The document discusses various aspects of cyber security, focusing on system administration security, network security, and application security. It outlines 11 functional areas of enterprise cybersecurity that need to be organized and managed. For each of the three areas highlighted, it describes the goals, threats, and key capabilities. The overall aim is to prevent attacks, detect intrusions, and enable forensic investigation through controls across different parts of the IT infrastructure and applications.

1. Lec-4: Cyber Security
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬

2. Enterprise Cybersecurity Architecture
• There are 11 functional areas which needs to be organized and managed
enterprise cybersecurity
1. System administration
2. Network Security
3. Application Security
4. Endpoint, Server, and Device Security
5. Identity, Authentication, and Access Management
6. Data Protection and Cryptography
7. Monitoring, vulnerability and patch management
8. High availability, Disaster recovery, and Physical Protection
9. Incident Response
10. Asset Management and supply chain
11. Policy, Audit, E-Discovery and Training

3. System administration Security

4. System administration
• Provides for securing administration of
• Enterprise infrastructure
• Security infrastructure
• Secure system administration is the foundation for enterprise security
measures

5. Reasons for targeting system administration
• Consolidation in IT
• Now a days system administrator controls thousands of computers, often
from a single console
• System administration security is poor
• Systems administration technology is relatively immature with few
built-in checks and balances to detect malicious activity or prevent in
the first place

6. System administration Goals and Objectives
• Goal
• To protect the enterprise's administrative channels from being used by
adversary
• Objectives
• Preventive (make it harder for the attackers to get system control)
• Detective (detect attacks on system administration channels or malicious
systems administration activity when it occurs)
• Forensics (focus on creating detailed audit logs of all privileged systems
administration activities)

7. SA: Threat Vectors
• Keeping attackers from conducting malicious systems administration
activities in the enterprise.
• Compromise credentials of system administrator
• Compromise the computer of system administrator
• Compromise the computing infrastructure (virtualization, storage etc) and use
the computing capabilities to take control of systems
• Compromise systems administration infrastructure (computer mangt. Patch
magt. Or other systems to take control of the enterprise
• Compromise monitoring systems that have administrative access
• Use local computer administrative accounts to move from one personal
computer to another with administrative rights

8. SA: Capabilities
• SA capabilities help
• Isolate command and control networks and protocols
• Provide cryptographic protection for systems administration
• Allow for auditing of systems administration activities to detect attacks
• In this functional area, it is good to have redundancy in protection.
• For example, using network isolation along with strong authentication helps
ensure that the breach of one protection mechanism alone will not be
disastrous.

9. SA capabilities
• Bastion hosts
• Out-of-Band (OOB) management
• Network isolation
• Integrated Lights-Out (ILO), Keyboard Video Mouse (KVM), and power
controls
• Virtualization and Storage Area Network (SAN) management
• Segregation of administration from services
• Multi-factor authentication for Systems Administrators (SAs)
• Administrator audit trail(s)
• Command logging and analytics

10. Network Security

11. Network Security
• Purpose
• To protect the enterprise network from unauthorized access
• Needs to be considered in terms of the following security controls
• Preventive control (firewall and separate sections of the network from each
other)
• Detective control (IDS: detect attacker activity that cannot be blocked)
• Monitoring control (capture activity that is input to correlation engines that
support forensics.)

12. Containment capability
• Containment involves
• isolating attacker activity in one part of the enterprise (for example, end-user
workstations or Internet-facing web servers) from other IT functions such as
financial systems in order to provide for a layered defense

13. NS: Goals and Objectives
• Block malicious traffic
• Monitor and analyze network traffic
• Log information about network traffic

14. NS: Threat Vectors
• Attackers enter the enterprise through outbound network connections from
servers or clients on the internal network.
• Attackers enter the enterprise through the network connections of Internet-
facing servers.
• Attackers use internal networks to move laterally between computers inside the
enterprise.
• Attackers use enterprise networks to extract data and remove it from the
enterprise.
• Attackers take control of network infrastructure components and then leverage
them to gain entry to the enterprise or to bypass other security measures.

15. NS: Capabilities
• Switches and routers
• Software Defined Networking (SDN)
• Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP)
• Network Time Protocol (NTP)
• Network service management
• Firewall and virtual machine firewall
• Network Intrusion Detection/Network Intrusion Prevention System (IDS/IPS)
• Wireless networking (Wi-Fi)
• Packet intercept and capture
• Secure Sockets Layer (SSL) intercept
• Network Access Control (NAC)
• Virtual Private Networking (VPN) and Internet Protocol Security (IPSec)
• Network Traffic Analysis (NTA)
• Network Data Analytics (NDA)

16. Application Security

17. Application Security
• Application security involves security measures that are specific to
certain applications or protocols running over the network.
• By this simple definition, application security technologies and capabilities
include
• e-mail security
• application-aware firewall features
• database gateways
• forward web proxies.
• Application security operates alongside network security.

18. AS: Goal and objectives
• Goal
• to protect the enterprise applications from use or attack
• Objective
• The preventive objective is to block exploitation of applications and
application communications protocols for malicious use.
• The detective objective is to detect compromises of applications and attempts
to exploit them for malicious purposes.
• The forensic objective is to log data about application activity that can be
used for audits and investigations of incidents.
• The audit objective is for auditors to be able to collect evidence and artifacts
that suggest that applications are safe and not being used or manipulated by
attackers.

19. AS: Threat Vectors
• Initial entry by leveraging email to send malicious
messages(attachment or links) to users.
• For gaining control of end user, servers, mobile device
• Leverage vulnerabilities in web browsers and web-plugins
• For gaining control
• Exploiting vulnerabilities in enterprise server applications.
• For gaining control
• During the development of an application the attacker may find and
then exploit the flaw of software for gaining control

20. AS: Capabilities
• E-mail security
• Web-shell detection
• Application firewalls
• Database firewalls
• Forward proxy and web filters
• Reverse proxy
• Data Leakage Protection (DLP)
• Secure application and database software development
• Software code vulnerability analysis (including source code verification and
bug tracking)

21. Continued………. Next Lecture
• Endpoint, Server, and Device Security
• Identity, Authentication, and Access Management
• Data Protection and Cryptography

22. Thank You
For Your Patience