UNSW Business School
INFS1701 Introduction to Networking and Security
Week 05 The People, Processes, and
Technology of Cybersecurity (Part I)
Lecturer-in-Charge: Dr. Pranit Anand
Copyright
• There are some file-sharing websites that specialise in buying and selling
academic work to and from university students.
• If you upload your original work to these websites, and if another
student downloads and presents it as their own either wholly or
partially, you might be found guilty of collusion — even years
after graduation.
• These file-sharing websites may also accept purchase of course
materials, such as copies of lecture slides and tutorial handouts. By law,
the copyright on course materials, developed by UNSW staff in the
course of their employment, belongs to UNSW. It constitutes copyright
infringement, if not academic misconduct, to trade these materials.
Outline
• High-level Overview of NIST CSF v1.1
• Managing Cyber Risks
• Cyber Threat Intelligence
• Zero Trust Architecture
High-level Overview of National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) v1.1
National Institute of Standards and Technology Cybersecurity Framework
The CSF v1.1 Core organises cybersecurity outcomes into five Functions: Identify, Protect, Detect, Respond, and Recover.
Managing Cyber Risks
Risks vs. Controls
Not every threat results in an attack, and not every attack succeeds. Success depends on the degree of vulnerability, the strength of the attack, and the effectiveness of any countermeasures in use.
Risk Management
Risk management is the process of identifying, assessing, and addressing risk. The goal of risk management is to proactively reduce the likelihood that risks turn into issues, and to minimise the negative impact when issues do occur.
Recall: Threat, Vulnerability, & Risk
Risk = Threat x Vulnerability
• Risk – The probability that a particular threat will exploit a particular vulnerability with a particular harmful outcome
• Threat – A potential danger that might exploit an underlying vulnerability to cause harm
• Vulnerability – A weakness or a shortfall that can be exploited
How to Deal With A Risk?
• Risk avoidance: Eliminate the risk by either countering the threat or removing the vulnerability
• Risk transference: Shift the risk to another system or entity; e.g., buy insurance to compensate for potential loss
• Risk limitation: Limit the risk by implementing controls that minimise the resulting loss
• Risk acceptance: Accept the potential for loss and continue operating the system
Mnemonic: TEAM – Transfer, Eliminate, Accept, Mitigate
Scenario
You have been working hard to convince your manager that
your company should move to cloud. You finally closed the
deal and received funding! But…
What about the risks?
Scenario (cont.)
• The likelihood that known threats exploit vulnerabilities – What data are stored in the cloud? Anything an attacker would be interested in? Any known vulnerabilities?
• The potential impact – Financial, operational, and reputational
Every organisation has a unique risk appetite
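To make the preceding slides concrete (Risk = Threat x Vulnerability, the four treatment options, and the cloud-migration scenario with its likelihood, impact and appetite), here is a small risk register in Python. It is an added example, not material from the lecture: the 1-5 scales, the multiplicative score, the appetite threshold of 20, and every asset, threat and control in build_register() are constructed assumptions for illustration.

```python
"""Risk treatment on a toy register: an added example, not from the lecture.
Assumptions (all constructed): a 1-5 scale for threat level, vulnerability and
impact; Risk = threat x vulnerability x impact; an appetite threshold of 20;
and the assets and controls listed in build_register()."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Control:
    name: str
    vuln_reduction: int = 0    # points taken off the vulnerability factor
    impact_reduction: int = 0  # points taken off the impact factor


@dataclass
class Risk:
    asset: str
    threat: str
    threat_level: int   # how capable/motivated the threat actor is (1-5)
    vulnerability: int  # how exposed the asset is (1-5)
    impact: int         # financial/operational/reputational harm (1-5)
    transferable: bool = False  # can the residual loss be insured or outsourced?
    controls: List[Control] = field(default_factory=list)

    @staticmethod
    def _clamp(x: int) -> int:
        return max(1, min(5, x))

    def inherent_score(self) -> int:
        """Risk before any control: Threat x Vulnerability, weighted by Impact."""
        return self.threat_level * self.vulnerability * self.impact

    def residual_score(self) -> int:
        """Risk after the listed controls have been applied."""
        v, i = self.vulnerability, self.impact
        for c in self.controls:
            v = self._clamp(v - c.vuln_reduction)
            i = self._clamp(i - c.impact_reduction)
        return self.threat_level * v * i


def treatment(risk: Risk, appetite: int) -> str:
    """Pick one of the lecture's four options (TEAM). The ordering is one
    reasonable policy for the toy register, not a universal rule."""
    if risk.inherent_score() <= appetite:
        return "accept"        # already within appetite: keep operating
    if risk.residual_score() <= appetite:
        return "limit"         # mitigate: controls bring it within appetite
    if risk.transferable:
        return "transfer"      # e.g. cyber insurance for the residual loss
    return "avoid"             # eliminate: keep the asset out of the cloud


def build_register() -> List[Risk]:
    """Constructed cloud-migration risks for the scenario in the slides."""
    return [
        Risk("customer PII database", "organised criminals", 4, 4, 5,
             controls=[Control("private bucket + least-privilege IAM", vuln_reduction=3),
                       Control("encryption at rest, keys kept on-prem", impact_reduction=2)]),
        Risk("public marketing site", "script kiddies (defacement)", 3, 2, 2),
        Risk("legacy app on unsupported OS", "exploitation of unpatched OS", 4, 5, 4,
             controls=[Control("web application firewall", vuln_reduction=1)]),
        Risk("cloud backups", "ransomware", 5, 3, 4, transferable=True,
             controls=[Control("offline backup copy", impact_reduction=2)]),
    ]


def assess(appetite: int = 20) -> Dict[str, Tuple[int, int, str]]:
    """asset -> (inherent score, residual score, treatment decision)."""
    return {r.asset: (r.inherent_score(), r.residual_score(), treatment(r, appetite))
            for r in build_register()}


if __name__ == "__main__":
    for asset, (inh, res, decision) in assess().items():
        print(f"{asset:32} inherent={inh:3} residual={res:3} -> {decision}")
```

Note that the same inherent score (80) ends up with different treatments: the PII database can be mitigated into appetite, while the legacy app cannot and is avoided. Changing the appetite value shows how the decision table shifts with an organisation's risk tolerance.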
Know Your Enemy and Know Yourself
The Current Threat Landscape
Incident – A security event that compromises the confidentiality, integrity, and/or availability of an information asset.
Breach – An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorised party.
Source: Verizon – Data Breach Investigations Report (DBIR) 2022
Threat Modelling
Threat modelling is the first step to start making sense of the vulnerability landscape.
Examples: bowtie analysis, FAIR, Bayesian probabilistic theory, STRIDE, MITRE ATT&CK, kill-chain analysis – but really, it is just about understanding what could potentially happen.
Tiffany Liu, MIT
Threat Actors
Opportunistic/Script Kiddies
Insiders (including third parties)
Organised Criminals
Hacktivists
Competitors
Nation States
Cyber Threat Intelligence
Organisational Cybersecurity Management
• Difficult to gauge the risk and hence the time and resource investment
• Who is doing what – Interrelated decisions and complexity
• Unhelpful stereotypes about cybersecurity management
“This all comes down to judgement”
Cyber Threat Intelligence (CTI)
• There are a lot of definitions out there
• Intelligence = Analysed information that can be used to inform action
The purpose of CTI is to increase awareness and understanding of the organisation's threat landscape (often in the most efficient way possible) and to inform decisions.
Cyber Threat Intelligence (CTI)
Data -> Information -> Intelligence
Source: CyberEdge Group – The Threat Intelligence Handbook, Second Edition
Cyber Threat Intelligence (CTI)
• Tactical -> Indicators and attacker techniques (TTPs) that defenders can act on immediately
• Operational -> Details of specific campaigns and the threat actors behind them, used to guide incident response
• Strategic -> An overview of the threat landscape for decision makers
Source: CyberEdge Group – The Threat Intelligence Handbook, Second Edition
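The Data -> Information -> Intelligence pyramid and the three levels above are easier to see in code. The following Python example (added here; not from the lecture or the cited handbook) walks constructed log lines through the three stages: parsing them (data), counting and ordering them (information), and matching them against a threat feed that carries actor, TTP, confidence and a recommended action (intelligence). The log lines, the feed entries, the actor names and the IP addresses (from documentation ranges) are all made up for illustration.

```python
"""Data -> Information -> Intelligence on constructed logs: an added example,
not from the lecture or the cited handbook. The log lines, the threat feed
and the actor names are all made up; the IP addresses are from documentation
ranges."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# DATA: raw, uninterpreted log lines (constructed).
RAW_LOGS = """\
2024-03-04T09:12:01Z proxy src=10.20.1.15 dst=203.0.113.9 host=update-check.example.net status=200
2024-03-04T09:12:07Z auth user=jsmith result=FAIL src=198.51.100.77
2024-03-04T09:12:09Z auth user=jsmith result=FAIL src=198.51.100.77
2024-03-04T09:12:12Z auth user=jsmith result=FAIL src=198.51.100.77
2024-03-04T09:12:15Z auth user=jsmith result=OK src=198.51.100.77
2024-03-04T09:13:40Z proxy src=10.20.1.31 dst=192.0.2.44 host=cdn.example.org status=200
2024-03-04T09:14:02Z proxy src=10.20.1.15 dst=203.0.113.9 host=update-check.example.net status=200
"""

# A feed is only "information" until it is matched against your own
# environment; the actor/TTP/confidence/action fields are what make a match
# actionable (constructed feed).
THREAT_FEED: Dict[str, Dict[str, str]] = {
    "203.0.113.9": {"actor": "ExampleGroup-1", "ttp": "C2 beacon over HTTPS",
                    "confidence": "high", "action": "block at proxy, isolate host"},
    "198.51.100.77": {"actor": "opportunistic", "ttp": "credential stuffing",
                      "confidence": "medium", "action": "force MFA + password reset"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<type>\w+) (?P<kv>.*)$")


def parse_logs(text: str) -> List[Dict[str, str]]:
    """Data -> structured events (still data: nothing is interpreted yet)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk lines rather than crash the pipeline
        ev = {"ts": m["ts"], "type": m["type"]}
        ev.update(pair.split("=", 1) for pair in m["kv"].split())
        events.append(ev)
    return events


def summarise(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Information: data given context (who, how often, in what order)."""
    fails: Counter = Counter()
    success_after_failures = set()
    for e in events:
        if e["type"] != "auth":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key] += 1
        elif fails[key] >= 3:          # an OK right after a burst of failures
            success_after_failures.add(key)
    destinations = Counter(e["dst"] for e in events if e["type"] == "proxy")
    return {"failed_logins": fails,
            "success_after_failures": success_after_failures,
            "destinations": destinations}


def produce_intelligence(info, feed) -> Tuple[List[Dict[str, object]], Counter]:
    """Intelligence: analysed information tied to an action. Tactical items
    are indicator hits a defender acts on now; operational items carry
    actor/campaign context for incident responders; the actor tally is the
    raw material for a strategic overview."""
    findings = []
    for dst, hits in info["destinations"].items():
        if dst in feed:
            findings.append({"level": "tactical", "indicator": dst, "hits": hits, **feed[dst]})
    for user, src in sorted(info["success_after_failures"]):
        ctx = feed.get(src, {"actor": "unknown", "ttp": "password guessing",
                             "confidence": "low", "action": "investigate"})
        findings.append({"level": "operational", "indicator": src, "user": user, **ctx})
    strategic = Counter(f["actor"] for f in findings)
    return findings, strategic


def run(text: str = RAW_LOGS, feed=THREAT_FEED):
    return produce_intelligence(summarise(parse_logs(text)), feed)


if __name__ == "__main__":
    findings, strategic = run()
    for f in findings:
        print(f["level"], f["indicator"], "->", f["action"], f"({f['actor']}, {f['ttp']})")
    print("actors seen:", dict(strategic))
```

The point of the three functions is that each stage adds something the previous one lacked: the parser alone cannot tell you that three failures followed by a success is suspicious, and the summary alone cannot tell you who is behind a destination address or what to do about it. Only the last stage produces something a SOC analyst or an executive can act on.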
Why Do We Need Cyber Threat Intelligence (CTI)?
• Organisations are facing increasing cyber threats
• Most organisations are also experiencing skill shortages
• They need a way to quickly understand the fast-changing threat landscape
• They need an evidence-based way to make decisions
Cyber Threat Intelligence (CTI) Sources
• Cyberthreat Real-time Map ([Link])
• Fireeye Cyber Threat Map ([Link])
• BugTraq ([Link])
• Search Vulnerability Database ([Link])
• ...
CTI Case Study - Data and Machine Learning for Phishing Resilience
• Lack of an evidence-based approach
• Generic email and educational page templates
• Education/awareness team working in silos
• Lack of measures to justify impact and communicate with
different stakeholders
Our analysis reveals the strongest predictor of phishing
susceptibility…
Zero Trust Architecture
Traditional Model
Perimeter diagram: trusted zone inside the network boundary, untrusted zone outside.
Issues on Traditional Model
Perimeter-based networks operate on the assumption that everything, including devices, users, etc., within a network can be trusted.
Problems/Issues:
• Not designed to accommodate modern work styles, e.g., Bring Your Own Device (BYOD), Bring Your Own Cloud (BYOC), etc.
• Insider actors – What if an endpoint, e.g., a workstation, within the trusted boundary is compromised?
• Remote work
• …
Image source: Cloudflare
What/Who Can You Trust?
• Users cannot be trusted!
• Networks cannot be trusted!
• …
Minimise ‘trust’!
Source: Verizon - Data Breach Investigations Report (DBIR) 2022
Zero Trust
Zero Trust (ZT) is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.
Zero Trust Architecture (ZTA) is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.
Source: NIST SP 800-207 Zero Trust Architecture
Zero Trust – Seven Tenets
• Consider all data sources and computing services as resources
• Secure all communications, regardless of network location
• Grant access to individual resources on a per-session basis
• Make access policies dynamic, e.g., using time, location, previously observed behaviour, …
• Monitor and measure the integrity and security posture of all assets
• Continually re-evaluate trust: authentication and authorisation are dynamic and strictly enforced before every access
• Collect and use data to improve security posture
Source: NIST SP 800-207 Zero Trust Architecture
Device and Identity Conditions
• Device Health Conditions
  • Machine risk level – Is the machine compromised? …
  • Integrity check – Has the firmware been altered? …
  • Compliance policy check – Is an OS security setting missing? …
• Identity Conditions
  • User's risk level – Have the credentials been leaked? …
  • Sign-in from – A known IP address? An anonymous IP address? An unauthorised web browser (e.g., Tor Browser)? An unfamiliar location? …
  • Suspicious sign-in – A high number of failed attempts? Traffic patterns matching those used by attackers? …
Zero Trust – Conditional Access Control
Source: GlobalDots
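The seven tenets and the device/identity conditions above come together in a conditional access decision: every request to a resource is evaluated from scratch against the current device posture, identity risk and sign-in context. The Python policy engine below is an added example (not from the lecture, NIST SP 800-207 or GlobalDots) showing one way such a decision point could work; the risk weights, the per-sensitivity thresholds, the user names and the sample requests are all constructed assumptions.

```python
"""A toy Zero Trust policy decision point: an added example, not from the
lecture, NIST SP 800-207 or GlobalDots. The signals are the device and identity
conditions listed in the slides; the weights, thresholds and sample requests
are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    managed: bool              # enrolled in MDM/EDR
    firmware_intact: bool      # integrity check passed
    compliant: bool            # OS security settings meet policy
    compromised: bool = False  # endpoint risk verdict


@dataclass
class Identity:
    user: str
    credentials_leaked: bool = False  # user risk level
    mfa_satisfied: bool = False


@dataclass
class SignIn:
    ip: str
    known_ip: bool
    anonymiser: bool          # Tor / anonymous proxy
    familiar_location: bool
    failed_attempts: int      # recent failures for this account


# (step_up_at, deny_at): stricter thresholds for more sensitive resources.
THRESHOLDS: Dict[str, Tuple[int, int]] = {"low": (3, 6), "medium": (2, 5), "high": (1, 4)}


def evaluate(identity: Identity, device: Device, signin: SignIn,
             sensitivity: str) -> str:
    """Decide 'allow', 'step_up' (require MFA first) or 'deny' for one
    request to one resource. Called per request, so no trust is carried
    over from an earlier decision (tenets 3 and 6)."""
    # Conditions no extra factor can fix: a compromised or tampered device,
    # or a credential known to be leaked, are denied outright.
    if device.compromised or not device.firmware_intact:
        return "deny"
    if identity.credentials_leaked:
        return "deny"

    # Dynamic policy (tenet 4): sign-in context and posture add risk points.
    risk = 0
    risk += 1 if not signin.known_ip else 0
    risk += 4 if signin.anonymiser else 0
    risk += 1 if not signin.familiar_location else 0
    risk += 2 if signin.failed_attempts >= 5 else 0
    risk += 1 if not device.managed else 0
    risk += 1 if not device.compliant else 0

    step_up_at, deny_at = THRESHOLDS[sensitivity]
    if risk >= deny_at:
        return "deny"
    if risk >= step_up_at and not identity.mfa_satisfied:
        return "step_up"
    return "allow"


def sample_decisions() -> List[str]:
    """Constructed requests, in order. The last two are the same session
    re-evaluated after the device posture changes."""
    corp = Device(managed=True, firmware_intact=True, compliant=True)
    byod = Device(managed=False, firmware_intact=True, compliant=False)
    alice = Identity("alice")
    alice_mfa = Identity("alice", mfa_satisfied=True)
    office = SignIn("10.0.0.5", known_ip=True, anonymiser=False,
                    familiar_location=True, failed_attempts=0)
    hotel = SignIn("198.51.100.20", known_ip=False, anonymiser=False,
                   familiar_location=False, failed_attempts=0)
    tor = SignIn("192.0.2.9", known_ip=False, anonymiser=True,
                 familiar_location=False, failed_attempts=6)
    return [
        evaluate(alice, corp, office, "medium"),      # clean context
        evaluate(alice, byod, hotel, "medium"),       # BYOD + unfamiliar place
        evaluate(alice_mfa, byod, hotel, "medium"),   # same, after MFA
        evaluate(alice_mfa, corp, tor, "high"),       # Tor + brute-force pattern
        evaluate(Identity("bob", credentials_leaked=True), corp, office, "low"),
        evaluate(alice_mfa, corp, office, "high"),    # session start
        evaluate(alice_mfa, Device(True, True, True, compromised=True), office, "high"),
    ]


if __name__ == "__main__":
    print(sample_decisions())
```

The last two calls are the "continually re-evaluate trust" tenet in miniature: the same user on the same resource goes from allow to deny the moment the endpoint's risk verdict changes, without waiting for a session to expire. In a real deployment the signals would come from the identity provider, the MDM/EDR agent and the sign-in telemetry rather than from hard-coded dataclasses.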
Benefits of Using Zero Trust
• Offer threat protection against both internal and external threats
• Provide increased visibility into all user access
• Limit the possibility of data exfiltration
• Secure cloud adoption
• Ensure data privacy
• Enable hybrid workforce security
• Lower reliance on endpoint protection
• Support regulatory compliance
Source: Secude – 8 Benefits of Implementing a Zero Trust Architecture