they allow all sorts of information to leak from a company and spread worldwide, often without the company’s knowledge. They also provide opportunities to recruit insiders and use them to access corporate assets.

5
Q

How to approach the IS security threat problem

A
  1. Adopt a robust insider policy: address what people must do or not do to deter insiders who introduce risk through carelessness, negligence, or mistakes.
    * The policy must be concise, easy for everyone to understand, and apply to all levels of the organisation.
    * Employees should be given tools that help them adhere to the policy.
  2. Raise awareness: be open about likely threats so that people can detect them and be on guard against anyone who tries to get their assistance in an attack.
    * Customise training to take into account what kinds of attacks workers in a particular operation might encounter (simple phone calls and emails can trick employees).
    * Encourage employees to report unusual or prohibited technologies and behaviour.
  3. Look out for threats when hiring: use screening processes and interview techniques designed to assess the honesty of potential hires.
  4. Employ rigorous subcontracting processes: ensure that your suppliers or distributors don’t put you at risk—by, for example, minimising the likelihood that someone at an external IT provider will create a back door to your systems.
    * Seek out partners and suppliers that have the same risk appetite and culture your organisation does, which will make a common approach to cybersecurity much more likely.
    * Ask potential suppliers during pre-contractual discussions about how they manage insider-related risk.
    * If you hire them, audit them regularly to see that their practices are genuinely maintained.
  5. Monitor employees: Let them know that you can and will observe their cyberactivity to the extent permitted by law. You cannot afford to leave cybersecurity entirely to the experts; you must raise your own day-to-day awareness of what is leaving your systems as well as what is coming in.
6
Q

SEEING THE FOREST AND THE TREES: A META-ANALYSIS OF THE ANTECEDENTS TO INFORMATION SECURITY POLICY COMPLIANCE:
purpose of study

A

holistically investigate, via a meta-analytic approach, the findings of prior research on employees’ security policy compliance to help further illuminate this problem space and promote theoretical advancement.

Meta-analysis: a research technique that quantitatively synthesises the results of many independent, empirical studies that address similar research questions

7
Q

SEEING THE FOREST AND THE TREES: A META-ANALYSIS OF THE ANTECEDENTS TO INFORMATION SECURITY POLICY COMPLIANCE: findings

A
  1. The relative strength of the link between employee attitudes/norms/beliefs and policy compliance,
  2. The relative weakness of the link between rewards/punishment/threats and policy compliance,
  3. The support for security policy compliance and violation as representing at least partially distinct concepts,
  4. The inconsistent links between the antecedent categories and actual versus intended compliance,
  5. The inconsistent links between general security policies versus specific policies and compliance,
  6. The importance of selected antecedents for particular national cultures