University of Maryland, University College, CYB 670: Cybersecurity Policy and Baseline Analysis Report (research paper, Computer Science)
University of Maryland, University College
CYB 670 Cybersecurity Policy and Baseline Analysis Report

TABLE OF CONTENTS

TEAM MEMBERS .......................................................... 3
CYBER POLICY REPORT ................................................... 4
CYBER POLICY MATRIX ................................................... 4
TRANSNATIONAL LEGAL COMPLIANCE REPORT ................................. 5
INTERNATIONAL STANDARDS REPORT ........................................ 8
SECURITY BASELINE REPORT ............................................. 10
    System Integrity Checks .......................................... 10
    Practices to Follow to Maintain System Integrity ................. 11
    Major Types of Malware ........................................... 12
    Network Forensics ................................................ 14
    Wireshark Features ............................................... 17
    Building the Security Baseline ................................... 21
ATTRIBUTION REPORT ................................................... 25
    The Attribution Corroboration Methodology ........................ 27
FORENSIC ANALYSIS REPORT ............................................. 26
NETWORK SECURITY CHECKLIST ........................................... 29
SYSTEM SECURITY RISK AND VULNERABILITY ASSESSMENT REPORT ............. 32
    Attack Vectors ................................................... 32
    Common Authentication and Credentials Attacks & Mitigation ....... 33
    Man-in-the-Middle Attacks & Mitigation ........................... 33
    Replay Attacks ................................................... 34
    Cross-site Request Forgery (XSRF or CSRF) ........................ 34
    Significance of Public-Key Infrastructure ........................ 34
CHAIN OF CUSTODY FORM ................................................ 35
DIGITAL FORENSIC ENVIRONMENT REVIEW AND ANALYSIS ..................... 38
APPENDICES ........................................................... 41
REFERENCES ........................................................... 42

Cyber Policy Report

The United States, in cooperation with the United Kingdom, Australia, Canada, and New Zealand, established an agreement known as the Five Eyes (FVEY) alliance, under which these countries agree to collect, analyze, and share signals intelligence (SIGINT) and not to spy on each other as adversaries (Mansfield, 2017). The members of FVEY use their technical capabilities to collect massive amounts of information on electronic communications worldwide, to target specific individuals and groups, and to retain information about other persons for extended periods of time. This data is collected at "Special Source Operations" (SSO) locations around the globe and stored in the Five Eyes nations' databases (Parsons, 2015).

Cyber Policy Matrix

New Zealand is increasingly reliant on information and communication technology and on an open, trusted Internet. Internet connectivity is integral to New Zealand's economic growth and international competitiveness, but this technology also provides opportunities for those with criminal or hostile intentions. The 2015 Cyber Security Strategy signals the Government's commitment to ensuring New Zealand is safe, resilient and prosperous online.
New Zealand's scale and relatively simple telecommunications and network structure enable the public and private sectors to work closely together to embed a cyber security culture and to respond nimbly to evolving cyber risks (New Zealand Govt, 2016). A spreadsheet of New Zealand's Cyber Policy Matrix is attached to this report.

Transnational Legal Compliance Report

The International Organization for Standardization's ISO 19600 standard is one of the primary international rules nations use to handle regulatory compliance. It marries compliance and risk together under a common framework, with some nuances to account for their differences. International standards like the ISO/IEC 27000 family help organizations meet regulatory compliance through their security management and assurance best practices (Tattam, 2015). The Corporate Governance Code for the UK, issued by the Financial Reporting Council (FRC), sets standards of good practice for board leadership and effectiveness, remuneration, accountability, and relations with shareholders. The Listing Rules require all companies with a Premium Listing of equity shares in the UK to report in their annual report and accounts how they have applied the Combined Code (FRC, n.d.). This is very similar to the US Sarbanes-Oxley Act, which mandates that all publicly traded companies apply accounting controls and submit them to the SEC for compliance, demonstrating that financial data are accurate and that adequate controls are in place to safeguard them. When organizations strive to comply, IT systems often automate most or all data acquisition, data management, and reporting activities. Therefore, information security is the foundation of any compliance solution, as IT infrastructure is at the core of any nation's compliance effort. Without security, data management, data isolation, and data integrity cannot be assured, so it is difficult for any technical safeguard to succeed (FRC, n.d.).
The security assessment, which identifies gaps in the current security posture of the environment, is similar among these nations, as is vulnerability assessment scanning of the physical and application environment to validate and tighten the security posture. Data loss prevention identifies critical data and its location and assists in preventing its outflow. Network access control safeguards the perimeter and enhances endpoint security, and managed security services reduce the time and cost of monitoring and testing while providing audit reporting and security event management (CautelaLabs, n.d.). Similar to the US and UK, the Reserve Bank of Australia (RBA), the Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC), and the Australian Competition and Consumer Commission (ACCC) help to ensure that financial institutions meet their promises, that transactional information is well documented, and that competition is fair while consumers are protected (Pearson, 2009). The applicable compliance regulation is AS ISO 19600:2015 (which supersedes AS 3806-2006), a standard that helps organizations with compliance management, emphasizing the organizational elements required to support compliance while also recognizing the need for continual improvement (CompliSpace, 2016). For Canada, the OSFI, using the Bank Act, and FINTRAC, using the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2001 (PCMLTFA), protect consumers, regulate how risk is controlled and managed, and investigate illegal activities such as money laundering and terrorist financing. The compliance regulation is ISO 19600:2014, an international compliance standard that guides an effective and responsive compliance management system within an organization.
Also, Canada's E-13 Regulatory Compliance Management guideline provides specific compliance risk management tactics (Office of the Superintendent of Financial Institutions, 2014). Australia, Canada, New Zealand, the United Kingdom, and the United States have similar impact analysis systems with regard to scope of coverage, quality control, cost-benefit analysis, and the consideration of effects on competition and market openness. In these countries, burden reduction policies have been strongly linked with ex-ante assessment processes. A primary objective of these procedural controls on the substance of proposed regulation is to ensure that a rational approach to achieving policy goals was taken during policy development and that it was informed by the involvement of a wide range of affected groups. Cyber regulation in these countries has similar objectives and tactics, which include requiring organizations to:

- Employ a risk-based approach to understand the cybersecurity threats they face, and implement a cybersecurity program to address those threats.
- Promote a governance structure for the cybersecurity program to drive accountability.
- Identify systems that are subject to enhanced security controls.
- Monitor systems to prevent a breach of the information system's security.
- Implement incident response and escalation programs to identify and respond to violations, and secure the communication network used to notify regulators and affected individuals promptly.
- Periodically test the cybersecurity program.

Most compliance requirements aim at protecting the confidentiality, integrity, and availability of information. These requirements affect a nation's stakeholders, whose vital goals are to establish and implement controls, identify and remediate vulnerabilities and any deviations, and thereby maintain, protect, and assess compliance (Deloitte, 2018).
Nations are challenged daily by malevolent cyber operations. The Tallinn Manual 2.0 examines the international legal framework that applies to such cyber operations. The relevant legal regimes include the law of state responsibility, the law of the sea, international telecommunications law, space law, diplomatic and consular law, and, concerning individuals, human rights law. Tallinn 2.0 also explores how the general principles of international law, such as sovereignty, jurisdiction, due diligence, and the prohibition of intervention, apply in the cyber context (Leetaru, 2017).

International Standards Report

The most critical challenges to global security come through information and communications technology (ICT). There is an urgent need for cooperation among states to mitigate threats such as cybercrime, cyber-attacks on critical infrastructure, electronic espionage, bulk data interception, and offensive operations intended to project power by the application of force in and through cyberspace. Emerging cyber threats could precipitate massive economic and societal damage, and international efforts need to be recalibrated to account for this new reality (Dailey, 2017). Gathered intelligence aims to evaluate data and reduce uncertainty. Successful intelligence practices try to mitigate apparent ambiguity through accurate estimates and support the implementation of successful policy. For modern intelligence to be successful, intelligence communities need the ability to react to new threats and to adapt and focus on relevant issues quickly and efficiently (Dailey, 2017). Therefore, having access to another nation's intelligence efforts, and observing different and at times more successful approaches, can help in the fight. One initiative for cooperation among the members present at the summit is the Five Eyes. Five Eyes has been extraordinarily successful by any subjective or objective standard.
It is a surveillance arrangement between the United States' National Security Agency (NSA), the United Kingdom's Government Communications Headquarters (GCHQ), Canada's Communications Security Establishment (CSEC), the Australian Signals Directorate (ASD), and New Zealand's Government Communications Security Bureau (GCSB). Across the Five Eyes' intelligence efforts and agencies there is a common theme of intelligence success among the nations (Dailey, 2017). Five Eyes conducts no covert operations of its own and is not a centrally organized entity, but a coalition of united, independent intelligence agencies. It is the most detailed and enduring intelligence alliance in the world and is perfectly positioned to handle the challenges of globalization. It is primarily a signals intelligence (SIGINT) organization; SIGINT is intelligence derived from the electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems, and it provides nations a vital window into foreign adversaries' capabilities, actions, and intentions. The alliance's work now also encompasses human intelligence (HUMINT), information gathered from human sources; geospatial intelligence (GEOINT), intelligence about human activity on Earth derived from exploiting and analyzing imagery and geospatial information that describes, assesses, and visually depicts physical features and geographically referenced activities; measurement and signatures intelligence (MASINT); and open-source intelligence (OSINT). With increased transmissions of all kinds, SIGINT has become more valuable, as globalization and the Internet have created an environment conducive to its collection and analysis. SIGINT comprises multiple fields and practices, including cryptanalysis, traffic analysis, electronic intelligence, communications intelligence, and measurement and signature intelligence (Dailey, 2017).
The alliance allows Five Eyes member nations to share the burden of collecting and analyzing intelligence on global threats. It is difficult to know who does what, but the collaboration has allowed its members to focus on distinct areas that they would ordinarily not have the resources to cover on their own. "Governments across the Western world have responded and adapted, further integrating formerly separate intelligence capacities. As the technological barriers between information systems and previously stove-piped databases continue to fall, the sharing of data has become not merely possible, but routine" (Asher, 2018).

Security Baseline Report

In a business or other organization, an asset is a possession that has value and must be protected against attack or loss. One asset that is important to protect is information, along with the information systems that hold it. Organizations spend money to gain information because it is an asset for producing goods and services; common examples are customer and vendor lists, sales plans, and marketing strategies. Information systems are an asset to an organization because each component of the system costs money to purchase and replace. Asset security is therefore a fundamental part of cybersecurity. "The cybersecurity measures required to protect business assets are determined by identifying the assets that require protection and then assessing the specific threats and vulnerabilities (for each asset or type of asset) that are present in the organization's operating environment" (UMUC, 2017). Critical infrastructure assets provide essential services that serve as the backbone of an organization's security. Critical infrastructure must remain strong, secure, and resilient, and it is the responsibility of users as well as the organization to be mindful of this.
Some examples of critical infrastructure are an uninterrupted power supply to the organization, data backups, physical access controls to buildings, law enforcement, etc. Therefore, critical infrastructure assets in an organization must have a baseline analysis that establishes a minimum set of safeguards to protect the system.

System Integrity Checks
(Preview of 1 of 44 pages. Uploaded Nov 15, 2022.)